Feat(Security):

a. Update CORS settings b. Update session cookie settings c. Remove comments that expose project architecture (and that Claude made most of it :P)
2025-01-25 14:31:34 +00:00
parent fa7cee646a
commit 9ff01b9197
7 changed files with 22 additions and 87 deletions
--- a/app.py
+++ b/app.py
@@ -29,7 +29,7 @@ from controllers.store.stock_item import routes_store_stock_item
 from controllers.store.supplier import routes_store_supplier
 from controllers.store.supplier_purchase_order import routes_store_supplier_purchase_order
 from controllers.user import routes_user
-from extensions import db, csrf, cors, mail, oauth
+from extensions import db, csrf, mail, oauth
 from helpers.helper_app import Helper_App
 # external
 from flask import Flask, render_template, jsonify, request,  render_template_string, send_from_directory, redirect, url_for, session
@@ -82,12 +82,13 @@ def make_session_permanent():
    session.permanent = True

 csrf = CSRFProtect()
-"""
-cors = CORS()
-db = SQLAlchemy()
-mail = Mail()
-oauth = OAuth()
-"""
+cors = CORS(app, resources={
+    r"/static/*": {
+        "origins": [app.config["URL_HOST"]],
+        "methods": ["GET"],
+        "max_age": 3600
+    }
+})

 csrf.init_app(app)
 cors.init_app(app)
@@ -132,4 +133,14 @@ app.register_blueprint(routes_user)
@app.template_filter('console_log')
 def console_log(value):
    Helper_App.console_log(value)
-    return value
+    return value
+
+@app.after_request
+def add_cache_headers(response):
+    if request.path.startswith('/static/'):
+        # Cache static assets
+        response.headers['Cache-Control'] = 'public, max-age=31536000'
+    else:
+        # No caching for dynamic content
+        response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, max-age=0'
+    return response