Hi Hackers,

Please find attached the patch to fix the security issues below:

- Host Header Injection: added an ALLOWED_HOSTS list to limit the host address.
- Lack of Content Security Policy (CSP): added the security header.
- Lack of Protection Mechanisms (HSTS): added the security header.
- Lack of Cookie Attribute (Secure): kept as False, since Secure limits cookies to HTTPS traffic only.
- Information Disclosure (Web Server / Development Framework Version): kept as the hard-coded 'Python' instead of exposing wsgi/python/gunicorn version info.

Please review and let me know if I have missed anything.

Regards,
Ganesh Jaybhay
Attachment: RM5919.patch (binary data)
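The five items in the message are all things a WSGI application can enforce in one place. The following is an added, stand-alone Python example written for this post, not the attached RM5919.patch or the project's own code: a small WSGI middleware that rejects requests whose Host header is not in an allowlist, appends CSP and HSTS headers, replaces whatever Server header the inner app or server emitted with the fixed value 'Python', and sets the session cookie's Secure attribute only when the deployment opts in. The allowlist entries, the demo app, the cookie name and the version string it overrides are all constructed for illustration.

```python
"""Hardening middleware for a WSGI app: Host allowlist, CSP, HSTS, Secure
cookie flag, and a fixed Server header.  Added example, not the patch itself."""

# Constructed allowlist; a real deployment lists its own public hostnames.
ALLOWED_HOSTS = ["example.internal", "localhost"]

# Headers appended to every response, including the 400 for a bad Host.
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Server", "Python"),  # fixed value instead of wsgi/python/gunicorn version info
]


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Compare the Host header (minus any :port) exactly against the allowlist."""
    if not host_header:
        return False
    host = host_header.lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8000
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]         # drop the optional port
    return host in allowed


def session_cookie(value, secure):
    """Build a Set-Cookie value; Secure is appended only when requested."""
    attrs = ["session=%s" % value, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


class SecurityMiddleware:
    def __init__(self, app, secure_cookie=False):
        self.app = app
        self.secure_cookie = secure_cookie   # False mirrors the patch note's choice

    def __call__(self, environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", "")):
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain")] + SECURITY_HEADERS)
            return [b"Bad Host header\n"]

        def secured_start_response(status, headers, exc_info=None):
            # Remove any Server header set upstream, then add the fixed headers.
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            headers += SECURITY_HEADERS
            headers.append(("Set-Cookie",
                            session_cookie("constructed-id", self.secure_cookie)))
            return start_response(status, headers, exc_info)

        return self.app(environ, secured_start_response)


def demo_app(environ, start_response):
    """Constructed inner app that leaks a version string, as an unhardened stack would."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "wsgiref/0.2 CPython/3.11")])  # constructed
    return [b"hello\n"]


def run_request(app, host):
    """Drive the app once with a constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_HOST": host, "wsgi.url_scheme": "https"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = SecurityMiddleware(demo_app)
    for host in ("example.internal:8000", "unexpected.example"):
        status, headers, body = run_request(app, host)
        print(host, "->", status, headers.get("Server"), headers.get("Set-Cookie"))
```

The 400 path deliberately carries the same security headers as a normal response, so a probe against an unlisted Host learns nothing about the server stack. Flipping `secure_cookie=True` is the one-line change to make once the site is served over HTTPS only.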