add CSP

TempeHS · Oct 4, 2024 · 7eab0fa · 7eab0fa
1 parent 3bc28b4
commit 7eab0fa
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/.student_resources/content_security_policy/README.md b/.student_resources/content_security_policy/README.md
@@ -0,0 +1,48 @@
+# Content Security Policy
+
+Content Security Policy (CSP) can significantly reduce the risk and impact of cross-site scripting attacks in modern browsers. A CSP has been a W3C recomendation since 2016 and is now the industry standard in securing web applications.
+
+More information on CSP: [w3c documentation](http://www.w3.org/TR/CSP2/)
+
+## To add a Content Security Policy header to your Flask application.
+
+### Installation
+Install the extension with using pip, or easy_install. [Pypi Link](https://pypi.python.org/pypi/flask-csp)
+
+```bash
+$ pip install flask-csp
+```
+
+## Usage
+Add the csp_header(...) decorator after the app.route(...) decorator to create a csp header on each route. The decorator can either be passed no value (Add default policies) or custom values by a dict (Add custom policies). For more information on the default policies see "Change Default Policies" below.
+
+### Add default header
+```python
+    @app.route('/', methods=['POST', 'GET'])
+    @app.route('/index.html', methods=['GET'])
+    @csp_header({
+    "default-src": "'self'",
+    "script-src": "'self'",
+    "img-src": "http: https: data:",
+    "object-src": "'self'",
+    "style-src": "'self'",
+    "media-src": "'self'",
+    "child-src": "'self'",
+    "connect-src": "'self'",
+    "base-uri": "",
+    "report-uri": "/csp_report",
+    "frame-ancestors": 'none'
+    })
+    def index():
+        #index implementation
+```
+
+### Create an app route for CSP reports
+
+```python
+    @app.route('/csp_report',methods=['POST'])
+    def csp_report():
+        with open('csp_reports', "a") as fh:
+            fh.write(request.data.decode()+"\n")
+        return 'done'
+```
diff --git a/README.md b/README.md
@@ -35,7 +35,6 @@ You are to run a range of security tests and scans along with a white/grey/black
 - [The Open Worldwide Application Security Project](https://owasp.org/) the most current and accurate source of knowldge about web application security.
 - [Best practices in protecting flask applications](https://escape.tech/blog/best-practices-protect-flask-applications/).
 
-
 ## Solution implementation support
 
 - [Cross Frame Scripting XFS](.student_resources\XFS\README.md).
@@ -49,6 +48,7 @@ You are to run a range of security tests and scans along with a white/grey/black
 - [Flask session management](https://pythonbasics.org/flask-sessions/)
 - [Cross Site Scripting XSS](.student_resources\XSS_scripts\README.md).
 - [SQL Injections](.student_resources\SQL_Injection).
+- [Content Security Policy](.student_resources\content_security_policy\README.md)
 
 > [!TIP]
 > ## Teaching advice: