From 8459cedaa94445fd17b223aed16312f5da2f76ac Mon Sep 17 00:00:00 2001 From: Lowell Abbott Date: Mon, 22 May 2017 20:52:02 -0700 Subject: [PATCH 1/6] Add security headers notes --- docs/security.rst | 127 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) diff --git a/docs/security.rst b/docs/security.rst index ad0d1244..914dd92a 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -104,3 +104,130 @@ vulnerabilities `_, so this behavior was changed and :func:`~flask.jsonify` now supports serializing arrays. + + +SSL/HTTPS +--------- + +For implementing HTTPS on your server + +Below some packages in suggestion order that implements this protocol: + +* `flask-talisman `_ +* `flask-sslify `_ +* `flask-secure-headers `_ + +Security Headers +---------------- + +This sections contains sections headers supported by Flask and a list of packages in suggestion order that implements it + +`Content Security Policy `_ (CSP) +----------------------------------------------------------------------------- + +For enhancing security and preventing common web vulnerabilities such as cross-site scripting and MITM related attacks + +Example + +.. sourcecode:: html + + Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' + + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-csp `_ +* `flask-secure-headers `_ + +`HTTP Strict Transport Security `_ (HSTS) +------------------------------------------------------------------------------------------------------------------------------ + + +For automatically redirect HTTP to HTTPS on all the website url's and prevent MITM attacks + +Example + +.. sourcecode:: html + + Strict-Transport-Security: max-age=; includeSubDomains + Strict-Transport-Security: max-age=; preload + +To learn more check `this `_ + + +* `flask-talisman `_ +* `flask-sslify `_ +* `flask-secure-headers `_ + +`X-FRAME-OPTIONS `_ (Clickjacking protection) +------------------------------------------------------------------------------------------------------------------------- +Prevents the client clicking page elements outside of the website avoiding hijacking or UI redress attacks + + +.. 
sourcecode:: html + + X-Frame-Options: DENY + X-Frame-Options: SAMEORIGIN + X-Frame-Options: ALLOW-FROM https://example.com/ + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-secure-headers `_ + +`X-Content-Type-Options `_ +------------------------------------------------------------------------------------------------------------- + +Prevents XSS by blocking requests on clients and forcing then to read the content type instead of first opening it. + +.. sourcecode:: html + + X-Content-Type-Options: nosniff + +To learn more check `this `_ + + +* `flask-talisman `_ +* `flask-secure-headers `_ + +`Cookie options `_ +---------------------------------------------------------------------------------------------------------- + +For setting cookies on client-side storage + +Example + +.. sourcecode:: html + + Set-Cookie: [cookie-name]=[cookie-value] + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-secure-headers `_ + +`HTTP Public Key Pinning `_ (HPKP) +------------------------------------------------------------------------------------------------------- + +For associating clients with web servers throught a certificate key and prevent MITM attacks + +Example + +.. sourcecode:: html + + Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-secure-headers `_ + +References: +----------- + +* https://docs.djangoproject.com/en/1.11/topics/security/ +* https://blog.appcanary.com/2017/http-security-headers.html +* https://developer.mozilla.org +* https://csp.withgoogle.com/docs/index.html From 98b0f96a9820d6314cd814d27b25589ac08ccbf4 Mon Sep 17 00:00:00 2001 From: Lowell Abbott Date: Mon, 22 May 2017 23:48:35 -0700 Subject: [PATCH 2/6] Fix typos, semantics and some other corrections --- docs/security.rst | 43 ++++++++++++++++++++----------------------- 1 file changed, 20 insertions(+), 23 deletions(-) 
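Review bot: the HSTS example in this hunk, ``Strict-Transport-Security: max-age=; includeSubDomains``, carries no value for ``max-age``, so a reader who copies it ships a header that browsers ignore. Give a concrete value in seconds, for instance ``max-age=31536000; includeSubDomains``, and explain that the second line's ``preload`` is a commitment rather than an option: a domain submitted to the browser preload lists cannot be removed quickly, so it should only be added once HTTPS works on every subdomain.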
diff --git a/docs/security.rst b/docs/security.rst index 914dd92a..f2a1ee4e 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -109,9 +109,9 @@ arrays. SSL/HTTPS --------- -For implementing HTTPS on your server +For implementing HTTPS on your server. -Below some packages in suggestion order that implements this protocol: +Below are some packages that implement this protocol: * `flask-talisman `_ * `flask-sslify `_ @@ -120,21 +120,21 @@ Below some packages in suggestion order that implements this protocol: Security Headers ---------------- -This sections contains sections headers supported by Flask and a list of packages in suggestion order that implements it +This section contains a list of headers supported by Flask and some packages that implements them. `Content Security Policy `_ (CSP) ----------------------------------------------------------------------------- -For enhancing security and preventing common web vulnerabilities such as cross-site scripting and MITM related attacks +Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. -Example +Example: .. sourcecode:: html Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' -To learn more check `this `_ +See also `Content Security Policy `_. * `flask-talisman `_ * `flask-csp `_ @@ -143,10 +143,9 @@ To learn more check `this `_ `HTTP Strict Transport Security `_ (HSTS) ------------------------------------------------------------------------------------------------------------------------------ +Redirects http requests to https on all urls, preventing MITM attacks. -For automatically redirect HTTP to HTTPS on all the website url's and prevent MITM attacks - -Example +Example: .. sourcecode:: html 
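Review bot: the CSP example in hunk ``@@ -120,21 +120,21 @@`` uses ``'nonce-{random}'`` without saying what ``{random}`` is. State that the server must generate a fresh, unpredictable nonce for every response, put it in the header and in each ``<script nonce="...">`` tag, and never reuse it; a static or guessable nonce makes the ``script-src`` directive worthless. The same hunk still describes CSP as preventing "MITM related attacks": CSP is a content-injection (XSS) mitigation, and the only link to MITM here is that ``default-src https:`` blocks mixed content, so say "mixed content" or drop the MITM claim. Grammar: "Enhance security and prevents" should be "Enhances security and prevents", and "packages that implements them" should be "packages that implement them".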
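Review bot: "Redirects http requests to https on all urls" in hunk ``@@ -143,10 +143,9 @@`` misdescribes HSTS. The header redirects nothing; it tells a browser that has already received it over HTTPS to rewrite future ``http://`` URLs for that host to ``https://`` before connecting, for ``max-age`` seconds. The server therefore still needs its own redirect (in flask-talisman that is the ``force_https`` option), and the header is only honoured when delivered over a valid HTTPS connection. Suggested wording: "Tells browsers to use HTTPS only for this host, so a later visit cannot be downgraded to plain HTTP by a man-in-the-middle."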
@@ -154,8 +153,7 @@ Example Strict-Transport-Security: max-age=; includeSubDomains Strict-Transport-Security: max-age=; preload -To learn more check `this `_ - +See also `Strict Transport Security `_. * `flask-talisman `_ * `flask-sslify `_ @@ -163,8 +161,8 @@ To learn more check `this `_ (Clickjacking protection) ------------------------------------------------------------------------------------------------------------------------- -Prevents the client clicking page elements outside of the website avoiding hijacking or UI redress attacks +Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. .. sourcecode:: html @@ -172,7 +170,7 @@ Prevents the client clicking page elements outside of the website avoiding hijac X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/ -To learn more check `this `_ +See also `X-Frame-Options `_. * `flask-talisman `_ * `flask-secure-headers `_ @@ -180,14 +178,13 @@ To learn more check `this `_ ------------------------------------------------------------------------------------------------------------- -Prevents XSS by blocking requests on clients and forcing then to read the content type instead of first opening it. +Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it. .. sourcecode:: html X-Content-Type-Options: nosniff -To learn more check `this `_ - +See also `X-Content-Type-Options `_. * `flask-talisman `_ * `flask-secure-headers `_ @@ -195,15 +192,15 @@ To learn more check `this `_ ---------------------------------------------------------------------------------------------------------- -For setting cookies on client-side storage +For setting cookies on client-side storage. -Example +Example: .. sourcecode:: html Set-Cookie: [cookie-name]=[cookie-value] -To learn more check `this `_ +See also `HTTP cookies `_ . * `flask-talisman `_ * `flask-secure-headers `_ 
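Review bot: the X-Frame-Options description in hunk ``@@ -163,8 +161,8 @@`` is backwards. The header does not stop the client from clicking anything; it tells the browser whether this response may be rendered inside a ``<frame>`` or ``<iframe>`` on another page, which is what defeats clickjacking (an attacker framing your site invisibly under their own UI). Suggested wording: "Controls whether other sites may embed your pages in a frame, preventing clickjacking (UI redress) attacks."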
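Review bot: the ``X-Frame-Options: ALLOW-FROM https://example.com/`` line in hunk ``@@ -172,7 +170,7 @@`` needs a caveat. ``ALLOW-FROM`` accepts a single origin and is not implemented by every browser; Chrome and Safari ignore the header entirely when they see it, leaving the page unprotected. Recommend ``DENY`` or ``SAMEORIGIN`` here and point to the CSP ``frame-ancestors`` directive when a list of permitted framing origins is really needed.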
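Review bot: the X-Content-Type-Options description in hunk ``@@ -180,14 +178,13 @@`` is still wrong after the "then" to "them" fix. ``nosniff`` does not block requests; it tells the browser to trust the declared ``Content-Type`` instead of sniffing the body, so a user upload served as ``text/plain`` or ``image/png`` cannot be reinterpreted as HTML, and a script or stylesheet whose MIME type does not match is refused. Suggested wording: "Stops browsers from guessing (sniffing) the content type of a response, so content served with a non-executable type cannot be executed as script or rendered as HTML." Worth adding that it only helps when the application sets accurate ``Content-Type`` headers in the first place.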
@@ -211,20 +208,20 @@ To learn more check `this `_ (HPKP) ------------------------------------------------------------------------------------------------------- -For associating clients with web servers throught a certificate key and prevent MITM attacks +For associating clients with web servers through a certificate key and prevent MITM attacks. -Example +Example: .. sourcecode:: html Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] -To learn more check `this `_ +See also `Public Key Pinning `_. * `flask-talisman `_ * `flask-secure-headers `_ -References: +References ----------- * https://docs.djangoproject.com/en/1.11/topics/security/ From c47f4530a1f2a15830c1d1cb983297a580a4613d Mon Sep 17 00:00:00 2001 From: Lowell Abbott Date: Mon, 22 May 2017 23:54:28 -0700 Subject: [PATCH 3/6] Erased duplicated links on title --- docs/security.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index f2a1ee4e..b6c234b6 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -122,7 +122,7 @@ Security Headers This section contains a list of headers supported by Flask and some packages that implements them. -`Content Security Policy `_ (CSP) +Content Security Policy (CSP) ----------------------------------------------------------------------------- Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. @@ -140,7 +140,7 @@ See also `Content Security Policy `_ * `flask-csp `_ * `flask-secure-headers `_ -`HTTP Strict Transport Security `_ (HSTS) +HTTP Strict Transport Security (HSTS) ------------------------------------------------------------------------------------------------------------------------------ Redirects http requests to https on all urls, preventing MITM attacks. 
@@ -159,7 +159,7 @@ See also `Strict Transport Security `_ * `flask-secure-headers `_ -`X-FRAME-OPTIONS `_ (Clickjacking protection) +X-FRAME-OPTIONS (Clickjacking protection) ------------------------------------------------------------------------------------------------------------------------- Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. @@ -175,7 +175,7 @@ See also `X-Frame-Options `_ * `flask-secure-headers `_ -`X-Content-Type-Options `_ +X-Content-Type-Options ------------------------------------------------------------------------------------------------------------- Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it. @@ -189,7 +189,7 @@ See also `X-Content-Type-Options `_ * `flask-secure-headers `_ -`Cookie options `_ +Cookie options ---------------------------------------------------------------------------------------------------------- For setting cookies on client-side storage. @@ -205,7 +205,7 @@ See also `HTTP cookies `_ * `flask-secure-headers `_ -`HTTP Public Key Pinning `_ (HPKP) +HTTP Public Key Pinning (HPKP) ------------------------------------------------------------------------------------------------------- For associating clients with web servers through a certificate key and prevent MITM attacks. From ee7cb9d6b2ff404be33bcc0487f8b0fee806436d Mon Sep 17 00:00:00 2001 From: Lowell Abbott Date: Tue, 23 May 2017 01:54:06 -0700 Subject: [PATCH 4/6] Suggest only one package, change the sourcecode block to none --- docs/security.rst | 68 ++++++++++------------------------------------- 1 file changed, 14 insertions(+), 54 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index b6c234b6..120600cc 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -105,49 +105,33 @@ vulnerabilities this behavior was changed and :func:`~flask.jsonify` now supports serializing arrays. - -SSL/HTTPS ---------- - -For implementing HTTPS on your server. - -Below are some packages that implement this protocol: - -* `flask-talisman `_ -* `flask-sslify `_ -* `flask-secure-headers `_ - Security Headers ---------------- -This section contains a list of headers supported by Flask and some packages that implements them. +This section contains a list of headers supported by Flask. +To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `. Content Security Policy (CSP) ------------------------------------------------------------------------------ +----------------------------- Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. Example: -.. sourcecode:: html +.. sourcecode:: none Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' - See also `Content Security Policy `_. -* `flask-talisman `_ -* `flask-csp `_ -* `flask-secure-headers `_ - HTTP Strict Transport Security (HSTS) ------------------------------------------------------------------------------------------------------------------------------- +------------------------------------- Redirects http requests to https on all urls, preventing MITM attacks. Example: -.. sourcecode:: html +.. sourcecode:: none Strict-Transport-Security: max-age=; includeSubDomains 
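Review bot: the new introductory sentence in hunk ``@@ -105,49 +105,33 @@`` has a broken hyperlink: it ends with ```flask-talisman <...>`.`` and lacks the trailing ``_`` that reST needs, so Sphinx will render a literal backticked phrase rather than a link. Compare the removed bullet lines in the same hunk, which use the correct ```flask-talisman <...>`_`` form.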
@@ -155,16 +139,12 @@ Example: See also `Strict Transport Security `_. -* `flask-talisman `_ -* `flask-sslify `_ -* `flask-secure-headers `_ - X-FRAME-OPTIONS (Clickjacking protection) -------------------------------------------------------------------------------------------------------------------------- +----------------------------------------- Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. -.. sourcecode:: html +.. sourcecode:: none X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN 
@@ -172,59 +152,39 @@ Prevents the client from clicking page elements outside of the website, avoiding See also `X-Frame-Options `_. -* `flask-talisman `_ -* `flask-secure-headers `_ - X-Content-Type-Options -------------------------------------------------------------------------------------------------------------- +---------------------- Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it. -.. sourcecode:: html +.. sourcecode:: none X-Content-Type-Options: nosniff See also `X-Content-Type-Options `_. -* `flask-talisman `_ -* `flask-secure-headers `_ - Cookie options ----------------------------------------------------------------------------------------------------------- +-------------- For setting cookies on client-side storage. Example: -.. sourcecode:: html +.. sourcecode:: none Set-Cookie: [cookie-name]=[cookie-value] See also `HTTP cookies `_ . -* `flask-talisman `_ -* `flask-secure-headers `_ - HTTP Public Key Pinning (HPKP) -------------------------------------------------------------------------------------------------------- +------------------------------ For associating clients with web servers through a certificate key and prevent MITM attacks. Example: -.. sourcecode:: html +.. sourcecode:: none Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] See also `Public Key Pinning `_. - -* `flask-talisman `_ -* `flask-secure-headers `_ - -References ------------ - -* https://docs.djangoproject.com/en/1.11/topics/security/ -* https://blog.appcanary.com/2017/http-security-headers.html -* https://developer.mozilla.org -* https://csp.withgoogle.com/docs/index.html From 09a0d2ebd1c832977b46be6d0cbd7b42944ffc49 Mon Sep 17 00:00:00 2001 
From: Lowell Abbott Date: Tue, 23 May 2017 12:26:43 -0700 Subject: [PATCH 5/6] Re-order by semantic. Fix link on flask-talismand and re-word many concepts --- docs/security.rst | 59 ++++++++++++++++++++++++++--------------------- 1 file changed, 33 insertions(+), 26 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 120600cc..59767139 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -109,37 +109,37 @@ Security Headers ---------------- This section contains a list of headers supported by Flask. -To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `. +To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `_. -Content Security Policy (CSP) ------------------------------ +HTTP Strict Transport Security (HSTS) +------------------------------------- -Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. +Redirects http requests to https on all urls, preventing Man-in-the-middle (MITM) attacks. Example: .. sourcecode:: none - Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' + Strict-Transport-Security: max-age=; includeSubDomains + Strict-Transport-Security: max-age=; preload -See also `Content Security Policy `_. +See also `Strict Transport Security `_. -HTTP Strict Transport Security (HSTS) -------------------------------------- +HTTP Public Key Pinning (HPKP) +------------------------------ -Redirects http requests to https on all urls, preventing MITM attacks. +This enables your web server to authenticate with a client browser using a specific certificate key to prevent Man-in-the-middle (MITM) attacks. Example: .. sourcecode:: none - - Strict-Transport-Security: max-age=; includeSubDomains - Strict-Transport-Security: max-age=; preload -See also `Strict Transport Security `_. + Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] + +See also `Public Key Pinning `_. -X-FRAME-OPTIONS (Clickjacking protection) +X-Frame-Options (Clickjacking protection) ----------------------------------------- Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. 
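Review bot: the new HPKP sentence in hunk ``@@ -109,37 +109,37 @@`` ("enables your web server to authenticate with a client browser using a specific certificate key") describes the mechanism incorrectly, and the section has no risk warning. The header tells a browser that has seen it over a valid HTTPS connection to refuse, for ``max-age`` seconds, any future certificate chain for the host that does not contain one of the pinned public-key hashes. Pinning a key you later lose, or rotating certificates without a backup pin, locks every returning visitor out until ``max-age`` expires; RFC 7469 requires a backup pin that is not in the served chain for exactly this reason, and browsers ignore a ``Public-Key-Pins`` header without one. Suggest wording it as "Pins the public keys a browser will accept for this host", showing two ``pin-sha256`` values in the example, and recommending a short ``max-age`` with ``report-uri`` (or ``Public-Key-Pins-Report-Only``) before enforcing.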
@@ -155,7 +155,7 @@ See also `X-Frame-Options `_. -Cookie options --------------- +Content Security Policy (CSP) +----------------------------- -For setting cookies on client-side storage. +Enhances security and prevents common web vulnerabilities such as cross-site scripting (XSS) and Man-in-the-middle (MITM) related attacks. Example: .. sourcecode:: none - Set-Cookie: [cookie-name]=[cookie-value] + Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' -See also `HTTP cookies `_ . +See also `Content Security Policy `_. -HTTP Public Key Pinning (HPKP) ------------------------------- +Cookie options +-------------- + +While these headers are not directly security related, they have important options that may affect your flask application. -For associating clients with web servers through a certificate key and prevent MITM attacks. +- ``Secure`` limits your cookies to HTTPS traffic only. +- ``HttpOnly`` protects the contents of your cookie from being visible to XSS. +- ``SameSite`` ensures that cookies can only be requested from the same domain that created them but this feature is not yet fully supported across all browsers. Example: .. sourcecode:: none + + Set-Cookie: [cookie-name]=[cookie-value] - Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] +See also: -See also `Public Key Pinning `_. +- Mozilla guide to `HTTP cookies `_. +- `OWASP HTTP Only `_. From fcfd03146011dbb2ab77868b2f56374d51b39d56 Mon Sep 17 00:00:00 2001 From: Lowell Abbott Date: Thu, 25 May 2017 14:42:42 -0700 Subject: [PATCH 6/6] Add capitalize and other details --- docs/security.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 59767139..5033ddda 100644 --- a/docs/security.rst +++ b/docs/security.rst 
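Review bot: in hunk ``@@ -155,7 +155,7 @@`` the cookie section now lists ``Secure``, ``HttpOnly`` and ``SameSite``, but the example still reads ``Set-Cookie: [cookie-name]=[cookie-value]`` with none of them, so text and example disagree. Show the attributes in the example, for instance ``Set-Cookie: session=[cookie-value]; Secure; HttpOnly; SameSite=Lax``. The ``SameSite`` bullet is also inaccurate: it does not stop cookies being "requested from" other domains; it stops the browser sending the cookie with cross-site requests (``Strict`` on all of them, ``Lax`` on all but top-level navigations), which is a CSRF mitigation. The opening "not directly security related" undersells these attributes, which are the main defences against cookie theft via XSS and against CSRF. For Flask's own session cookie, ``Secure`` and ``HttpOnly`` correspond to the ``SESSION_COOKIE_SECURE`` and ``SESSION_COOKIE_HTTPONLY`` configuration keys, which is worth mentioning in this section.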
@@ -108,13 +108,13 @@ arrays. Security Headers ---------------- -This section contains a list of headers supported by Flask. +This section contains a list of HTTP security headers supported by Flask. To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `_. HTTP Strict Transport Security (HSTS) ------------------------------------- -Redirects http requests to https on all urls, preventing Man-in-the-middle (MITM) attacks. +Redirects HTTP requests to HTTPS on all URLs, preventing man-in-the-middle (MITM) attacks. Example: @@ -129,7 +129,7 @@ See also `Strict Transport Security `_. -X-Frame-Options (Clickjacking protection) +X-Frame-Options (Clickjacking Protection) ----------------------------------------- Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. @@ -166,7 +166,7 @@ See also `X-Content-Type-Options `_. -Cookie options +Cookie Options -------------- -While these headers are not directly security related, they have important options that may affect your flask application. +While these headers are not directly security related, they have important options that may affect your Flask application. - ``Secure`` limits your cookies to HTTPS traffic only. - ``HttpOnly`` protects the contents of your cookie from being visible to XSS.
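Review bot: "HTTP security headers supported by Flask" in hunk ``@@ -108,13 +108,13 @@`` is misleading. None of these headers is a Flask feature; they are ordinary response headers that any WSGI application can set, for example by adding them to ``response.headers`` in an ``@app.after_request`` handler, and flask-talisman is one package that does this for you. Suggest "HTTP security headers relevant to a Flask application" and keep the following sentence that recommends flask-talisman.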