Authentication Security

The previous implementation used Werkzeug’s default PBKDF2 hashing and allowed weak passwords with no protection against brute-force login attempts.
I upgraded the system by implementing Argon2 password hashing, enforcing strong password validation rules, adding login rate limiting to prevent brute-force attacks, and securing session cookies with proper security configurations.
This commit is contained in:
NiDU-NINJA 2026-02-19 15:55:59 +05:30
parent d98eb69a35
commit 212ba487ed
2 changed files with 52 additions and 9 deletions

View file

@ -1,10 +1,15 @@
import os
from flask import Flask
# Import limiter for brute-force protection
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
def create_app(test_config=None):
"""Create and configure an instance of the Flask application."""
app = Flask(__name__, instance_relative_config=True)
app.config.from_mapping(
# a default secret that should be overridden by instance config
@ -12,7 +17,12 @@ def create_app(test_config=None):
# store the database in the instance folder
DATABASE=os.path.join(app.instance_path, "flaskr.sqlite"),
)
# Secure session cookie settings for production safety
app.config.update(
SESSION_COOKIE_SECURE=True, # Cookie sent only over HTTPS
SESSION_COOKIE_HTTPONLY=True, # Prevent JavaScript access (XSS protection)
SESSION_COOKIE_SAMESITE="Lax", # Helps protect against CSRF
)
if test_config is None:
# load the instance config, if it exists, when not testing
app.config.from_pyfile("config.py", silent=True)
@ -22,6 +32,14 @@ def create_app(test_config=None):
# ensure the instance folder exists
os.makedirs(app.instance_path, exist_ok=True)
# Initialize rate limiter to prevent brute-force login attacks
limiter = Limiter(
get_remote_address,
app=app,
default_limits=["200 per day", "50 per hour"], # Global safety limits
)
# Make limiter accessible inside other files (like auth.py)
app.extensions["limiter"] = limiter
@app.route("/hello")
def hello():
@ -45,4 +63,4 @@ def create_app(test_config=None):
# the tutorial the blog will be the main index
app.add_url_rule("/", endpoint="index")
return app
return app