#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import cherrypy
import app.TestlinkApplication as TestlinkApplication
import app.TestlinkFileWriter as XMLWriter
import app.TestlinkConfig as TestlinkConfig
import util.TestlinkStringHelper as Helper
import data.TestlinkTestcase as TestCase
import data.TestlinkTeststep as TestStep
# ======================================================================================================================
# Server-Tools
# ======================================================================================================================
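def secure_headers():
    """
    Attach hardening headers to the current response.

    Registered in the main routine as a CherryPy ``before_finalize`` tool, so it
    runs after the handler has produced the response and before it is sent.

    Headers set:
    1) Strict-Transport-Security -> HTTPS only for one year, including subdomains
       (browsers only honour this when the response itself arrived over HTTPS,
       i.e. it needs a TLS-terminating proxy in front of this plain-HTTP server)
    2) X-Frame-Options -> DENY embedding in frames (clickjacking defence)
    3) X-XSS-Protection -> legacy reflected-XSS filter hint kept for old browsers;
       current browsers ignore it and rely on the CSP below
    4) Content-Security-Policy -> resources may only be loaded from our own origin
    5) Server -> replace the CherryPy version banner with "none"
    6) X-Permitted-Cross-Domain-Policies -> forbid Flash/PDF cross-domain policy files
    """
    headers = cherrypy.response.headers
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    headers["X-Frame-Options"] = "DENY"
    headers["X-XSS-Protection"] = "1; mode=block"
    # "default-src" is the CSP fallback directive for every resource type. The
    # previous value "default-app" is not a CSP directive, so browsers ignored it
    # and the policy was effectively empty. If this service ever serves HTML with
    # inline scripts/styles, widen the policy deliberately instead of breaking it.
    headers["Content-Security-Policy"] = "default-src 'self'"
    headers["Server"] = "none"
    headers["X-Permitted-Cross-Domain-Policies"] = "none"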
def CORS():
    """Attach CORS headers so browser-side (JavaScript) frontends on another
    origin may call the API, and expose the custom "Name" response header to them.

    Registered in the main routine as a CherryPy ``before_handler`` tool.
    Note: the wildcard origin lets any website read these responses, and browsers
    will not pair "*" with credentialed requests; keep this API cookie-free or
    narrow the origin to the frontend's host.
    """
    response_headers = cherrypy.response.headers
    cors_values = {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Access-Control-Expose-Headers": "Name",
    }
    for header_name, header_value in cors_values.items():
        response_headers[header_name] = header_value
# ======================================================================================================================
# Server-Configuration
# ======================================================================================================================
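# Directory containing this file (currently unreferenced in this module).
root_path = os.path.dirname(os.path.abspath(__file__))
# Config across REST-API: applied to everything mounted under the app's root "/".
rest_config = {
    "/": {
        # Route requests by HTTP verb to GET/POST/... methods on the handler objects.
        "request.dispatch": cherrypy.dispatch.MethodDispatcher(),
        # Both tools are registered in the main routine as cherrypy.tools.CORS and
        # cherrypy.tools.secureheaders. The previous key "tools.response_headers.on"
        # enabled CherryPy's built-in response_headers tool (a no-op without a
        # "headers" list) and did not enable secure_headers, so the hardening
        # headers were never attached unless switched on elsewhere.
        "tools.CORS.on": True,
        "tools.secureheaders.on": True,
    }
}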
# ======================================================================================================================
# MAIN-Routine
# ======================================================================================================================
if __name__ == "__main__":
    # 0) Build the Testlink configuration and the application object it drives.
    tl_config = TestlinkConfig.TestlinkConfig()
    tl_app = TestlinkApplication.TestlinkApplication(tl_config)

    # 1) Expose the application under the /tl2qft URL prefix with the REST config.
    cherrypy.tree.mount(tl_app, "/tl2qft", config=rest_config)

    # 2) Register the custom tools referenced by "tools.<name>.on" config keys.
    #    secure_headers runs late (before_finalize, priority 60) so it overrides
    #    anything the handler set; CORS runs before the handler.
    cherrypy.tools.secureheaders = cherrypy.Tool("before_finalize", secure_headers, priority=60)
    cherrypy.tools.CORS = cherrypy.Tool("before_handler", CORS)
    # Plain HTTP on every interface (no server.ssl_* options are set here); the
    # HSTS header only takes effect if TLS is terminated by a proxy in front.
    server_settings = {
        "server.socket_port": 3110,
        "server.socket_host": "0.0.0.0",
    }
    cherrypy.config.update(server_settings)

    # 3) Start the server and block the main thread until it is stopped.
    cherrypy.engine.start()
    cherrypy.engine.block()