#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
server.py
Copyright (C) 2021-2023, VISUS Health IT GmbH
This software and supporting documentation were developed by
VISUS Health IT GmbH
Gesundheitscampus-Sued 15
D-44801 Bochum, Germany
http://www.visus.com
mailto:info@visus.com
-> see LICENCE at root of repository
"""
import os
import cherrypy
from app import MultiProjectJob, SingleProjectJob
# ======================================================================================================================
# Server-Tools
# ======================================================================================================================
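def secure_headers():
    """
    Add security-relevant HTTP headers to every response sent to the client.

    Registered in the main routine as a CherryPy ``before_finalize`` tool; it
    only runs for requests whose config switches the tool on
    (``tools.<name>.on``).

    1) Strict-Transport-Security -> clients may only reach this host (including
       subdomains) over HTTPS; browsers only honour it on TLS responses
    2) X-Frame-Options -> forbid embedding in frames (clickjacking)
    3) X-XSS-Protection -> legacy browser XSS filter; current browsers have
       dropped the filter, the value is kept for older clients
    4) X-Content-Type-Options -> no MIME sniffing of served/uploaded data
    5) Content-Security-Policy -> resources may only be loaded from our own origin
    6) Server -> blank out the field CherryPy fills with server information
    7) X-Permitted-Cross-Domain-Policies -> forbid any cross-domain embedding of
       site content (Flash/PDF policy files)
    """
    headers = cherrypy.response.headers
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    headers["X-Frame-Options"] = "DENY"
    headers["X-XSS-Protection"] = "1; mode=block"
    headers["X-Content-Type-Options"] = "nosniff"
    # "default-src" is the CSP fallback directive. The earlier value
    # "default-app 'self'" is not a CSP directive, so browsers discarded the
    # whole policy and no CSP was in effect. Note that 'self' also forbids
    # inline scripts/styles in any HTML this server happens to return.
    headers["Content-Security-Policy"] = "default-src 'self'"
    headers["Server"] = "none"
    headers["X-Permitted-Cross-Domain-Policies"] = "none"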
def CORS():
    """
    Handle CORS (Cross-Origin Resource Sharing) for JavaScript requests.

    Registered in the main routine as a CherryPy ``before_handler`` tool and
    enabled through ``tools.CORS.on`` in the REST config. The wildcard lets a
    page from any origin read responses of these endpoints; browsers do not
    accept ``*`` for credentialed (cookie/Authorization) cross-origin requests.
    """
    response_headers = cherrypy.response.headers
    response_headers["Access-Control-Allow-Origin"] = "*"
# ======================================================================================================================
# Server-Konfiguration
# ======================================================================================================================
# Directory this file lives in; handed to the jobs as their working root.
root_path = os.path.dirname(os.path.abspath(__file__))

# Configuration shared by every REST endpoint: dispatch on the HTTP method
# (GET/POST/... map to methods of the mounted job object) and switch on the
# CORS tool, which the main routine registers on cherrypy.tools.
_endpoint_settings = {
    "request.dispatch": cherrypy.dispatch.MethodDispatcher(),
    "tools.CORS.on": True,
}
rest_config = {"/": _endpoint_settings}
# ======================================================================================================================
# MAIN-Routine
# ======================================================================================================================
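if __name__ == "__main__":
    # 1) Mount the URL paths
    # ======================
    # Each job becomes its own CherryPy application under its URL prefix and
    # receives the directory of this file as its working root.
    cherrypy.tree.mount(MultiProjectJob("REPLACE_ME_1", root_path), "/REPLACE_ME_1", config=rest_config)
    # ^
    # add additional multi project jobs here after initializing the databases
    cherrypy.tree.mount(SingleProjectJob("REPLACE_ME_2", root_path), "/REPLACE_ME_2", config=rest_config)
    # ^
    # add additional single project jobs here after initializing the databases

    # 2) Extended configuration
    # =========================
    # Registering a Tool on cherrypy.tools does not activate it: a tool only
    # runs for requests whose config sets "tools.<name>.on". Nothing in this
    # file enabled secureheaders, so unless the job classes in app switch it
    # on themselves (_cp_config), no response carried the security headers.
    cherrypy.tools.secureheaders = cherrypy.Tool("before_finalize", secure_headers, priority=60)
    cherrypy.tools.CORS = cherrypy.Tool("before_handler", CORS)
    cherrypy.config.update({
        "server.socket_port": 12346,
        # Binds every interface. No TLS is configured here, so the
        # Strict-Transport-Security header set by secure_headers() only takes
        # effect once the server is reached through an HTTPS endpoint.
        "server.socket_host": "0.0.0.0",
        # Enable the security-header tool globally (harmless if a job already
        # enables it); applied per request, so the order relative to the
        # mounts above does not matter.
        "tools.secureheaders.on": True,
    })

    # 3) Start the server
    # ===================
    cherrypy.engine.start()
    cherrypy.engine.block()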