Add secure headers using flask-talisman

2025-07-03 14:03:18 -04:00 · 2025-07-03 14:03:18 -04:00 · 3ca04816eb
parent ae66bf0193
commit 3ca04816eb
2 changed files with 49 additions and 1 deletions
--- a/docker/ploughshares/app.py
+++ b/docker/ploughshares/app.py
@ -6,6 +6,7 @@ from werkzeug.utils import secure_filename
 from datetime import datetime
 import locale
 import logging
+from flask_talisman import Talisman

 # Configure logging
 logging.basicConfig(
@ -35,6 +36,52 @@ app.secret_key = 'supersecretkey'
 app.config['UPLOAD_FOLDER'] = 'uploads'
 app.config['VERSION'] = VERSION

+# Configure security headers with Talisman
+csp = {
+    'default-src': "'none'",
+    'script-src': ["'self'", 
+                   "'sha256-ryQsJ+aghKKD/CeXgx8jtsnZT3Epp3EjIw8RyHIq544='", 
+                   "'sha256-anTkUs/oFZJulKUMaMjZlwaALEmPOP8op0psAo5Bhh8='", 
+                   "'sha256-BASkmAmg7eoYCMd6odA6kQ8yGsFnoxaX48WbQvMkehs='"],
+    'style-src': ["'self'", "'sha256-Mo+7o3oPEKpX7fqRvTtunvQHlIDhJ0SxAMG1PCNniCI='"],
+    'img-src': ["'self'", "data:"],
+    'font-src': ["'self'", "data:"],
+    'connect-src': "'self'",
+    'object-src': "'none'",
+    'frame-ancestors': "'none'",
+    'base-uri': "'none'",
+    'form-action': "'self'"
+}
+
+permissions_policy = {
+    'accelerometer': '()',
+    'camera': '()',
+    'geolocation': '()',
+    'gyroscope': '()',
+    'magnetometer': '()',
+    'microphone': '()',
+    'payment': '()',
+    'usb': '()'
+}
+
+# Initialize Talisman
+talisman = Talisman(
+    app,
+    content_security_policy=csp,
+    content_security_policy_nonce_in=['script-src'],
+    feature_policy=permissions_policy,
+    force_https=True,
+    force_https_permanent=True,
+    strict_transport_security=True,
+    strict_transport_security_preload=True,
+    strict_transport_security_max_age=31536000,
+    strict_transport_security_include_subdomains=True,
+    referrer_policy='strict-origin-when-cross-origin',
+    frame_options='DENY',
+    session_cookie_secure=True,
+    session_cookie_http_only=True
+)
+
 # Set locale for currency formatting
 try:
    locale.setlocale(locale.LC_ALL, 'en_US.UTF-8')
--- a/docker/ploughshares/requirements.txt
+++ b/docker/ploughshares/requirements.txt
@ -7,4 +7,5 @@ Werkzeug==3.1.0
 Jinja2==3.1.6
 MarkupSafe==2.1.3
 itsdangerous==2.2.0
-click==8.1.7 
+click==8.1.7
+flask-talisman==1.0.0