From 8459cedaa94445fd17b223aed16312f5da2f76ac Mon Sep 17 00:00:00 2001 From: Lowell Abbott Date: Mon, 22 May 2017 20:52:02 -0700 Subject: [PATCH] Add security headers notes --- docs/security.rst | 127 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) diff --git a/docs/security.rst b/docs/security.rst index ad0d1244..914dd92a 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -104,3 +104,130 @@ vulnerabilities `_, so this behavior was changed and :func:`~flask.jsonify` now supports serializing arrays. + + +SSL/HTTPS +--------- + +For implementing HTTPS on your server + +Below some packages in suggestion order that implements this protocol: + +* `flask-talisman `_ +* `flask-sslify `_ +* `flask-secure-headers `_ + +Security Headers +---------------- + +This sections contains sections headers supported by Flask and a list of packages in suggestion order that implements it + +`Content Security Policy `_ (CSP) +----------------------------------------------------------------------------- + +For enhancing security and preventing common web vulnerabilities such as cross-site scripting and MITM related attacks + +Example + +.. sourcecode:: html + + Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' + + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-csp `_ +* `flask-secure-headers `_ + +`HTTP Strict Transport Security `_ (HSTS) +------------------------------------------------------------------------------------------------------------------------------ + + +For automatically redirect HTTP to HTTPS on all the website url's and prevent MITM attacks + +Example + +.. sourcecode:: html + + Strict-Transport-Security: max-age=; includeSubDomains + Strict-Transport-Security: max-age=; preload + +To learn more check `this `_ + + +* `flask-talisman `_ +* `flask-sslify `_ +* `flask-secure-headers `_ + +`X-FRAME-OPTIONS `_ (Clickjacking protection) +------------------------------------------------------------------------------------------------------------------------- +Prevents the client clicking page elements outside of the website avoiding hijacking or UI redress attacks + + +.. 
sourcecode:: html + + X-Frame-Options: DENY + X-Frame-Options: SAMEORIGIN + X-Frame-Options: ALLOW-FROM https://example.com/ + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-secure-headers `_ + +`X-Content-Type-Options `_ +------------------------------------------------------------------------------------------------------------- + +Prevents XSS by blocking requests on clients and forcing then to read the content type instead of first opening it. + +.. sourcecode:: html + + X-Content-Type-Options: nosniff + +To learn more check `this `_ + + +* `flask-talisman `_ +* `flask-secure-headers `_ + +`Cookie options `_ +---------------------------------------------------------------------------------------------------------- + +For setting cookies on client-side storage + +Example + +.. sourcecode:: html + + Set-Cookie: [cookie-name]=[cookie-value] + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-secure-headers `_ + +`HTTP Public Key Pinning `_ (HPKP) +------------------------------------------------------------------------------------------------------- + +For associating clients with web servers throught a certificate key and prevent MITM attacks + +Example + +.. sourcecode:: html + + Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] + +To learn more check `this `_ + +* `flask-talisman `_ +* `flask-secure-headers `_ + +References: +----------- + +* https://docs.djangoproject.com/en/1.11/topics/security/ +* https://blog.appcanary.com/2017/http-security-headers.html +* https://developer.mozilla.org +* https://csp.withgoogle.com/docs/index.html
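Review bot: the HSTS section misdescribes the header and its example is incomplete: `Strict-Transport-Security` does not redirect HTTP to HTTPS, it tells a browser that has already reached the site over HTTPS to refuse plain HTTP for `max-age` seconds, so the server-side redirect (which flask-sslify performs) is still required, and the two example lines `Strict-Transport-Security: max-age=; includeSubDomains` and `Strict-Transport-Security: max-age=; preload` leave `max-age` empty and split directives that belong in one header; suggest a single line such as `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`, with a note that `preload` only has an effect once the domain has been submitted to the browser preload list. Several other descriptions in the same hunk are inaccurate and should be reworded before merging: CSP mitigates XSS and content injection but not MITM (that is what HTTPS and HSTS are for); `X-Frame-Options` does not stop the user clicking elements outside the website, it stops other origins from framing the page, and `ALLOW-FROM` is not honoured by every browser, so the CSP `frame-ancestors` directive should be named as the replacement; `X-Content-Type-Options: nosniff` stops the browser MIME-sniffing a response into a type the server did not declare (which closes some XSS vectors), it does not block requests, and "forcing then to read" is a typo for "them". The cookie section's only example, `Set-Cookie: [cookie-name]=[cookie-value]`, shows none of the attributes the section exists to recommend; show `Secure` and `HttpOnly` and point at the `secure=True` and `httponly=True` arguments of Flask's `Response.set_cookie`. HPKP is recommended without any warning that a wrong or lost pin locks users out of the site until `max-age` expires; that caveat belongs next to the example. On structure: every subsection uses the same `---` underline as "Security Headers", so the per-header sections render as siblings rather than children, and heading text with embedded link markup will not render cleanly, so move the links into the body; the sentences "For implementing HTTPS on your server" and "This sections contains sections headers supported by Flask" are incomplete or ungrammatical (these headers are browser features, not something Flask supports); the "References:" heading should drop the colon; and `.. sourcecode:: html` on blocks that contain HTTP header lines should be `.. sourcecode:: http` (or `text`), since the content is not HTML.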