diff --git a/docs/security.rst b/docs/security.rst index b6c234b6..120600cc 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -105,49 +105,33 @@ vulnerabilities this behavior was changed and :func:`~flask.jsonify` now supports serializing arrays. - -SSL/HTTPS ---------- - -For implementing HTTPS on your server. - -Below are some packages that implement this protocol: - -* `flask-talisman `_ -* `flask-sslify `_ -* `flask-secure-headers `_ - Security Headers ---------------- -This section contains a list of headers supported by Flask and some packages that implements them. +This section contains a list of headers supported by Flask. +To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman `. Content Security Policy (CSP) ------------------------------------------------------------------------------ +----------------------------- Enhance security and prevents common web vulnerabilities such as cross-site scripting and MITM related attacks. Example: -.. sourcecode:: html +.. sourcecode:: none Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none' - See also `Content Security Policy `_. -* `flask-talisman `_ -* `flask-csp `_ -* `flask-secure-headers `_ - HTTP Strict Transport Security (HSTS) ------------------------------------------------------------------------------------------------------------------------------- +------------------------------------- Redirects http requests to https on all urls, preventing MITM attacks. Example: -.. sourcecode:: html +.. sourcecode:: none Strict-Transport-Security: max-age=; includeSubDomains @@ -155,16 +139,12 @@ Example: See also `Strict Transport Security `_. -* `flask-talisman `_ -* `flask-sslify `_ -* `flask-secure-headers `_ - X-FRAME-OPTIONS (Clickjacking protection) -------------------------------------------------------------------------------------------------------------------------- +----------------------------------------- Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks. -.. sourcecode:: html +.. sourcecode:: none X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN @@ -172,59 +152,39 @@ Prevents the client from clicking page elements outside of the website, avoiding See also `X-Frame-Options `_. -* `flask-talisman `_ -* `flask-secure-headers `_ - X-Content-Type-Options -------------------------------------------------------------------------------------------------------------- +---------------------- Prevents XSS by blocking requests on clients and forcing them to read the content type instead of first opening it. -.. sourcecode:: html +.. sourcecode:: none X-Content-Type-Options: nosniff See also `X-Content-Type-Options `_. -* `flask-talisman `_ -* `flask-secure-headers `_ - Cookie options ----------------------------------------------------------------------------------------------------------- +-------------- For setting cookies on client-side storage. Example: -.. sourcecode:: html +.. sourcecode:: none Set-Cookie: [cookie-name]=[cookie-value] See also `HTTP cookies `_ . -* `flask-talisman `_ -* `flask-secure-headers `_ - HTTP Public Key Pinning (HPKP) -------------------------------------------------------------------------------------------------------- +------------------------------ For associating clients with web servers through a certificate key and prevent MITM attacks. Example: -.. sourcecode:: html +.. sourcecode:: none Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] See also `Public Key Pinning `_. - -* `flask-talisman `_ -* `flask-secure-headers `_ - -References ------------ - -* https://docs.djangoproject.com/en/1.11/topics/security/ -* https://blog.appcanary.com/2017/http-security-headers.html -* https://developer.mozilla.org -* https://csp.withgoogle.com/docs/index.html