Security meta issue #208

sumanthratna · 2020-07-20T02:07:08Z

force HTTPS, HSTS, only use cookies on secure connections, disable cookie access from JS, ~~clickjacking prevention~~, XSS protection, CSP
- https://github.com/GoogleCloudPlatform/flask-talisman
- I think clickjacking prevention only works with sites that will never be embedded into an iframe
set CORS on every single page
- https://flask-cors.readthedocs.io/en/latest/
use CSRF for every single form (admin signup, admin login, user form)
- https://flask-seasurf.readthedocs.io/en/latest/
settings: SESSION_COOKIE_SECURE, SESSION_COOKIE_SAMESITE, PREFERRED_URL_SCHEME,

The text was updated successfully, but these errors were encountered:

rau · 2020-07-24T02:02:15Z

For CSRF, seasurf is no longer maintained - lets use Flask-WTF instead: https://flask-wtf.readthedocs.io/en/stable/csrf.html

sumanthratna added enhancement New feature or request priority To be addressed as soon as possible labels Jul 20, 2020

sumanthratna changed the title ~~CSRF and CORS~~ Security meta issue Jul 20, 2020

sumanthratna self-assigned this Jul 20, 2021

sumanthratna pinned this issue Jul 20, 2021

sumanthratna added a commit that referenced this issue Aug 1, 2021

Add CSRF protection

76f077b

#208

Provide feedback