diff --git a/docs/security.rst b/docs/security.rst index 120600cc..59767139 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -109,25 +109,12 @@ Security Headers ---------------- This section contains a list of headers supported by Flask. -To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `. - -Content Security Policy (CSP) ------------------------------ - -Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. - -Example: - -.. sourcecode:: none - - Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' - -See also `Content Security Policy `_. +To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `_. HTTP Strict Transport Security (HSTS) ------------------------------------- -Redirects http requests to https on all urls, preventing MITM attacks. +Redirects http requests to https on all urls, preventing Man-in-the-middle (MITM) attacks. Example: @@ -139,7 +126,20 @@ Example: See also `Strict Transport Security `_. -X-FRAME-OPTIONS (Clickjacking protection) +HTTP Public Key Pinning (HPKP) +------------------------------ + +This enables your web server to authenticate with a client browser using a specific certificate key to prevent Man-in-the-middle (MITM) attacks. + +Example: + +.. sourcecode:: none + + Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] + +See also `Public Key Pinning `_. + +X-Frame-Options (Clickjacking protection) ----------------------------------------- Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. 
@@ -155,7 +155,7 @@ See also `X-Frame-Options `_. +Content Security Policy (CSP) +----------------------------- + +Enhances security and prevents common web vulnerabilities such as cross-site scripting (XSS) and Man-in-the-middle (MITM) related attacks. + +Example: + +.. sourcecode:: none + + Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' + +See also `Content Security Policy `_. + Cookie options -------------- -For setting cookies on client-side storage. +While these headers are not directly security related, they have important options that may affect your flask application. + +- ``Secure`` limits your cookies to HTTPS traffic only. +- ``HttpOnly`` protects the contents of your cookie from being visible to XSS. +- ``SameSite`` ensures that cookies can only be requested from the same domain that created them but this feature is not yet fully supported across all browsers. Example: @@ -174,17 +191,7 @@ Example: Set-Cookie: [cookie-name]=[cookie-value] -See also `HTTP cookies `_ . +See also: -HTTP Public Key Pinning (HPKP) ------------------------------- - -For associating clients with web servers through a certificate key and prevent MITM attacks. - -Example: - -.. sourcecode:: none - - Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] - -See also `Public Key Pinning `_. +- Mozilla guide to `HTTP cookies `_. +- `OWASP HTTP Only `_.
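Review bot: In the first hunk (@@ -109,25 +109,12 @@), the reworded HSTS line "Redirects http requests to https on all urls, preventing Man-in-the-middle (MITM) attacks." is not quite what the header does: the browser, not the server, upgrades future requests to HTTPS once it has seen the header, and the first visit is still unprotected unless the site is on a preload list. Suggest "Tells the browser to use HTTPS for all future requests to this host, which reduces exposure to man-in-the-middle attacks on later visits." Also, the `flask-talisman `_ reference has an empty link target in the visible lines; the URL should be checked before merge.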
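Review bot: In the second hunk (@@ -139,7 +126,20 @@), the new HPKP paragraph "This enables your web server to authenticate with a client browser using a specific certificate key" describes the mechanism backwards: the header asks the browser to remember a hash of the server's public key and reject later connections presenting a certificate chain that does not contain a pinned key; it does not authenticate the server to the client. More importantly, HPKP is deprecated and has been removed from major browsers, and a mistaken or lost pin locks users out of the site until max-age expires, so moving it above X-Frame-Options and presenting it without a caveat is a step in the wrong direction. Suggest either dropping the section or keeping it at the end with a sentence noting it is deprecated and not recommended for new deployments.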
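Review bot: In the third hunk (@@ -155,7 +155,7 @@), the new lead sentence "While these headers are not directly security related, they have important options that may affect your flask application." contradicts the three bullets that follow, each of which is a security control; suggest "The cookie header itself is not a security header, but these attributes materially affect the security of your Flask application." (also capitalise Flask). The `SameSite` bullet, "ensures that cookies can only be requested from the same domain that created them", is imprecise: the attribute controls whether the browser attaches the cookie to cross-site requests (`Strict` never, `Lax` only on top-level navigations), which is what limits CSRF; it does not stop the cookie being read. The `HttpOnly` bullet should say the cookie is hidden from JavaScript (`document.cookie`), which is what limits XSS theft. The hunk header's line counts (7/7) also do not match the number of added lines, so the patch may have been hand-edited and should be regenerated.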
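Review bot: In the fourth hunk (@@ -174,17 +191,7 @@), the retained example "Set-Cookie: [cookie-name]=[cookie-value]" now sits directly under bullets describing `Secure`, `HttpOnly` and `SameSite` but shows none of them, so a reader copying the example gets an unprotected cookie; suggest "Set-Cookie: [cookie-name]=[cookie-value]; Secure; HttpOnly; SameSite=Lax" so the example matches the text. The two new "See also" links have empty targets in the visible lines and should be verified before merge.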