PRMDR 492 Implement Strict Transport Security headers (#151)

* [PRMDR-492] Add Strict-Transport-Security header to nginx config and lambda response, add a makefile recipe to rebuild docker image * [PRMDR-492] Amend hsts max-age to 2 years (follow the value from nhs official page) * [PRMDR-492] Fix non-working tests from main
nhsconnect · Nov 21, 2023 · 1bb30b6 · 1bb30b6
1 parent 90e4207
commit 1bb30b6
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 25 deletions.
diff --git a/Makefile b/Makefile
@@ -95,6 +95,9 @@ build-env-check:
 docker-up:
 	docker-compose -f ./app/docker-compose.yml up -d
 
+docker-up-rebuild:
+	docker-compose -f ./app/docker-compose.yml up -d --build --force-recreate
+
 docker-down:
 	docker-compose -f ./app/docker-compose.yml down
 

diff --git a/app/docker/nginx.conf b/app/docker/nginx.conf
@@ -1,14 +1,15 @@
 events {
-     worker_connections  4096;  ## Default: 1024
+    worker_connections  4096;  ## Default: 1024
 }
 http {
-     server {
-     listen       80;
-          location / {
-               root   /usr/share/nginx/html;
-               index  index.html index.htm;
-               include /etc/nginx/mime.types;
-               try_files $uri $uri/ /index.html$is_args$args;
-          }
-     }    
+    server {
+    listen       80;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+            include /etc/nginx/mime.types;
+            try_files $uri $uri/ /index.html$is_args$args;
+        }
+    }
 }
diff --git a/lambdas/handlers/bulk_upload_metadata_handler.py b/lambdas/handlers/bulk_upload_metadata_handler.py
@@ -5,12 +5,8 @@
 
 import pydantic
 from botocore.exceptions import ClientError
-from models.staging_metadata import (
-    METADATA_FILENAME,
-    NHS_NUMBER_FIELD_NAME,
-    MetadataFile,
-    StagingMetadata,
-)
+from models.staging_metadata import (METADATA_FILENAME, NHS_NUMBER_FIELD_NAME,
+                                     MetadataFile, StagingMetadata)
 from services.s3_service import S3Service
 from services.sqs_service import SQSService
 from utils.audit_logging_setup import LoggingService

diff --git a/lambdas/services/bulk_upload_service.py b/lambdas/services/bulk_upload_service.py
@@ -11,15 +11,12 @@
 from services.s3_service import S3Service
 from services.sqs_service import SQSService
 from utils.audit_logging_setup import LoggingService
-from utils.exceptions import (
-    DocumentInfectedException,
-    InvalidMessageException,
-    S3FileNotFoundException,
-    TagNotFoundException,
-    VirusScanFailedException,
-    VirusScanNoResultException,
-)
-from utils.lloyd_george_validator import LGInvalidFilesException, validate_lg_file_names
+from utils.exceptions import (DocumentInfectedException,
+                              InvalidMessageException, S3FileNotFoundException,
+                              TagNotFoundException, VirusScanFailedException,
+                              VirusScanNoResultException)
+from utils.lloyd_george_validator import (LGInvalidFilesException,
+                                          validate_lg_file_names)
 from utils.utilities import create_reference_id
 
 logger = LoggingService(__name__)

diff --git a/lambdas/tests/unit/handlers/test_search_patient_details_handler.py b/lambdas/tests/unit/handlers/test_search_patient_details_handler.py
@@ -51,6 +51,7 @@ def test_lambda_handler_valid_id_returns_200(
             "Access-Control-Allow-Methods": "GET",
             "Access-Control-Allow-Origin": "*",
             "Content-Type": "application/fhir+json",
+            "Strict-Transport-Security": "max-age=63072000",
         },
         "isBase64Encoded": False,
         "statusCode": 200,
@@ -78,6 +79,7 @@ def test_lambda_handler_invalid_id_returns_400(
             "Content-Type": "application/fhir+json",
             "Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Methods": "GET",
+            "Strict-Transport-Security": "max-age=63072000",
         },
         "isBase64Encoded": False,
         "statusCode": 400,
@@ -112,6 +114,7 @@ def test_lambda_handler_valid_id_not_in_pds_returns_404(
             "Content-Type": "application/fhir+json",
             "Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Methods": "GET",
+            "Strict-Transport-Security": "max-age=63072000",
         },
         "isBase64Encoded": False,
         "statusCode": 404,
@@ -131,6 +134,7 @@ def test_lambda_handler_missing_id_in_query_params_returns_400(
             "Content-Type": "application/fhir+json",
             "Access-Control-Allow-Origin": "*",
             "Access-Control-Allow-Methods": "GET",
+            "Strict-Transport-Security": "max-age=63072000",
         },
         "isBase64Encoded": False,
         "statusCode": 400,

diff --git a/lambdas/utils/lambda_response.py b/lambdas/utils/lambda_response.py
@@ -14,6 +14,7 @@ def create_api_gateway_response(self, headers=None) -> dict:
                 "Content-Type": "application/fhir+json",
                 "Access-Control-Allow-Origin": "*",
                 "Access-Control-Allow-Methods": self.methods,
+                "Strict-Transport-Security": "max-age=63072000",
                 **headers,
             },
             "body": self.body,