Add security enhancements. See: https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications

2024-11-14 16:55:42 +00:00 · 2020-06-02 16:51:08 +02:00 · 2020-06-02 16:51:08 +02:00 · 4ac4fcb4ff
commit 4ac4fcb4ff
parent 9f62e782f0
4 changed files with 16 additions and 7 deletions
--- a/app/init.py
+++ b/app/init.py
@ -2,6 +2,7 @@ from config import config
 from flask import Flask
 from flask_login import LoginManager
 from flask_mail import Mail
+from flask_paranoid import Paranoid
 from flask_socketio import SocketIO
 from flask_sqlalchemy import SQLAlchemy
 import logging
@ -12,6 +13,8 @@ logger = logging.getLogger(__name__)
 login_manager = LoginManager()
 login_manager.login_view = 'auth.login'
 mail = Mail()
+paranoid = Paranoid()
+paranoid.redirect_view = '/'
 socketio = SocketIO()


@ -23,6 +26,7 @@ def create_app(config_name):
    db.init_app(app)
    login_manager.init_app(app)
    mail.init_app(app)
+    paranoid.init_app(app)
    socketio.init_app(app, message_queue='redis://redis:6379/')

    from . import events
--- a/config.py
+++ b/config.py
@ -6,6 +6,11 @@ import logging
 class Config:
    ''' ### Flask ### '''
    SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'
+    SESSION_COOKIE_SECURE = True
+
+    ''' ### Flask-Login ### '''
+    REMEMBER_COOKIE_HTTPONLY = True
+    REMEMBER_COOKIE_SECURE = True

    ''' ### Flask-Mail ### '''
    MAIL_SERVER = os.environ.get('MAIL_SERVER')
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -27,17 +27,16 @@ services:
      - "traefik.http.routers.nopaque.rule=Host(`nopaque.localhost`)"  # Change this to match your nopaque domain
      ### </http> ###
      ### <https> ###
-      - "traefik.http.middlewares.nopaquesecure-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.routers.nopaquesecure.entrypoints=websecure"
-      - "traefik.http.routers.nopaquesecure.middlewares=nopaquesecure-headers"
-      - "traefik.http.routers.nopaquesecure.rule=Host(`nopaque.localhost`)"  # Change this to match your nopaque domain
-      - "traefik.http.routers.nopaquesecure.tls=true"
+      - "traefik.http.middlewares.nopaque-secure-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.nopaque-secure.entrypoints=web-secure"
+      - "traefik.http.routers.nopaque-secure.middlewares=nopaque-secure-headers"
+      - "traefik.http.routers.nopaque-secure.rule=Host(`nopaque.localhost`)"  # Change this to match your nopaque domain
+      - "traefik.http.routers.nopaque-secure.tls=true"
      ### </https> ###
      ### <basicauth help="https://docs.traefik.io/middlewares/basicauth/"> ###
      # - "traefik.http.middlewares.nopaque-basicauth.basicauth.users=name:hashed-password"
      # - "traefik.http.routers.nopaque.middlewares=nopaque-basicauth, nopaque-headers, nopaque-redirectscheme"
-      # - "traefik.http.middlewares.nopaquesecure-basicauth.basicauth.users=name:hashed-password"
-      # - "traefik.http.routers.nopaquesecure.middlewares=nopaquesecure-basicauth, nopaquesecure-headers"
+      # - "traefik.http.routers.nopaque-secure.middlewares=nopaque-basicauth, nopaquesecure-headers"
      ### </basicauth> ###
    networks:
      - default
--- a/requirements.txt
+++ b/requirements.txt
@ -5,6 +5,7 @@ Flask
 Flask-Login
 Flask-Mail
 Flask-Migrate
+Flask-Paranoid
 Flask-SocketIO
 Flask-SQLAlchemy
 Flask-Table