maya-chen/flask
1
0
Fork 0
forked from orbit-oss/flask
Code Pull requests Activity

Suggest only one package, change the sourcecode block to none

Browse source
This commit is contained in:
Lowell Abbott 2017-05-23 01:54:06 -07:00
parent c47f4530a1
commit ee7cb9d6b2
1 changed files with 14 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

68
docs/security.rst
View file

@ -105,49 +105,33 @@ vulnerabilities
this behavior was changed and :func:`~flask.jsonify` now supports serializing this behavior was changed and :func:`~flask.jsonify` now supports serializing
arrays. arrays.
SSL/HTTPS
---------
For implementing HTTPS on your server.
Below are some packages that implement this protocol:
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-sslify <https://github.com/kennethreitz/flask-sslify>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
Security Headers Security Headers
---------------- ----------------
This section contains a list of headers supported by Flask and some packages that implements them. This section contains a list of headers supported by Flask.
To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`.
Content Security Policy (CSP) Content Security Policy (CSP)
----------------------------------------------------------------------------- -----------------------------
Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks.
Example: Example:
.. sourcecode:: html .. sourcecode:: none
Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none'
See also `Content Security Policy <https://csp.withgoogle.com/docs/index.html>`_. See also `Content Security Policy <https://csp.withgoogle.com/docs/index.html>`_.
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-csp <https://github.com/twaldear/flask-csp>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security (HSTS)
------------------------------------------------------------------------------------------------------------------------------ -------------------------------------
Redirects http requests to https on all urls, preventing MITM attacks. Redirects http requests to https on all urls, preventing MITM attacks.
Example: Example:
.. sourcecode:: html .. sourcecode:: none
Strict-Transport-Security: max-age=<expire-time Strict-Transport-Security: max-age=<expire-time
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
@ -155,16 +139,12 @@ Example:
See also `Strict Transport Security <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>`_. See also `Strict Transport Security <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>`_.
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-sslify <https://github.com/kennethreitz/flask-sslify>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
X-FRAME-OPTIONS (Clickjacking protection) X-FRAME-OPTIONS (Clickjacking protection)
------------------------------------------------------------------------------------------------------------------------- -----------------------------------------
Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks.
.. sourcecode:: html .. sourcecode:: none
X-Frame-Options: DENY X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN X-Frame-Options: SAMEORIGIN
@ -172,59 +152,39 @@ Prevents the client from clicking page elements outside of the website, avoiding
See also `X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options>`_. See also `X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options>`_.
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
X-Content-Type-Options X-Content-Type-Options
------------------------------------------------------------------------------------------------------------- ----------------------
Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it. Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it.
.. sourcecode:: html .. sourcecode:: none
X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff
See also `X-Content-Type-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_. See also `X-Content-Type-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_.
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
Cookie options Cookie options
---------------------------------------------------------------------------------------------------------- --------------
For setting cookies on client-side storage. For setting cookies on client-side storage.
Example: Example:
.. sourcecode:: html .. sourcecode:: none
Set-Cookie: [cookie-name]=[cookie-value] Set-Cookie: [cookie-name]=[cookie-value]
See also `HTTP cookies <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies>`_ . See also `HTTP cookies <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies>`_ .
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
HTTP Public Key Pinning (HPKP) HTTP Public Key Pinning (HPKP)
------------------------------------------------------------------------------------------------------- ------------------------------
For associating clients with web servers through a certificate key and prevent MITM attacks. For associating clients with web servers through a certificate key and prevent MITM attacks.
Example: Example:
.. sourcecode:: html .. sourcecode:: none
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
See also `Public Key Pinning <https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning>`_. See also `Public Key Pinning <https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning>`_.
* `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_
* `flask-secure-headers <https://github.com/twaldear/flask-secure-headers>`_
References
-----------
* https://docs.djangoproject.com/en/1.11/topics/security/
* https://blog.appcanary.com/2017/http-security-headers.html
* https://developer.mozilla.org
* https://csp.withgoogle.com/docs/index.html