Add Strict-Transport-Security (HSTS) Header to Enforce HTTPS

[mdwRepository]

Issue Summary

Our Flask application currently does not set the Strict-Transport-Security (HSTS) header, which results in a security warning. The absence of this header means that browsers do not have instructions to enforce HTTPS-only communication with our server, potentially exposing users to protocol downgrade attacks and cookie hijacking.

HTTP/1.1 200 OK
Server: gunicorn
Date: Tue, 12 Nov 2024 14:17:10 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9357
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Content-Type-Options: nosniff

Objective

Implement the Strict-Transport-Security header in our Flask application to enforce HTTPS-only communication and address the security warning.

[sszepe]

Proposed Solution

Add the HSTS header globally to all responses in the Flask app via an @after_request function, as shown below:

@app.after_request
def apply_hsts(response: Response) -> Response:
    # Enforce HTTPS-only communication for 1 year (in seconds)
    # `includeSubDomains` applies HSTS to all subdomains.
    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    return response

Explanation of HSTS Header Options

• max-age=31536000: Sets the HSTS policy duration to 1 year (31536000 seconds).
• includeSubDomains: Ensures HSTS applies to all subdomains, enhancing security across our entire domain.