
Flask Security with Talisman

Last Updated : 24 Aug, 2023

Flask is a lightweight Python web framework used to build web applications. When building such an application it is important that its security is strong, and that is where Talisman comes in. Talisman is a Flask extension that adds HTTP security headers to a Flask application's responses with very little code, which helps protect the app against the common web attacks those headers are designed to stop.

Key Terminologies

Some key terms for working with Talisman are as follows:

  1. HTTP Security Headers: Response headers sent by the server to the client that instruct the browser to apply protections (for example which sources it may load content from, or that it must only use HTTPS), which helps defend the application against web attacks.
  2. Flask: A Python web framework used for developing web applications.
  3. Talisman: A Flask extension that adds HTTP security headers to every response of a Flask application.

Required Modules

pip install Flask
pip install Flask-Talisman

Steps to Create Flask Talisman Application

Step 1: Import Talisman

With both modules installed, the next step is to import Talisman into the Flask application and attach it to the app object, as shown below. Talisman(app) with no further arguments already applies its default set of headers; Step 2 customises them.

Python3

from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
talisman = Talisman(app)


Step 2: Configure Talisman

Now that Talisman is attached to the app, we configure the HTTP security headers it sends. Talisman takes its settings as keyword arguments when it is constructed, so the Talisman(app) line from Step 1 becomes the call below, which sets a Content Security Policy, HTTP Strict Transport Security and a few related options.

Python3

from flask_talisman import Talisman, ALLOW_FROM

# Content Security Policy (CSP) Header
csp = {
    'default-src': [
        '\'self\'',
        'https://code.jquery.com',
        'https://cdn.jsdelivr.net'
    ],
    # Modern browsers ignore X-Frame-Options: ALLOW-FROM, so the allowed
    # framing origins are also stated with the CSP frame-ancestors directive.
    'frame-ancestors': ['\'self\'', 'https://www.google.com']
}

# Talisman reads its settings as constructor keyword arguments, so pass them
# here (this replaces the plain Talisman(app) call from Step 1). Assigning
# attributes on the instance afterwards is not the documented API and some
# settings (the session cookie flags, applied when the app is initialised)
# would not take effect; the HSTS settings are separate arguments, not a dict.
talisman = Talisman(
    app,
    content_security_policy=csp,
    # HTTP Strict Transport Security (HSTS) Header
    strict_transport_security=True,
    strict_transport_security_max_age=31536000,  # one year, in seconds
    strict_transport_security_include_subdomains=True,
    # Enforce HTTPS and other headers
    force_https=True,               # redirect plain-HTTP requests to HTTPS
    force_file_save=True,           # X-Download-Options: noopen
    x_xss_protection=True,          # legacy header; current browsers ignore it
    session_cookie_secure=True,     # Secure flag on the Flask session cookie
    session_cookie_samesite='Lax',
    frame_options=ALLOW_FROM,       # X-Frame-Options: ALLOW-FROM <origin>
    frame_options_allow_from='https://www.google.com',
)


Step 3: Run the Flask Application

Now run the Flask application and verify the headers in the browser. The browser's Developer Tools can be used to inspect the HTTP security headers: in Google Chrome, open the Developer Tools, select the Network tab, click on a request and look at its Response Headers. Note that force_https redirects plain HTTP requests to HTTPS, and the Flask development server does not serve TLS by default; for local testing either run the app with debug=True (Talisman does not force HTTPS in debug mode) or run it with ssl_context='adhoc', which needs an extra TLS dependency.
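The Developer Tools check above can also be done programmatically. The following is an added example, not code from the original article or from Flask-Talisman: it audits a mapping of response headers (for example the headers returned by Flask's test client, or copied from the Network tab) against the policy this article configures, and goes slightly beyond it by also flagging weak CSP source values and a missing nosniff header. The two header sets at the bottom are constructed here for illustration.

```python
# Added example, not from the original article: audit a response's security
# headers programmatically. `headers` is any mapping of header name -> value.
def parse_csp(value):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for directive in value.split(';'):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def parse_hsts(value):
    """'max-age=31536000; includeSubDomains' -> (31536000, True)"""
    tokens = [t.strip().lower() for t in value.split(';')]
    ages = [int(t[len('max-age='):]) for t in tokens if t.startswith('max-age=')]
    return (ages[0] if ages else None), 'includesubdomains' in tokens

def audit_security_headers(headers, min_hsts_age=31536000):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if 'content-security-policy' not in h:
        findings.append('missing Content-Security-Policy')
    else:
        default = parse_csp(h['content-security-policy']).get('default-src', [])
        if not default or '*' in default or "'unsafe-inline'" in default:
            findings.append('weak CSP default-src: %r' % default)
    if 'strict-transport-security' not in h:
        findings.append('missing Strict-Transport-Security')
    else:
        age, subdomains = parse_hsts(h['strict-transport-security'])
        if age is None or age < min_hsts_age:
            findings.append('HSTS max-age below %d' % min_hsts_age)
        if not subdomains:
            findings.append('HSTS lacks includeSubDomains')
    if h.get('x-frame-options', '').upper() not in ('DENY', 'SAMEORIGIN'):
        findings.append('X-Frame-Options missing or not DENY/SAMEORIGIN')
    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options is not nosniff')
    return findings

# Constructed samples: what Talisman sends with the article's CSP and HSTS
# settings and its default X-Frame-Options, and what a bare Flask app sends.
TALISMAN_HEADERS = {
    'Content-Security-Policy': "default-src 'self' https://code.jquery.com https://cdn.jsdelivr.net",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-Content-Type-Options': 'nosniff',
}
BARE_HEADERS = {'Content-Type': 'text/html; charset=utf-8'}
```

Calling audit_security_headers(TALISMAN_HEADERS) returns an empty list, while the bare app produces four findings; with the Flask test client, pass app.test_client().get('/').headers to the same function.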

Complete Code :

Python3

from flask import Flask
from flask_talisman import Talisman, ALLOW_FROM

app = Flask(__name__)

# Content Security Policy (CSP) Header
csp = {
    'default-src': [
        '\'self\'',
        'https://code.jquery.com',
        'https://cdn.jsdelivr.net'
    ],
    # Modern browsers ignore X-Frame-Options: ALLOW-FROM, so the allowed
    # framing origins are also stated with the CSP frame-ancestors directive.
    'frame-ancestors': ['\'self\'', 'https://www.google.com']
}

# Talisman takes its settings as constructor keyword arguments; the HSTS
# settings are individual arguments rather than a dict.
talisman = Talisman(
    app,
    content_security_policy=csp,
    # HTTP Strict Transport Security (HSTS) Header
    strict_transport_security=True,
    strict_transport_security_max_age=31536000,  # one year, in seconds
    strict_transport_security_include_subdomains=True,
    # Enforce HTTPS and other headers
    force_https=True,               # redirect plain-HTTP requests to HTTPS
    force_file_save=True,           # X-Download-Options: noopen
    x_xss_protection=True,          # legacy header; current browsers ignore it
    session_cookie_secure=True,     # Secure flag on the Flask session cookie
    session_cookie_samesite='Lax',
    frame_options=ALLOW_FROM,       # X-Frame-Options: ALLOW-FROM <origin>
    frame_options_allow_from='https://www.google.com',
)

@app.route('/')
def index():
    return 'Hello, World!'

if __name__ == '__main__':
    # force_https redirects http:// to https://, which the development server
    # does not serve by default. Talisman skips the redirect in debug mode, so
    # for local testing use app.run(debug=True) or app.run(ssl_context='adhoc').
    app.run()


Output :


