Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues.
The default configuration:
- Forces all connects to
https
, unless running with debug enabled. - Enables HTTP Strict Transport Security.
- Sets Flask's session cookie to
secure
, so it will never be set if you application is somehow accessed via a non-secure connection. - Sets Flask's session cookie to
httponly
, preventing JavaScript from being able to access its content. CSRF via Ajax uses a separate cookie and should be unaffected. - Sets
X-Frame-Options
to
SAMEORIGIN
to avoid clickjacking. - Sets X-XSS-Protection to enable a cross site scripting filter for IE/Chrome.
- Sets X-Content-Type-Options to prevents content type sniffing for IE >= 9.
- Sets X-Download-Options to prevent file downloads opening for IE >= 8.
- Sets a strict Content Security
Policy
of
default-src: 'self'
. This is intended to almost completely prevent Cross Site Scripting (XSS) attacks. This is probably the only setting that you should reasonably change. See the Content Security Policy section.
In addition to Talisman, you should always use a cross-site request forgery (CSRF) library. It's highly recommended to use Flask-SeaSurf, which is based on Django's excellent library.
Install via pip:
pip install flask-talisman
from flask import Flask
from flask_talisman import Talisman
app = Flask(__name__)
Talisman(app)
There is also a full Example App.
force_https
, defaultTrue
, forces all non-debug connects tohttps
.force_https_permanent
, defaultFalse
, uses301
instead of302
forhttps
redirects.frame_options
, defaultSAMEORIGIN
, can beSAMEORIGIN
,DENY
, orALLOWFROM
.frame_options_allow_from
, defaultNone
, a string indicating the domains that are allowed to embed the site via iframe.strict_transport_security
, defaultTrue
, whether to send HSTS headers.strict_transport_security_preload
, defaultFalse
, enables HSTS preloading If you register your application with Google's HSTS preload list, Firefox and Chrome will never load your site over a non-secure connection.strict_transport_security_max_age
, defaultONE_YEAR_IN_SECS
, length of time the browser will respect the HSTS header.strict_transport_security_include_subdomains
, defaultTrue
, whether subdomains should also use HSTS.content_security_policy
, defaultdefault-src: 'self'
, see the Content Security Policy section.content_security_policy_report_only
, defaultFalse
, whether to set the CSP header as "report-only" (as Content-Security-Policy-Report-Only) to ease deployment by disabling the policy enforcement by the browser, requires passing a value with thecontent_security_policy_report_uri
parametercontent_security_policy_report_uri
, defaultNone
, a string indicating the report URI used for CSP violation reportssession_cookie_secure
, defaultTrue
, set the session cookie tosecure
, preventing it from being sent over plainhttp
.session_cookie_http_only
, defaultTrue
, set the session cookie tohttponly
, preventing it from being read by JavaScript.force_file_save
, defaultFalse
, whether to set theX-Download-Options
header tonoopen
to prevent IE >= 8 to from opening file downloads directly and only save them instead
Sometimes you want to change the policy for a specific view. The
force_https
, frame_options
, frame_options_allow_from
, and
content_security_policy
options can be changed on a per-view basis.
from flask import Flask
from flask_talisman import Talisman, ALLOW_FROM
app = Flask(__name__)
talisman = Talisman(app)
@app.route('/normal')
def normal():
return 'Normal'
@app.route('/embeddable')
@talisman(frame_options=ALLOW_FROM, frame_options_allow_from='*')
def embeddable():
return 'Embeddable'
The default content security policy is extremely strict and will prevent loading any resources that are not in the same domain as the application. Most web applications will need to change this policy.
A slightly more permissive policy is available at
flask_talisman.GOOGLE_CSP_POLICY
, which allows loading Google-hosted JS
libraries, fonts, and embeding media from YouTube and Maps.
You can and should create your own policy to suit your site's needs. Here's a few examples adapted from MDN:
This is the default policy. A web site administrator wants all content to come from the site's own origin (this excludes subdomains.)
csp = {
'default-src': '\'self\''
}
A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on.)
csp = {
'default-src': [
'\'self\'',
'*.trusted.com'
]
}
A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.
csp = {
'default-src': '\'self\'',
'image-src': '*',
'media-src': [
'media1.com',
'media2.com',
],
'script-src': 'userscripts.example.com'
}
In this example content is only permitted from the document's origin with the following exceptions:
- Images may loaded from anywhere (note the
*
wildcard). - Media is only allowed from media1.com and media2.com (and not from subdomains of those sites).
- Executable script is only allowed from userscripts.example.com.
A web site administrator for an online banking site wants to ensure that all its content is loaded using SSL, in order to prevent attackers from eavesdropping on requests.
csp = {
'default-src': 'https://onlinebanking.jumbobank.com'
}
The server only permits access to documents being loaded specifically over HTTPS through the single origin onlinebanking.jumbobank.com.
A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.
csp = {
'default-src': [
'\'self\'',
'*.mailsite.com',
],
'img-src': '*'
}
Note that this example doesn't specify a script-src
; with the
example CSP, this site uses the setting specified by the default-src
directive, which means that scripts can be loaded only from the
originating server.
This is not an official Google product, experimental or otherwise.
There is no silver bullet for web application security. Talisman can help, but security is more than just setting a few headers. Any public-facing web application should have a comprehensive approach to security.
- See CONTRIBUTING.md
- Apache 2.0 - See LICENSE