out option in docs to security group and add reason for using it

Signed-off-by: Nicolas Höning <nicolas@seita.nl>
FlexMeasures · Dec 11, 2023 · 0e3103b · 0e3103b
1 parent fa345ca
commit 0e3103b
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/documentation/configuration.rst b/documentation/configuration.rst
@@ -235,12 +235,6 @@ FLEXMEASURES_JS_VERSIONS
 
 Default: ``{"vega": "5.22.1", "vegaembed": "6.20.8", "vegalite": "5.2.0"}``
 
-FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-When ``FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY`` is set to ``True``, the ``<meta>`` tag with the ``Content-Security-Policy`` directive, specifically ``upgrade-insecure-requests``, is included in the HTML head. This directive instructs the browser to upgrade insecure requests from ``http`` to ``https``, promoting a more secure browsing experience.
-
-Default: ``False``
 
 Timing
 ------
@@ -390,7 +384,9 @@ You can use this setting to overwrite that URI and point the tests to an (empty)
 Security
 --------
 
-This is only a selection of the most important settings.
+Settings to ensure secure handling of credentials and data.
+
+For Flask-Security and Flask-Cors (setting names start with "SECURITY" or "CORS"), this is only a selection of the most important settings.
 See `the Flask-Security Docs <https://flask-security-too.readthedocs.io/en/stable/configuration.html>`_ as well as the `Flask-CORS docs <https://flask-cors.readthedocs.io/en/latest/configuration.html>`_ for all possibilities.
 
 SECRET_KEY (**)
@@ -459,6 +455,13 @@ Allows users to make authenticated requests. If true, injects the Access-Control
 Default: ``True``
 
 
+FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When ``FLEXMEASURES_ENFORCE_SECURE_CONTENT_POLICY`` is set to ``True``, the ``<meta>`` tag with the ``Content-Security-Policy`` directive, specifically ``upgrade-insecure-requests``, is included in the HTML head. This directive instructs the browser to upgrade insecure requests from ``http`` to ``https``. One example of a use case for this is if you have a load balancer in front of FlexMeasures, which is secured with a certificate and only accepts https.
+
+Default: ``False``
+
 
 .. _mail-config:
 

diff --git a/requirements/3.10/app.txt b/requirements/3.10/app.txt
@@ -327,7 +327,9 @@ tabulate==0.9.0
 threadpoolctl==3.2.0
     # via scikit-learn
 timely-beliefs[forecast]==1.22.0
-    # via -r requirements/app.in
+    # via
+    #   -r requirements/app.in
+    #   timely-beliefs
 timetomodel==0.7.3
     # via -r requirements/app.in
 tldextract==3.5.0

diff --git a/requirements/3.10/test.txt b/requirements/3.10/test.txt
@@ -21,7 +21,9 @@ click==8.1.7
     #   -c requirements/3.10/app.txt
     #   flask
 coverage[toml]==7.3.1
-    # via pytest-cov
+    # via
+    #   coverage
+    #   pytest-cov
 exceptiongroup==1.1.3
     # via pytest
 fakeredis==2.18.1