Merge branch 'main' into feature/eja-eli-434-adding-owasp-dependency-scan

Author: eddalmond1

docs/security-headers.md

@@ -0,0 +1,48 @@
+# Security Headers Implementation
+
+This document describes the implementation of security headers for the Eligibility Signposting API.
+
+## Overview
+
+Security headers have been implemented using a two-layer approach:
+
+1. **API Gateway Responses** (Terraform) - For error responses (4xx, 5xx) generated by API Gateway
+2. **Flask middleware** (Python) - For all successful responses (200, 201, etc.) from the Lambda function
+
+This ensures security headers are present on **all** responses, regardless of where they originate.
+
+## Security Headers
+
+The following security headers are applied to all responses:
+
+| Header | Value | Purpose |
+|--------|-------|---------|
+| `Cache-Control` | `no-store, private` | Prevents caching of sensitive data |
+| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` | Enforces HTTPS for 1 year on all subdomains |
+| `X-Content-Type-Options` | `nosniff` | Prevents MIME type sniffing |
+
+## Implementation Details
+
+### 1. API Gateway Responses (Terraform)
+
+File: `infrastructure/stacks/api-layer/gateway_responses.tf`
+
+Gateway responses handle error responses generated by API Gateway itself (e.g., validation failures, authorization errors, throttling).
+
+The following response types have been configured:
+
+- `DEFAULT_4XX` - All 4xx errors
+- `DEFAULT_5XX` - All 5xx errors
+- `UNAUTHORIZED` (401)
+- `ACCESS_DENIED` (403)
+- `THROTTLED` (429)
+
+### 2. Flask middleware
+
+Files:
+
+- `src/eligibility_signposting_api/middleware/security_headers.py` - middleware implementation
+- `src/eligibility_signposting_api/middleware/__init__.py` - Package exports
+- `src/eligibility_signposting_api/app.py` - middleware registration
+
+The middleware uses Flask's `after_request` hook to add security headers to all responses from the Lambda function. It's non-overriding: Allows specific endpoints to override headers if needed

infrastructure/stacks/api-layer/gateway_responses.tf

@@ -0,0 +1,61 @@
+# Gateway Responses with Security Headers
+# These responses are used when API Gateway itself returns an error (e.g., validation failures, auth errors)
+# They ensure security headers are present even on API Gateway-generated error responses
+
+resource "aws_api_gateway_gateway_response" "response_4xx" {
+  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "response_5xx" {
+  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "unauthorized" {
+  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
+  response_type = "UNAUTHORIZED"
+  status_code   = "401"
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "access_denied" {
+  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
+  response_type = "ACCESS_DENIED"
+  status_code   = "403"
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "throttled" {
+  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
+  response_type = "THROTTLED"
+  status_code   = "429"
+
+  response_parameters = {
+    "gatewayresponse.header.Cache-Control"             = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security" = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"    = "'nosniff'"
+  }
+}

infrastructure/stacks/api-layer/patient_check.tf

@@ -112,5 +112,8 @@ resource "aws_api_gateway_gateway_response" "bad_request_parameters" {
   response_parameters = {
     "gatewayresponse.header.Access-Control-Allow-Origin" = "'*'"
     "gatewayresponse.header.Content-Type"                = "'application/fhir+json'"
+    "gatewayresponse.header.Cache-Control"               = "'no-store, private'"
+    "gatewayresponse.header.Strict-Transport-Security"   = "'max-age=31536000; includeSubDomains'"
+    "gatewayresponse.header.X-Content-Type-Options"      = "'nosniff'"
   }
 }

scripts/config/vale/styles/config/vocabularies/words/accept.txt

@@ -8,6 +8,8 @@ Gitleaks
 Grype
 idempotence
 Makefile
+Middleware
+middleware
 OAuth
 Octokit
 onboarding

src/eligibility_signposting_api/app.py

@@ -17,6 +17,7 @@
 from eligibility_signposting_api.logging.logs_helper import log_request_ids_from_headers
 from eligibility_signposting_api.logging.logs_manager import add_lambda_request_id_to_logger, init_logging
 from eligibility_signposting_api.logging.tracing_helper import tracing_setup
+from eligibility_signposting_api.middleware import SecurityHeadersMiddleware
 from eligibility_signposting_api.views import eligibility_blueprint
 
 if os.getenv("ENABLE_XRAY_PATCHING"):
@@ -62,6 +63,9 @@ def create_app() -> Flask:
     app = Flask(__name__)
     logger.info("app created")
 
+    # Register security headers middleware
+    SecurityHeadersMiddleware(app)
+
     # Register views & error handler
     app.register_blueprint(eligibility_blueprint, url_prefix=f"/{URL_PREFIX}")
     app.register_error_handler(Exception, handle_exception)

src/eligibility_signposting_api/middleware/__init__.py

@@ -0,0 +1,5 @@
+"""Middleware package for the Eligibility Signposting API."""
+
+from eligibility_signposting_api.middleware.security_headers import SecurityHeadersMiddleware
+
+__all__ = ["SecurityHeadersMiddleware"]

src/eligibility_signposting_api/middleware/security_headers.py

@@ -0,0 +1,60 @@
+"""Security headers middleware for Flask application.
+
+This middleware adds security headers to all responses from the Lambda function.
+These headers are applied to successful responses (200, 201, etc.) from the application.
+
+For API Gateway error responses (4xx, 5xx generated by API Gateway itself),
+see gateway_responses.tf in the infrastructure configuration.
+"""
+
+from typing import ClassVar
+
+from flask import Flask, Response
+
+
+class SecurityHeadersMiddleware:
+    """Middleware to add security headers to all Flask responses."""
+
+    # Security headers recommended for NHS APIs
+    SECURITY_HEADERS: ClassVar[dict[str, str]] = {
+        "Cache-Control": "no-store, private",
+        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+        "X-Content-Type-Options": "nosniff",
+    }
+
+    def __init__(self, app: Flask | None = None) -> None:
+        """Initialize the middleware.
+
+        Args:
+            app: Flask application instance. Can be provided later via init_app()
+        """
+        if app is not None:
+            self.init_app(app)
+
+    def init_app(self, app: Flask) -> None:
+        """Initialize the middleware with a Flask application.
+
+        Args:
+            app: Flask application instance to apply middleware to
+        """
+        app.after_request(self.add_security_headers)
+
+    @classmethod
+    def add_security_headers(cls, response: Response) -> Response:
+        """Add security headers to the Flask response.
+
+        This is called automatically by Flask after each request.
+
+        Args:
+            response: Flask response object
+
+        Returns:
+            Modified response object with security headers added
+        """
+        for header, value in cls.SECURITY_HEADERS.items():
+            # Only add header if it doesn't already exist
+            # This allows specific endpoints to override if needed
+            if header not in response.headers:
+                response.headers[header] = value
+
+        return response

tests/unit/middleware/__init__.py

@@ -0,0 +1 @@
+"""Tests for middleware components."""

tests/unit/middleware/test_security_headers.py

@@ -0,0 +1,166 @@
+"""Tests for security headers middleware."""
+
+from http import HTTPStatus
+
+import pytest
+from flask import Flask
+from flask.testing import FlaskClient
+from hamcrest import assert_that, contains_string, equal_to, has_entries, is_
+
+from eligibility_signposting_api.middleware import SecurityHeadersMiddleware
+
+
+class MiddlewareTestError(Exception):
+    """Custom exception for middleware error handling tests."""
+
+
+@pytest.fixture
+def test_app() -> Flask:
+    """Create a test Flask app with security headers middleware."""
+    app = Flask(__name__)
+    SecurityHeadersMiddleware(app)
+
+    @app.route("/test")
+    def test_route():
+        return {"status": "ok"}, HTTPStatus.OK
+
+    @app.route("/error")
+    def error_route():
+        msg = "Test error"
+        raise MiddlewareTestError(msg)
+
+    @app.errorhandler(MiddlewareTestError)
+    def handle_value_error(e):
+        return {"error": str(e)}, HTTPStatus.INTERNAL_SERVER_ERROR
+
+    return app
+
+
+@pytest.fixture
+def client(test_app: Flask) -> FlaskClient:
+    """Create a test client."""
+    return test_app.test_client()
+
+
+class TestSecurityHeadersMiddleware:
+    """Test suite for SecurityHeadersMiddleware."""
+
+    def test_security_headers_present_on_successful_response(self, client: FlaskClient) -> None:
+        """Test that security headers are added to successful responses."""
+        response = client.get("/test")
+
+        assert_that(response.status_code, is_(equal_to(HTTPStatus.OK)))
+        assert_that(
+            dict(response.headers),
+            has_entries(
+                {
+                    "Cache-Control": "no-store, private",
+                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+                    "X-Content-Type-Options": "nosniff",
+                }
+            ),
+        )
+
+    def test_security_headers_present_on_error_response(self, client: FlaskClient) -> None:
+        """Test that security headers are added to error responses."""
+        response = client.get("/error")
+
+        assert_that(response.status_code, is_(equal_to(HTTPStatus.INTERNAL_SERVER_ERROR)))
+        assert_that(
+            dict(response.headers),
+            has_entries(
+                {
+                    "Cache-Control": "no-store, private",
+                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+                    "X-Content-Type-Options": "nosniff",
+                }
+            ),
+        )
+
+    def test_security_headers_present_on_404(self, client: FlaskClient) -> None:
+        """Test that security headers are added to 404 responses."""
+        response = client.get("/nonexistent")
+
+        assert_that(response.status_code, is_(equal_to(HTTPStatus.NOT_FOUND)))
+        assert_that(
+            dict(response.headers),
+            has_entries(
+                {
+                    "Cache-Control": "no-store, private",
+                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+                    "X-Content-Type-Options": "nosniff",
+                }
+            ),
+        )
+
+    def test_all_expected_headers_are_present(self, client: FlaskClient) -> None:
+        """Test that all expected security headers are present."""
+        response = client.get("/test")
+
+        expected_headers = {
+            "Cache-Control",
+            "Strict-Transport-Security",
+            "X-Content-Type-Options",
+        }
+
+        response_headers = set(response.headers.keys())
+        assert expected_headers.issubset(response_headers), (
+            f"Missing security headers: {expected_headers - response_headers}"
+        )
+
+    def test_cache_control_prevents_caching(self, client: FlaskClient) -> None:
+        """Test that Cache-Control header prevents caching of sensitive data."""
+        response = client.get("/test")
+
+        cache_control = response.headers.get("Cache-Control")
+        assert_that(cache_control, contains_string("no-store"))
+        assert_that(cache_control, contains_string("private"))
+
+    def test_hsts_header_enforces_https(self, client: FlaskClient) -> None:
+        """Test that HSTS header is properly configured."""
+        response = client.get("/test")
+
+        hsts = response.headers.get("Strict-Transport-Security")
+        assert_that(hsts, contains_string("max-age=31536000"))
+        assert_that(hsts, contains_string("includeSubDomains"))
+
+    def test_content_type_options_prevents_sniffing(self, client: FlaskClient) -> None:
+        """Test that X-Content-Type-Options prevents MIME sniffing."""
+        response = client.get("/test")
+
+        content_type_options = response.headers.get("X-Content-Type-Options")
+        assert_that(content_type_options, is_(equal_to("nosniff")))
+
+    def test_middleware_init_app_method(self) -> None:
+        """Test that middleware can be initialized separately using init_app."""
+        app = Flask(__name__)
+        middleware = SecurityHeadersMiddleware()
+        middleware.init_app(app)
+
+        @app.route("/test")
+        def test_route():
+            return {"status": "ok"}, HTTPStatus.OK
+
+        with app.test_client() as client:
+            response = client.get("/test")
+            assert_that(response.headers.get("Cache-Control"), is_(equal_to("no-store, private")))
+
+    def test_existing_headers_are_not_overridden(self) -> None:
+        """Test that existing headers are not overridden by middleware."""
+        app = Flask(__name__)
+        SecurityHeadersMiddleware(app)
+
+        @app.route("/test")
+        def test_route():
+            from flask import make_response
+
+            resp = make_response({"status": "ok"}, HTTPStatus.OK)
+            resp.headers["Cache-Control"] = "public, max-age=3600"
+            return resp
+
+        with app.test_client() as client:
+            response = client.get("/test")
+            # Should keep the custom Cache-Control value
+            assert_that(response.headers.get("Cache-Control"), is_(equal_to("public, max-age=3600")))
+            # But other headers should still be added
+            assert_that(response.headers.get("X-Content-Type-Options"), is_(equal_to("nosniff")))