{ "info": { "author": "Jon Wayne Parrott", "author_email": "jonwayne@google.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Operating System :: MacOS", "Operating System :: POSIX", "Operating System :: Unix", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Topic :: Software Development :: Libraries :: Python Modules" ], "description": "Talisman: HTTP security headers for Flask\r\n=========================================\r\n\r\n|Build Status| |Coverage Status| |PyPI Version|\r\n\r\nTalisman is a small Flask extension that handles setting HTTP headers\r\nthat can help protect against a few common web application security\r\nissues.\r\n\r\nThe default configuration:\r\n\r\n- Forces all connects to ``https``, unless running with debug enabled.\r\n- Enables `HTTP Strict Transport\r\n Security `__.\r\n- Enables HSTS preloading. If you register your application with\r\n `Google's HSTS preload list `__,\r\n Firefox and Chrome will never load your site over a non-secure\r\n connection.\r\n- Sets Flask's session cookie to ``secure``, so it will never be set if\r\n you application is somehow accessed via a non-secure connection.\r\n- Sets Flask's session cookie to ``httponly``, preventing JavaScript\r\n from being able to access its content. CSRF via Ajax uses a separate\r\n cookie and should be unaffected.\r\n- Sets\r\n `X-Frame-Options `__\r\n to ``SAMEORIGIN`` to avoid\r\n `clickjacking `__.\r\n- Sets a strict `Content Security\r\n Policy `__\r\n of ``default-src: 'self'``. This is intended to almost completely\r\n prevent Cross Site Scripting (XSS) attacks. This is probably the only\r\n setting that you should reasonably change. See the `section\r\n below <#content-security-policy>`__ on configuring this.\r\n\r\nIn addition to Talisman, you **should always use a cross-site request\r\nforgery (CSRF) library**. I highly recommend\r\n`Flask-SeaSurf `__,\r\nwhich is based on Django's excellent library.\r\n\r\nInstallation & Basic Usage\r\n--------------------------\r\n\r\nInstall via `pip `__:\r\n\r\n::\r\n\r\n pip install talisman\r\n\r\n\r\n.. code:: python\r\n\r\n from flask import Flask\r\n from talisman import Talisman\r\n\r\n app = Flask(__name__)\r\n Talisman(app)\r\n\r\n\r\nThere is also a full `Example App `__.\r\n\r\nOptions\r\n-------\r\n\r\n- ``force_https``, default ``True``, forces all non-debug connects to\r\n ``https``.\r\n- ``force_https_permanent``, default ``False``, uses ``301`` instead of\r\n ``302`` for ``https`` redirects.\r\n- ``frame_options``, default ``SAMEORIGIN``, can be ``SAMEORIGIN``,\r\n ``DENY``, or ``ALLOWFROM``.\r\n- ``frame_options_allow_from``, default ``None``, a string indicating\r\n the domains that arrow allowed to embed the site via iframe.\r\n- ``strict_transport_security``, default ``True``, whether to send HSTS\r\n headers.\r\n- ``strict_transport_security_max_age``, default ``ONE_YEAR_IN_SECS``,\r\n length of time the browser will respect the HSTS header.\r\n- ``strict_transport_security_include_subdomains``, default ``True``,\r\n whether subdomains should also use HSTS.\r\n- ``content_security_policy``, default ``default-src: 'self'``, see the\r\n `section below <#content-security-policy>`__.\r\n- ``session_cookie_secure``, default ``True``, set the session cookie\r\n to ``secure``, preventing it from being sent over plain ``http``.\r\n- ``session_cookie_http_only``, default ``True``, set the session\r\n cookie to ``httponly``, preventing it from being read by JavaScript.\r\n\r\nPer-view options\r\n~~~~~~~~~~~~~~~~\r\n\r\nSometimes you want to change the policy for a specific view. The\r\n``frame_options``, ``frame_options_allow_from``, and\r\n``content_security_policy`` options can be changed on a per-view basis.\r\n\r\n.. code:: python\r\n\r\n from flask import Flask\r\n from talisman import Talisman, ALLOW_FROM\r\n\r\n app = Flask(__name__)\r\n talisman = Talisman(app)\r\n\r\n @app.route('/normal')\r\n def normal():\r\n return 'Normal'\r\n\r\n @app.route('/embeddable')\r\n @talisman(frame_options=ALLOW_FROM, frame_options_allow_from='*')\r\n def embeddable():\r\n return 'Embeddable'\r\n\r\nContent Security Policy\r\n-----------------------\r\n\r\nThe default content security policy is extremely strict, and will\r\nprevent loading any resources that are not in the same domain as the\r\napplication.\r\n\r\nA slightly more permissive policy is available at\r\n``talisman.GOOGLE_CSP_POLICY``, which allows loading Google-hosted JS\r\nlibraries, fonts, and embeding media from YouTube and Maps.\r\n\r\nYou can and should create your own policy to suit your site's needs.\r\nHere's a few examples adapted from\r\n`MDN `__:\r\n\r\nExample 1\r\n~~~~~~~~~\r\n\r\nThis is the default policy. A web site administrator wants all content\r\nto come from the site's own origin (this excludes subdomains.)\r\n\r\n.. code:: python\r\n\r\n csp = {\r\n 'default-src': '\\'self\\''\r\n }\r\n\r\nExample 2\r\n~~~~~~~~~\r\n\r\nA web site administrator wants to allow content from a trusted domain\r\nand all its subdomains (it doesn't have to be the same domain that the\r\nCSP is set on.)\r\n\r\n.. code:: python\r\n\r\n csp = {\r\n 'default-src': [\r\n '\\'self\\'',\r\n '*.trusted.com'\r\n ]\r\n }\r\n\r\nExample 3\r\n~~~~~~~~~\r\n\r\nA web site administrator wants to allow users of a web application to\r\ninclude images from any origin in their own content, but to restrict\r\naudio or video media to trusted providers, and all scripts only to a\r\nspecific server that hosts trusted code.\r\n\r\n.. code:: python\r\n\r\n csp = {\r\n 'default-src': '\\'self\\'',\r\n 'image-src': '*',\r\n 'media-src': [\r\n 'media1.com',\r\n 'media2.com',\r\n ],\r\n 'script-src': 'userscripts.example.com'\r\n }\r\n\r\nHere, by default, content is only permitted from the document's origin,\r\nwith the following exceptions:\r\n\r\n- Images may loaded from anywhere (note the ``*`` wildcard).\r\n- Media is only allowed from media1.com and media2.com (and not from\r\n subdomains of those sites).\r\n- Executable script is only allowed from userscripts.example.com.\r\n\r\nExample 4\r\n~~~~~~~~~\r\n\r\nA web site administrator for an online banking site wants to ensure that\r\nall its content is loaded using SSL, in order to prevent attackers from\r\neavesdropping on requests.\r\n\r\n.. code:: python\r\n\r\n csp = {\r\n 'default-src': 'https://onlinebanking.jumbobank.com'\r\n }\r\n\r\nThe server only permits access to documents being loaded specifically\r\nover HTTPS through the single origin onlinebanking.jumbobank.com.\r\n\r\nExample 5\r\n~~~~~~~~~\r\n\r\nA web site administrator of a web mail site wants to allow HTML in\r\nemail, as well as images loaded from anywhere, but not JavaScript or\r\nother potentially dangerous content.\r\n\r\n.. code:: python\r\n\r\n csp = {\r\n 'default-src': [\r\n '\\'self\\'',\r\n '*.mailsite.com',\r\n ],\r\n 'img-src': '*'\r\n }\r\n\r\nNote that this example doesn't specify a ``script-src``; with the\r\nexample CSP, this site uses the setting specified by the ``default-src``\r\ndirective, which means that scripts can be loaded only from the\r\noriginating server.\r\n\r\nDisclaimer\r\n----------\r\n\r\nThis is not an official Google product, experimental or otherwise.\r\n\r\nThere is no silver bullet for web application security. Talisman can\r\nhelp, but security is more than just setting a few headers. Any\r\npublic-facing web application should have a comprehensive approach to\r\nsecurity.\r\n\r\n\r\nContributing changes\r\n--------------------\r\n\r\n- See `CONTRIBUTING.md`_\r\n\r\nLicensing\r\n---------\r\n\r\n- Apache 2.0 - See `LICENSE`_\r\n\r\n.. _LICENSE: https://github.com/GoogleCloudPlatform/flask-talisman/blob/master/LICENSE\r\n.. _CONTRIBUTING.md: https://github.com/GoogleCloudPlatform/flask-talisman/blob/master/CONTRIBUTING.md\r\n.. |Build Status| image:: https://travis-ci.org/GoogleCloudPlatform/flask-talisman.svg\r\n :target: https://travis-ci.org/GoogleCloudPlatform/flask-talisman\r\n.. |Coverage Status| image:: https://coveralls.io/repos/GoogleCloudPlatform/flask-talisman/badge.svg\r\n :target: https://coveralls.io/r/GoogleCloudPlatform/flask-talisman\r\n.. |PyPI Version| image:: https://img.shields.io/pypi/v/talisman.svg\r\n :target: https://pypi.python.org/pypi/talisman", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/GoogleCloudPlatform/flask-talisman", "keywords": "flask security https xss", "license": "Apache Software License", "maintainer": "", "maintainer_email": "", "name": "talisman", "package_url": "https://pypi.org/project/talisman/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/talisman/", "project_urls": { "Homepage": "https://github.com/GoogleCloudPlatform/flask-talisman" }, "release_url": "https://pypi.org/project/talisman/0.1.0/", "requires_dist": null, "requires_python": null, "summary": "HTTP security headers for Flask.", "version": "0.1.0" }, "last_serial": 4027662, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "32531275bf5d204d71175c60470c6046", "sha256": "0128ea74b31827a67a4d6e0eb842066193c60f4f90675ec3a64850000a3a3402" }, "downloads": -1, "filename": "talisman-0.1.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "32531275bf5d204d71175c60470c6046", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 13174, "upload_time": "2015-11-13T18:19:06", "url": "https://files.pythonhosted.org/packages/69/f9/1d0d75804f4eb5a6d0f3b9d46f4248f403fa7dc4e72060bda4b0ef65614d/talisman-0.1.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "a6c0a401ee46d8fb603a9b7c3f571313", "sha256": "bd394d0f2d7926a838acaa066457c20878e31f2aaf539f5c5529ded1887b3fa8" }, "downloads": -1, "filename": "talisman-0.1.0.tar.gz", "has_sig": false, "md5_digest": "a6c0a401ee46d8fb603a9b7c3f571313", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10123, "upload_time": "2015-11-13T18:19:15", "url": "https://files.pythonhosted.org/packages/28/36/9e956917b35eca994d24f5e1d53444369df8144d4e35bc69aceaa2aeb668/talisman-0.1.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "32531275bf5d204d71175c60470c6046", "sha256": "0128ea74b31827a67a4d6e0eb842066193c60f4f90675ec3a64850000a3a3402" }, "downloads": -1, "filename": "talisman-0.1.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "32531275bf5d204d71175c60470c6046", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 13174, "upload_time": "2015-11-13T18:19:06", "url": "https://files.pythonhosted.org/packages/69/f9/1d0d75804f4eb5a6d0f3b9d46f4248f403fa7dc4e72060bda4b0ef65614d/talisman-0.1.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "a6c0a401ee46d8fb603a9b7c3f571313", "sha256": "bd394d0f2d7926a838acaa066457c20878e31f2aaf539f5c5529ded1887b3fa8" }, "downloads": -1, "filename": "talisman-0.1.0.tar.gz", "has_sig": false, "md5_digest": "a6c0a401ee46d8fb603a9b7c3f571313", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10123, "upload_time": "2015-11-13T18:19:15", "url": "https://files.pythonhosted.org/packages/28/36/9e956917b35eca994d24f5e1d53444369df8144d4e35bc69aceaa2aeb668/talisman-0.1.0.tar.gz" } ] }