From 1bb30b690a2ed183c3c88260e107fd802115137a Mon Sep 17 00:00:00 2001
From: Joe Fong <127404525+joefong-nhs@users.noreply.github.com>
Date: Tue, 21 Nov 2023 14:06:52 +0000
Subject: [PATCH] PRMDR 492 Implement Strict Transport Security headers (#151)

* [PRMDR-492] Add Strict-Transport-Security header to nginx config and lambda response, add a makefile recipe to rebuild docker image
* [PRMDR-492] Amend hsts max-age to 2 years (follow the value from nhs official page)
* [PRMDR-492] Fix non-working tests from main
---
 Makefile | 3 +++
 app/docker/nginx.conf | 21 ++++++++++---------
 .../handlers/bulk_upload_metadata_handler.py | 8 ++-----
 lambdas/services/bulk_upload_service.py | 15 ++++++-------
 .../test_search_patient_details_handler.py | 4 ++++
 lambdas/utils/lambda_response.py | 1 +
 6 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/Makefile b/Makefile
index a418eb2d2..5937ac79e 100644
--- a/Makefile
+++ b/Makefile
@@ -95,6 +95,9 @@ build-env-check:
 docker-up:
 docker-compose -f ./app/docker-compose.yml up -d
 
+docker-up-rebuild:
+ docker-compose -f ./app/docker-compose.yml up -d --build --force-recreate
+
 docker-down:
 docker-compose -f ./app/docker-compose.yml down
 
diff --git a/app/docker/nginx.conf b/app/docker/nginx.conf
index fb42aeac8..47e3a3695 100644
--- a/app/docker/nginx.conf
+++ b/app/docker/nginx.conf
@@ -1,14 +1,15 @@
 events {
- worker_connections 4096; ## Default: 1024
+ worker_connections 4096; ## Default: 1024
 }
 http {
- server {
- listen 80;
- location / {
- root /usr/share/nginx/html;
- index index.html index.htm;
- include /etc/nginx/mime.types;
- try_files $uri $uri/ /index.html$is_args$args;
- }
- }
+ server {
+ listen 80;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ include /etc/nginx/mime.types;
+ try_files $uri $uri/ /index.html$is_args$args;
+ }
+ }
 }
\ No newline at end of file
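Review bot: The new `add_header Strict-Transport-Security "max-age=63072000" always;` sits in a server block that only has `listen 80;`, and browsers ignore an HSTS header received over plain HTTP (RFC 6797 §8.1), so the directive only takes effect if a TLS-terminating proxy in front of this container forwards the header unchanged. That assumption deserves a comment beside the directive, e.g. `# TLS terminates upstream; browsers only honour HSTS once this header reaches them over HTTPS`. Two further points on the same line: nginx `add_header` directives are not inherited by a `location` that declares its own `add_header`, so a header later added inside `location /` would silently drop this one, and the value omits `includeSubDomains` — if that is deliberate per the NHS guidance the commit message cites, a comment saying so saves the next reviewer the question. The hunk also re-indents every line of the file, which hides the single functional change; a separate formatting commit would keep the diff reviewable.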
diff --git a/lambdas/handlers/bulk_upload_metadata_handler.py b/lambdas/handlers/bulk_upload_metadata_handler.py
index 357d3785c..b909a20e8 100644
--- a/lambdas/handlers/bulk_upload_metadata_handler.py
+++ b/lambdas/handlers/bulk_upload_metadata_handler.py
@@ -5,12 +5,8 @@
 import pydantic
 from botocore.exceptions import ClientError
 
-from models.staging_metadata import (
- METADATA_FILENAME,
- NHS_NUMBER_FIELD_NAME,
- MetadataFile,
- StagingMetadata,
-)
+from models.staging_metadata import (METADATA_FILENAME, NHS_NUMBER_FIELD_NAME,
+ MetadataFile, StagingMetadata)
 from services.s3_service import S3Service
 from services.sqs_service import SQSService
 from utils.audit_logging_setup import LoggingService
diff --git a/lambdas/services/bulk_upload_service.py b/lambdas/services/bulk_upload_service.py
index a581761e9..562e74f36 100644
--- a/lambdas/services/bulk_upload_service.py
+++ b/lambdas/services/bulk_upload_service.py
@@ -11,15 +11,12 @@
 from services.s3_service import S3Service
 from services.sqs_service import SQSService
 from utils.audit_logging_setup import LoggingService
-from utils.exceptions import (
- DocumentInfectedException,
- InvalidMessageException,
- S3FileNotFoundException,
- TagNotFoundException,
- VirusScanFailedException,
- VirusScanNoResultException,
-)
-from utils.lloyd_george_validator import LGInvalidFilesException, validate_lg_file_names
+from utils.exceptions import (DocumentInfectedException,
+ InvalidMessageException, S3FileNotFoundException,
+ TagNotFoundException, VirusScanFailedException,
+ VirusScanNoResultException)
+from utils.lloyd_george_validator import (LGInvalidFilesException,
+ validate_lg_file_names)
 from utils.utilities import create_reference_id
 
 logger = LoggingService(__name__)
diff --git a/lambdas/tests/unit/handlers/test_search_patient_details_handler.py b/lambdas/tests/unit/handlers/test_search_patient_details_handler.py
index 082a5ee3e..745b68994 100644
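Review bot: The rewrapped `from models.staging_metadata import (...)` in this hunk, and the two rewrapped imports in the `lambdas/services/bulk_upload_service.py` hunk, move from black's one-name-per-line parenthesised form (the removed lines) to isort's default grid style, which black will reflow back on its next run. This looks like isort having run without `profile = black` rather than an intended style change, and it has nothing to do with the HSTS work the commit title describes. If the project formats with both tools, setting `profile = black` in the isort configuration and keeping the removed form would stop the churn. Neither hunk changes behaviour, so this is a style point only.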
--- a/lambdas/tests/unit/handlers/test_search_patient_details_handler.py
+++ b/lambdas/tests/unit/handlers/test_search_patient_details_handler.py
@@ -51,6 +51,7 @@ def test_lambda_handler_valid_id_returns_200(
 "Access-Control-Allow-Methods": "GET",
 "Access-Control-Allow-Origin": "*",
 "Content-Type": "application/fhir+json",
+ "Strict-Transport-Security": "max-age=63072000",
 },
 "isBase64Encoded": False,
 "statusCode": 200,
@@ -78,6 +79,7 @@ def test_lambda_handler_invalid_id_returns_400(
 "Content-Type": "application/fhir+json",
 "Access-Control-Allow-Origin": "*",
 "Access-Control-Allow-Methods": "GET",
+ "Strict-Transport-Security": "max-age=63072000",
 },
 "isBase64Encoded": False,
 "statusCode": 400,
@@ -112,6 +114,7 @@ def test_lambda_handler_valid_id_not_in_pds_returns_404(
 "Content-Type": "application/fhir+json",
 "Access-Control-Allow-Origin": "*",
 "Access-Control-Allow-Methods": "GET",
+ "Strict-Transport-Security": "max-age=63072000",
 },
 "isBase64Encoded": False,
 "statusCode": 404,
@@ -131,6 +134,7 @@ def test_lambda_handler_missing_id_in_query_params_returns_400(
 "Content-Type": "application/fhir+json",
 "Access-Control-Allow-Origin": "*",
 "Access-Control-Allow-Methods": "GET",
+ "Strict-Transport-Security": "max-age=63072000",
 },
 "isBase64Encoded": False,
 "statusCode": 400,
diff --git a/lambdas/utils/lambda_response.py b/lambdas/utils/lambda_response.py
index b1f28fc3c..32535c880 100644
--- a/lambdas/utils/lambda_response.py
+++ b/lambdas/utils/lambda_response.py
@@ -14,6 +14,7 @@ def create_api_gateway_response(self, headers=None) -> dict:
 "Content-Type": "application/fhir+json",
 "Access-Control-Allow-Origin": "*",
 "Access-Control-Allow-Methods": self.methods,
+ "Strict-Transport-Security": "max-age=63072000",
 **headers,
 },
 "body": self.body,
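Review bot: The `"Strict-Transport-Security": "max-age=63072000"` literal added in `create_api_gateway_response` is now repeated verbatim four times in `test_search_patient_details_handler.py` and once more in `app/docker/nginx.conf`; a module-level constant in `lambda_response.py`, e.g. `HSTS_HEADER_VALUE = "max-age=63072000"` (name constructed here), referenced from both the response builder and the tests, would keep the lambda and its tests from drifting apart, with the nginx copy the one that has to be kept in step by hand. Because the new entry sits before the `**headers` spread, a caller-supplied `headers` dict can still override or replace it; if that is intended, a one-line comment on the spread such as `# caller-supplied headers win over the defaults above, including HSTS` makes it explicit. `create_api_gateway_response` begins outside the hunk, so I cannot see whether `headers=None` is normalised to `{}` before the spread; if it is not, the default argument makes `**headers` raise `TypeError`. Assuming this response is served through API Gateway, which terminates TLS, the header is honoured by browsers as sent, unlike the plain-HTTP nginx copy.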