diff --git a/docs/security.rst b/docs/security.rst index ad0d1244..5033ddda 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -104,3 +104,94 @@ vulnerabilities `_, so this behavior was changed and :func:`~flask.jsonify` now supports serializing arrays. + +Security Headers +---------------- + +This section contains a list of HTTP security headers supported by Flask. +To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `_. + +HTTP Strict Transport Security (HSTS) +------------------------------------- + +Redirects HTTP requests to HTTPS on all URLs, preventing man-in-the-middle (MITM) attacks. + +Example: + +.. sourcecode:: none + + Strict-Transport-Security: max-age=; includeSubDomains + Strict-Transport-Security: max-age=; preload + +See also `Strict Transport Security `_. + +HTTP Public Key Pinning (HPKP) +------------------------------ + +This enables your web server to authenticate with a client browser using a specific certificate key to prevent man-in-the-middle (MITM) attacks. + +Example: + +.. sourcecode:: none + + Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] + +See also `Public Key Pinning `_. + +X-Frame-Options (Clickjacking Protection) +----------------------------------------- + +Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. + +.. sourcecode:: none + + X-Frame-Options: DENY + X-Frame-Options: SAMEORIGIN + X-Frame-Options: ALLOW-FROM https://example.com/ + +See also `X-Frame-Options `_. + +X-Content-Type-Options +---------------------- + +This header prevents Cross-site scripting (XSS) by blocking requests on clients and forcing them to first read and validate the content-type before reading any of the contents of the request. + +.. sourcecode:: none + + X-Content-Type-Options: nosniff + +See also `X-Content-Type-Options `_. 
+ +Content Security Policy (CSP) +----------------------------- + +Enhances security and prevents common web vulnerabilities such as cross-site scripting (XSS) and man-in-the-middle (MITM) related attacks. + +Example: + +.. sourcecode:: none + + Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' + +See also `Content Security Policy `_. + +Cookie Options +-------------- + +While these headers are not directly security related, they have important options that may affect your Flask application. + +- ``Secure`` limits your cookies to HTTPS traffic only. +- ``HttpOnly`` protects the contents of your cookie from being visible to XSS. +- ``SameSite`` ensures that cookies can only be requested from the same domain that created them but this feature is not yet fully supported across all browsers. + +Example: + +.. sourcecode:: none + + Set-Cookie: [cookie-name]=[cookie-value] + +See also: + +- Mozilla guide to `HTTP cookies `_. +- `OWASP HTTP Only `_.
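Review bot: the HSTS paragraph in the new "HTTP Strict Transport Security (HSTS)" section misstates what the header does; it does not redirect HTTP requests, it tells a browser that has already received it over HTTPS to use HTTPS for all later requests to that host for `max-age` seconds, so the application still needs its own HTTP-to-HTTPS redirect, and both example lines carry an empty value (`Strict-Transport-Security: max-age=; includeSubDomains`) where a concrete duration such as `max-age=31536000` belongs. The X-Frame-Options text ("Prevents the client from clicking page elements outside of the website") is likewise inaccurate: the header controls whether the page may be rendered inside a frame on another origin, which is what defeats clickjacking, and the X-Content-Type-Options text should say that `nosniff` makes the browser honour the response's declared Content-Type instead of sniffing it, rather than "blocking requests on clients". In Cookie Options, the lead sentence "While these headers are not directly security related" contradicts the three bullets that follow (Secure, HttpOnly and SameSite are security attributes), and the example `Set-Cookie: [cookie-name]=[cookie-value]` shows none of the attributes just described; suggest `Set-Cookie: session=[cookie-value]; Secure; HttpOnly; SameSite=Lax`. Finally, each per-header section is underlined with the same `-` character as "Security Headers" itself, so reStructuredText will render them as siblings of that section rather than children; use a different underline character (for example `~`) for the sub-sections, and fill in the empty link targets in the `See also` references before merging.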