Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge pull request #22 from Demindiro/security-fixes
  • Loading branch information
Demindiro committed Feb 1, 2023
2 parents 9b63006 + a372d7d commit 09f56bd
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 1 deletion.
4 changes: 3 additions & 1 deletion Makefile
Expand Up @@ -4,7 +4,7 @@ SQLITE = sqlite3

default: venv

test:: venv
test: venv
test/all.sh

venv:
Expand All @@ -13,3 +13,5 @@ venv:

forum.db:
$(SQLITE) $@ < schema.txt

.PHONY: test
12 changes: 12 additions & 0 deletions main.py
Expand Up @@ -14,6 +14,11 @@
app = Flask(__name__)
db = DB(os.getenv('DB'))

# This defaults to None, which allows CSRF attacks in FireFox
# and older versions of Chrome.
# 'Lax' is sufficient to prevent malicious POST requests.
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'

class Config:
pass
config = Config()
Expand All @@ -28,6 +33,13 @@ class Role:
MODERATOR = 1
ADMIN = 2

@app.after_request
def after_request(response):
# This forbids other sites from embedding this site in an iframe,
# preventing clickjacking attacks.
response.headers['X-Frame-Options'] = 'DENY'
return response

@app.route('/')
def index():
return render_template(
Expand Down

0 comments on commit 09f56bd

Please sign in to comment.