Security is extremely important when working with apps on the internet. Below we consider some ways of making our Flask applications more secure. We will be following along with [IBM Labs](https://labs.cognitiveclass.ai/v2/tools/cloud-ide-kubernetes?ulid=ulid-adcd5106c64d2cc2f9811588d46d9c7a82f7b4df).

## Talisman

### Don't
This application simply sends back a static HTML page called index.html from the root (`/`) URL, with no security headers at all.

```python
from flask import Flask

app = Flask(__name__)

@app.route('/', methods=['GET'])
def index():
    """Base URL for our service"""
    return app.send_static_file("index.html")
```

### Do

```python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
# Create a content security policy and apply it
csp = {
    'default-src': '\'self\''
}
talisman = Talisman(app, content_security_policy=csp)

@app.route('/', methods=['GET'])
def index():
    """Base URL for our service"""
    return app.send_static_file("index.html")
```

This version of the application uses `Flask-Talisman` to add security headers, including a `Content-Security-Policy` that rejects loading content from other sites.

If someone attempts a script injection attack that tries to load content from outside of the original Web site, the browser blocks it under this policy. The trade-off is that with `default-src 'self'` alone you cannot have things like libraries, images, and fonts on your Web site that are loaded from other sites; each such source would have to be added to the policy explicitly.

Talisman also ensures that your domain uses HTTPS instead of HTTP.

## Cross Origin Resource Sharing (CORS)
CORS works by blocking all cross-origin requests from origins that are not specifically allowed to have access to a given resource.

### Do

```python
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)

# Enable Cross Origin Resource Sharing (CORS) policies:
# only a front end served from http://localhost:3000 may read our responses
CORS(app, resources={"/*": {"origins": "http://localhost:3000"}})
```
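The two protections above both come down to response headers. The following added example (not code from the IBM lab or from the Talisman/Flask-CORS projects) is a small, dependency-free checker a practitioner could point at captured responses to confirm the CSP really is `'self'`-only, that HSTS is present, and that the CORS allow-list decision only echoes origins that are on the list; the `UNPROTECTED` and `PROTECTED` header sets are constructed samples, not captured from the lab app.

```python
"""Audit the response headers a Talisman/CORS-protected Flask app should send."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_restricts_to_self(header: str) -> bool:
    """True only when default-src allows nothing but 'self' (the policy above)."""
    return parse_csp(header).get("default-src") == ["'self'"]


def cors_allow_origin(request_origin: Optional[str], allowed: List[str]) -> Optional[str]:
    """Mirror the allow-list decision: echo the Origin only when it is allowed.

    The browser enforces CORS by withholding the response from the page when
    Access-Control-Allow-Origin is absent; the server still handles the request,
    so CORS is not a substitute for authentication."""
    return request_origin if request_origin in allowed else None


def audit(headers: Dict[str, str]) -> Dict[str, bool]:
    """Report which of the protections discussed above a response carries."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "csp_self_only": csp_restricts_to_self(h.get("content-security-policy", "")),
        "hsts": "strict-transport-security" in h,
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
    }


# Constructed sample headers: a bare Flask response vs. one hardened as above.
UNPROTECTED = {"Content-Type": "text/html"}
PROTECTED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print("unprotected:", audit(UNPROTECTED))
    print("protected:  ", audit(PROTECTED))
    print("origin check:", cors_allow_origin("http://localhost:3000", ["http://localhost:3000"]))
```

Feed `audit()` the header dict from a real response (for example `dict(client.get("/").headers)` from Flask's test client) to verify a deployment rather than the constructed samples.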