Package: python3-flask-talisman (1.1.0-2)

HTTP security headers for Flask

Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues.

The default configuration:

 * Forces all connects to https, unless running with debug enabled.
 * Enables HTTP Strict Transport Security.
 * Sets Flask's session cookie to secure, so it will never be set if your
   application is somehow accessed via a non-secure connection.
 * Sets Flask's session cookie to httponly, preventing JavaScript from being
   able to access its content. CSRF via Ajax uses a separate cookie and should
   be unaffected.
 * Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
 * Sets X-XSS-Protection to enable a cross site scripting filter for IE and
   Safari (note Chrome has removed this and Firefox never supported it).
 * Sets X-Content-Type-Options to prevent content type sniffing.
 * Sets a strict Content Security Policy of default-src: 'self'. This is
   intended to almost completely prevent Cross Site Scripting (XSS) attacks.
   This is probably the only setting that you should reasonably change. See
   the Content Security Policy section.
 * Sets a strict Referrer-Policy of strict-origin-when-cross-origin that
   governs which referrer information should be included with requests made.

This page is also available in the following languages (How to set the default document language):