PEPPER-978 and PEPPER-979 adding a few headers as per appsec. (#2882)

broadinstitute · May 31, 2024 · 1d22791 · 1d22791
1 parent 7a3aa64
commit 1d22791
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/...r-apis/ddp-common/src/main/java/org/broadinstitute/ddp/appengine/spark/SparkBootUtil.java b/...r-apis/ddp-common/src/main/java/org/broadinstitute/ddp/appengine/spark/SparkBootUtil.java
@@ -98,6 +98,14 @@ public static void startSparkServer(AppEngineShutdown stopRouteCallback, Config
                 stopRouteCallback.onTerminate();
             }));
         }
+
+        Spark.afterAfter((req, res) -> {
+            // enable hsts
+            res.header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
+            // assume everything is sensitive and don't allow browser caching
+            res.header("Cache-control", "no-store");
+            res.header("Pragma", "no-cache");
+        });
     }
 
     public static boolean isShuttingDown() {