Flask: Review HTTP security

Created on 16 May 2017 · 2Comments · Source: pallets/flask

We should make sure we're providing good, thorough security defaults, or at least documentation on the available options. Not sure if this fits better as Flask config, Werkzeug middleware, or a separate Flask-HTTP-Security extension.

Overview of HTTP security headers: https://blog.appcanary.com/2017/http-security-headers.html
Django's security options: https://docs.djangoproject.com/en/1.11/topics/security/ (some things, such as CSRF and SQL are handled by other libraries, not Flask)

As a first step, good for beginners, it would be nice to get a writeup here of what's already covered and what's not.

docs good first issue

Source

davidism

👍1

Most helpful comment

@davidism

[x] [Cross-Site Scripting](http://flask.pocoo.org/docs/0.12/security/#cross-site-scripting-xss) (XSS)
[x] [Cross-Site Request Forgery](http://flask.pocoo.org/docs/0.12/security/#cross-site-request-forgery-csrf) (CSRF)
[x] [JSON Security](http://flask.pocoo.org/docs/0.12/security/#json-security)
[x] SSL/HTTPS
flask-talisman
flask-sslify
flask-secure-headers

Security Headers

[x] [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS)
flask-sslify
flask-talisman
flask-secure-headers
[x] [Content Security Policy](https://csp.withgoogle.com/docs/index.html) (CSP)
flask-talisman
flask-csp
flask-secure-headers
[x] [X-FRAME-OPTIONS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) (Clickjacking protection)
flask-talisman
flask-secure-headers
[x] [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
flask-talisman
flask-secure-headers
[x] [Cookie options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies)
flask-talisman
flask-secure-headers
[x] [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) (HPKP)
flask-secure-headers
flask-talisman

aqt01 on 22 May 2017

👍3

All 2 comments

Setting HSTS and redirecting HTTP to HTTPS might be interesting, cc @kennethreitz

davidism on 22 May 2017

@davidism

[x] [Cross-Site Scripting](http://flask.pocoo.org/docs/0.12/security/#cross-site-scripting-xss) (XSS)
[x] [Cross-Site Request Forgery](http://flask.pocoo.org/docs/0.12/security/#cross-site-request-forgery-csrf) (CSRF)
[x] [JSON Security](http://flask.pocoo.org/docs/0.12/security/#json-security)
[x] SSL/HTTPS
flask-talisman
flask-sslify
flask-secure-headers

Security Headers

[x] [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS)
flask-sslify
flask-talisman
flask-secure-headers
[x] [Content Security Policy](https://csp.withgoogle.com/docs/index.html) (CSP)
flask-talisman
flask-csp
flask-secure-headers
[x] [X-FRAME-OPTIONS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) (Clickjacking protection)
flask-talisman
flask-secure-headers
[x] [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
flask-talisman
flask-secure-headers
[x] [Cookie options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies)
flask-talisman
flask-secure-headers
[x] [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) (HPKP)
flask-secure-headers
flask-talisman