Talisman is a small Flask extension that handles setting HTTP headers that can
help protect against a few common web application security issues.
.
The default configuration:
.
* Forces all connections to HTTPS (by redirect), unless running with debug enabled.
* Enables HTTP Strict Transport Security.
* Sets Flask's session cookie to secure, so browsers will only send it over
HTTPS and never over a plaintext connection, even if your application is
somehow accessed via one.
* Sets Flask's session cookie to httponly, preventing JavaScript from being
able to access its content. CSRF via Ajax uses a separate cookie and should
be unaffected.
* Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
* Sets X-XSS-Protection to enable a cross site scripting filter for IE and
Safari (note Chrome has removed this and Firefox never supported it).
* Sets X-Content-Type-Options to prevent content type sniffing.
* Sets a strict Content Security Policy of default-src 'self'. This is
intended to almost completely prevent Cross Site Scripting (XSS) attacks,
but it also blocks inline scripts and styles and any third-party resources,
so this is probably the only setting that you should reasonably change. See
the Content Security Policy section.
* Sets a strict Referrer-Policy of strict-origin-when-cross-origin that
governs which referrer information should be included with requests made.
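The list above describes the headers Talisman emits by default; the quickest way to confirm that a deployment (including any proxy in front of it) actually delivers them is to audit a response. The following is an added example, not code from Talisman or Flask: a standard-library-only checker that compares a response's headers against the defaults listed here. The sample header sets are constructed, the one-year HSTS threshold is this example's choice, and the checker assumes the session cookie is named `session` (Flask's default).

```python
"""Audit a response's security headers against the Talisman defaults listed
above. Added example using only the standard library; the header values in
HARDENED and WEAK are constructed samples, not output captured from Talisman."""
from http.cookies import SimpleCookie

# Exact values expected from the default-configuration list above.
EXPECTED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000  # example's own minimum for HSTS max-age, in seconds


def parse_csp(value):
    """Return {directive: [sources]} for a Content-Security-Policy string."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers):
    """Return a list of findings; an empty list means the defaults are present."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    for name, want in EXPECTED.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        default = policy.get("default-src")
        if default is None:
            findings.append("CSP has no default-src fallback")
        elif "*" in default or "'unsafe-inline'" in default:
            findings.append(f"CSP default-src is permissive: {' '.join(default)}")
        # script-src falls back to default-src when absent
        if "'unsafe-inline'" in policy.get("script-src", default or []):
            findings.append("CSP allows inline scripts, which defeats XSS protection")

    # A dict holds one Set-Cookie value; a real client exposes one per cookie.
    set_cookie = h.get("set-cookie")
    if set_cookie:
        jar = SimpleCookie()
        jar.load(set_cookie)
        morsel = jar.get("session")  # Flask's default session cookie name
        if morsel is not None:
            if not morsel["secure"]:
                findings.append("session cookie lacks Secure")
            if not morsel["httponly"]:
                findings.append("session cookie lacks HttpOnly")
    return findings


# Constructed sample: what the defaults above look like on the wire.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; Path=/",
}

# Constructed sample: a loosened CSP, short HSTS, missing headers, weak cookie.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_headers(sample) or "OK")
```

Run it against a real response by building the dict from `requests` or Flask's test client headers; with the defaults above the hardened sample yields no findings, while the weak one reports seven. Loosening CSP is the one change the list above calls reasonable, and the checker is deliberately strict about `'unsafe-inline'` in `script-src` because that single source undoes most of what `default-src 'self'` buys.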
Installed Size: 81.9 kB
Architectures: all