Merge pull request #1925 from GSA/main

8/21/2025 Production Deploy

Author: ccostino

.ds.baseline

@@ -257,7 +257,7 @@
         "filename": "tests/app/db.py",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 90,
+        "line_number": 91,
         "is_secret": false
       }
     ],
@@ -374,5 +374,5 @@
       }
     ]
   },
-  "generated_at": "2025-07-02T18:56:01Z"
+  "generated_at": "2025-08-12T18:08:49Z"
 }

Makefile

@@ -70,7 +70,7 @@ run-celery: ## Run celery, TODO remove purge for staging/prod
 		-A run_celery.notify_celery worker \
 		--pidfile="/tmp/celery.pid" \
 		--loglevel=INFO \
-		--pool=eventlet
+		--pool=gevent
 		--concurrency=20
 
 

README.md

@@ -39,7 +39,7 @@ You will need the following items:
 This project currently works with these major versions of the following main
 components:
 
-- Python 3.13.x
+- Python 3.12.x
 - PostgreSQL 15.x (version 12.x is used in the hosted environments)
 
 These instructions will walk you through how to set your machine up with all of
@@ -117,7 +117,7 @@ configuration after installation to get working out of the box:
 - [jq](https://stedolan.github.io/jq/) - for working with JSON in the command
   line
 - [git](https://git-scm.com/) - for version control management
-- [tfenv](https://github.com/tfutils/tfenv) - for managing
+- [tenv](https://github.com/tofuutils/tenv) - for managing
   [Terraform](https://www.terraform.io/) installations
 - [cf-cli@8](https://docs.cloudfoundry.org/cf-cli/install-go-cli.html) - for
   working with a Cloud Foundry platform (e.g., cloud.gov)
@@ -136,15 +136,19 @@ brew install jq git tfenv cloudfoundry/tap/cf-cli@8 redis vim wget
 
 #### Terraform Installation
 
-As a part of the installation above, you just installed `tfenv` to manage
+As a part of the installation above, you just installed `tenv` to manage
 Terraform installations. This is great, but you still need to install Terraform
 itself, which can be done with this command:
 
 ```sh
-tfenv install "latest:^1.7"
-tfenv use 1.7.x # x = the patch version installed
+tenv
 ```
 
+This will open a menu for you; choose Terraform, then choose the latest stable
+version.
+
+_NOTE: This project currently uses the latest `1.12.x release of Terraform._
+
 #### Python Installation
 
 Now we're going to install a tool to help us manage Python versions and
@@ -174,12 +178,12 @@ session to make the changes take effect.
 Now we're ready to install the Python version we need with `pyenv`, like so:
 
 ```sh
-pyenv install 3.13
+pyenv install 3.12
 ```
 
-This will install the latest version of Python 3.13.
+This will install the latest version of Python 3.12.
 
-_NOTE: This project currently runs on Python 3.13.x._
+_NOTE: This project currently runs on Python 3.12.x._
 
 #### Python Dependency Installation
 
@@ -313,10 +317,10 @@ If you're upgrading an existing project to a newer version of Python, you can
 follow these steps to get yourself up-to-date.
 
 First, use `pyenv` to install the newer version of Python you'd like to use;
-we'll use `3.13` in our example here since we recently upgraded to this version:
+we'll use `3.12` in our example here since we recently upgraded to this version:
 
 ```sh
-pyenv install 3.13
+pyenv install 3.12
 ```
 
 Next, delete the virtual environment you previously had set up. If you followed

app/__init__.py

@@ -9,7 +9,14 @@
 from time import monotonic
 
 from celery import Celery, Task, current_task
-from flask import current_app, g, has_request_context, jsonify, make_response, request
+from flask import (
+    current_app,
+    g,
+    has_request_context,
+    jsonify,
+    make_response,
+    request,
+)
 from flask.ctx import has_app_context
 from flask_migrate import Migrate
 from flask_socketio import SocketIO
@@ -294,15 +301,44 @@ def record_request_details():
         g.start = monotonic()
         g.endpoint = request.endpoint
 
+    @app.before_request
+    def handle_options():
+        if request.method == "OPTIONS":
+            response = make_response("", 204)
+            response.headers["Access-Control-Allow-Origin"] = "*"
+            response.headers["Access-Control-Allow-Methods"] = (
+                "GET, POST, PUT, DELETE, OPTIONS"
+            )
+            response.headers["Access-Control-Allow-Headers"] = (
+                "Content-Type, Authorization"
+            )
+            response.headers["Access-Control-Max-Age"] = "3600"
+            return response
+
     @app.after_request
     def after_request(response):
+        # Security headers for government compliance
         response.headers.add("X-Content-Type-Options", "nosniff")
+        response.headers.add("X-Frame-Options", "DENY")
+        response.headers.add("X-XSS-Protection", "1; mode=block")
+        response.headers.add("Referrer-Policy", "strict-origin-when-cross-origin")
+        response.headers.add(
+            "Permissions-Policy", "geolocation=(), microphone=(), camera=()"
+        )
 
-        # Some dynamic scan findings
+        # CORS-related security headers
         response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
         response.headers.add("Cross-Origin-Embedder-Policy", "require-corp")
         response.headers.add("Cross-Origin-Resource-Policy", "same-origin")
-        response.headers.add("Cross-Origin-Opener-Policy", "same-origin")
+
+        if not request.path.startswith("/docs"):
+            response.headers.add(
+                "Content-Security-Policy", "default-src 'none'; frame-ancestors 'none';"
+            )
+
+        response.headers.add(
+            "Strict-Transport-Security", "max-age=31536000; includeSubDomains"
+        )
 
         return response
 
@@ -352,15 +388,18 @@ def setup_sqlalchemy_events(app):
     with app.app_context():
 
         @event.listens_for(db.engine, "connect")
-        def connect(dbapi_connection, connection_record):  # noqa
+        def connect(dbapi_connection, connection_record):
+            current_app.logger.debug(f"Using {dbapi_connection} {connection_record}")
             pass
 
         @event.listens_for(db.engine, "close")
-        def close(dbapi_connection, connection_record):  # noqa
+        def close(dbapi_connection, connection_record):
             pass
 
         @event.listens_for(db.engine, "checkout")
-        def checkout(dbapi_connection, connection_record, connection_proxy):  # noqa
+        def checkout(dbapi_connection, connection_record, connection_proxy):
+            current_app.logger.debug(f"Using {dbapi_connection} {connection_proxy}")
+
             try:
                 # this will overwrite any previous checkout_at timestamp
                 connection_record.info["checkout_at"] = time.monotonic()
@@ -401,7 +440,7 @@ def checkout(dbapi_connection, connection_record, connection_proxy):  # noqa
                 )
 
         @event.listens_for(db.engine, "checkin")
-        def checkin(dbapi_connection, connection_record):  # noqa
+        def checkin(dbapi_connection, connection_record):
             pass
 
 
@@ -428,7 +467,7 @@ def app_context(self):
                 g.request_id = self.request_id
                 yield
 
-        def on_success(self, retval, task_id, args, kwargs):  # noqa
+        def on_success(self, retval, task_id, args, kwargs):
             # enables request id tracing for these logs
             with self.app_context():
                 elapsed_time = time.monotonic() - self.start
@@ -441,9 +480,11 @@ def on_success(self, retval, task_id, args, kwargs):  # noqa
                     )
                 )
 
-        def on_failure(self, exc, task_id, args, kwargs, einfo):  # noqa
+        def on_failure(self, exc, task_id, args, kwargs, einfo):
+
             # enables request id tracing for these logs
             with self.app_context():
+                app.logger.debug(f"einfo is {einfo}")
                 app.logger.exception(
                     "Celery task {task_name} (queue: {queue_name}) failed".format(
                         task_name=self.name,