### Install Flask-Talisman Python Package

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

This command installs the Flask-Talisman library with pip, the Python package installer, making the extension available to your Flask projects.

```shell
pip install flask-talisman
```

--------------------------------

### Content Security Policy: Trusted Domain and Subdomains

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

Shows how to configure CSP to allow content from a trusted domain and all of its subdomains. The `default-src` directive is expanded to include `'self'` plus a wildcard for the trusted domain.

```python
csp = {
    'default-src': [
        '\'self\'',
        '*.trusted.com'
    ]
}
```

--------------------------------

### Set CSP Directives via Environment Variable (Bash)

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

This Bash command exports a Content Security Policy (CSP) string to the `CSP_DIRECTIVES` environment variable, so the policy can be configured externally before running a Flask application that uses Flask-Talisman to apply security headers.

```bash
# The image directive is spelled img-src; browsers silently ignore an unknown
# directive name, so a misspelling would leave images unrestricted by mistake.
export CSP_DIRECTIVES="default-src 'self'; img-src *"
python app.py
```

--------------------------------

### Content Security Policy: HTTPS Only for Specific Origin

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

An example CSP for an online banking site, enforcing that all content is loaded over HTTPS from a single, specific origin. This helps prevent eavesdropping and ensures the page only talks to the intended server.

```python
csp = {
    'default-src': 'https://onlinebanking.jumbobank.com'
}
```

--------------------------------

### Initialize Flask-Talisman with CSP from Environment (Python)

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

This Python snippet shows how to initialize `Flask-Talisman` within a Flask application. It reads the Content Security Policy (CSP) directives from the `CSP_DIRECTIVES` environment variable and falls back to `DEFAULT_CSP_POLICY` when the variable is not set, allowing the CSP to be configured at deployment time.

```python
import os

from flask import Flask
from flask_talisman import Talisman, DEFAULT_CSP_POLICY

app = Flask(__name__)

# A string policy from the environment or the library's default dict policy.
talisman = Talisman(
    app,
    content_security_policy=os.environ.get("CSP_DIRECTIVES", DEFAULT_CSP_POLICY),
)
```

--------------------------------

### Talisman Class Constructor Configuration Options

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

This section lists the parameters available for configuring the Talisman extension when initializing it with a Flask application. They control the HTTP security headers Talisman emits, such as CSP, HSTS, X-Frame-Options and Referrer-Policy.

```APIDOC
Talisman:
  __init__(
    app: Flask,
    feature_policy: dict = {},
    force_https: bool = True,
    force_https_permanent: bool = False,
    frame_options: str = 'SAMEORIGIN',
    frame_options_allow_from: str = None,
    strict_transport_security: bool = True,
    strict_transport_security_preload: bool = False,
    strict_transport_security_max_age: int = ONE_YEAR_IN_SECS,
    strict_transport_security_include_subdomains: bool = True,
    content_security_policy: str = "default-src: 'self'",
    content_security_policy_nonce_in: list = [],
    content_security_policy_report_only: bool = False,
    content_security_policy_report_uri: str = None,
    referrer_policy: str = 'strict-origin-when-cross-origin'
  )

  app: The Flask application instance to protect.
  feature_policy: default {}, see the Feature Policy section for details.
  force_https: default True, forces all non-debug connections to HTTPS.
  force_https_permanent: default False, uses a 301 (permanent) redirect instead of 302 for HTTPS redirects.
  frame_options: default 'SAMEORIGIN', controls the X-Frame-Options header. Can be 'SAMEORIGIN', 'DENY', or 'ALLOWFROM'.
  frame_options_allow_from: default None, a string specifying the domains allowed to embed the site in an iframe when frame_options is 'ALLOWFROM'.
  strict_transport_security: default True, enables or disables sending HSTS headers.
  strict_transport_security_preload: default False, enables HSTS preloading. Registering with Google's HSTS preload list ensures browsers never load your site over non-secure connections.
  strict_transport_security_max_age: default ONE_YEAR_IN_SECS, sets the max-age of the HSTS header, i.e. how long the browser should respect the policy.
  strict_transport_security_include_subdomains: default True, specifies whether HSTS should also apply to subdomains.
  content_security_policy: default "default-src: 'self'", defines the Content Security Policy. See the Content Security Policy section for details.
  content_security_policy_nonce_in: default [], a list of CSP directives (e.g. ['script-src', 'style-src']) to which a per-request nonce value is added.
  content_security_policy_report_only: default False, if True the header is sent as "Content-Security-Policy-Report-Only", which disables enforcement but still reports violations. Requires content_security_policy_report_uri.
  content_security_policy_report_uri: default None, a string specifying the URI to which CSP violation reports are sent.
  referrer_policy: default 'strict-origin-when-cross-origin', sets the Referrer-Policy header, which governs what referrer information is included with requests.
```

--------------------------------

### Content Security Policy: Granular Source Control

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

A more granular CSP configuration: images may come from any origin, media only from specific trusted providers, and scripts only from a dedicated server. Each resource type gets its own source list.

```python
csp = {
    'default-src': '\'self\'',
    'img-src': '*',
    'media-src': [
        'media1.com',
        'media2.com',
    ],
    'script-src': 'userscripts.example.com'
}
```

--------------------------------

### JavaScript CSP Testing with Console and Geolocation

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/example_app/templates/index.html

This JavaScript from the example app's template exercises the Content Security Policy: one inline script has no nonce and is expected to be blocked, a second carries the server's nonce and is allowed to run, and the nonce-bearing script then requests the user's geolocation, which the example's Feature Policy is expected to deny.

```JavaScript
// This script is forbidden: it carries no nonce, so the CSP blocks it.
console.log("Oh no, this should not have run!!")

// This one isn't: its script tag carries the per-request nonce.
console.log("Yay, nonce allowed to run this.")

// The Feature Policy disables geolocation, so this callback must not fire.
navigator.geolocation.getCurrentPosition(function(position) {
    console.log('Oh no, geolocation access should be denied');
});
```

--------------------------------

### Initialize Flask-Talisman in a Flask Application

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

This snippet imports Talisman and initializes it with your Flask application instance. Wrapping the app with Talisman applies the default HTTP security headers, including forcing HTTPS and setting a strict Content Security Policy.

```python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
Talisman(app)
```

--------------------------------

### Configure Flask-Talisman Per-View Options

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

Demonstrates how to apply Flask-Talisman options such as `frame_options` per view using the `@talisman` decorator, so that specific routes send different security headers than the global application settings.

```python
from flask import Flask
from flask_talisman import Talisman, ALLOW_FROM

app = Flask(__name__)
talisman = Talisman(app)


@app.route('/normal')
def normal():
    return 'Normal'


# This view overrides the global X-Frame-Options so it may be embedded.
@app.route('/embeddable')
@talisman(frame_options=ALLOW_FROM, frame_options_allow_from='*')
def embeddable():
    return 'Embeddable'
```

--------------------------------

### HTML Template for CSP Nonce Integration

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

Illustrates how to include the dynamically generated CSP nonce in a script tag within a template. The nonce in the tag must match the one the server generated for that response for the script to execute under a nonce-enabled CSP.

```html
```

--------------------------------

### Conditional Message Display in Jinja2 Template

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/example_app/templates/index.html

This Jinja2 template fragment renders a message conditionally: it checks whether a `message` variable is present and, if so, displays it in its own HTML element. This is a common pattern for showing user feedback or dynamic content in web applications.

```HTML
{% if message: %}
Your message:
{{message}}
{% endif %}
Submit
```

--------------------------------

### Content Security Policy: Allowing Embedded Scripts with Nonce

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

Shows how to configure CSP to allow embedded scripts using a nonce that is generated per request and added to the `script-src` directive; the same nonce goes on the script tag. Specific inline scripts can then execute while the policy stays strict for everything else.

```python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)

csp = {
    'default-src': '\'self\'',
    'script-src': '\'self\'',
}

# Talisman appends 'nonce-<value>' to script-src on every response.
talisman = Talisman(
    app,
    content_security_policy=csp,
    content_security_policy_nonce_in=['script-src']
)
```

--------------------------------

### Content Security Policy: Default Self-Origin

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

Illustrates a strict Content Security Policy (CSP) where all content must originate from the site's own domain. Setting `default-src` to `'self'` blocks resources from external sources.

```python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)

csp = {
    'default-src': '\'self\''
}
talisman = Talisman(app, content_security_policy=csp)
```

--------------------------------

### Content Security Policy: Web Mail with Image Wildcard

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

CSP for a web mail site: HTML may come from the site and its subdomains, images from any origin, while scripts are restricted to the originating server by the `default-src` fallback. This balances functionality with security by limiting where executable content can be loaded from.

```python
csp = {
    'default-src': [
        '\'self\'',
        '*.mailsite.com',
    ],
    'img-src': '*'
}
```

--------------------------------

### Configure Flask-Talisman for Geolocation Feature Policy (Python)

Source: https://github.com/googlecloudplatform/flask-talisman/blob/master/README.rst

This Python code defines a `feature_policy` dictionary that disables the Geolocation interface and passes it to the `Talisman` constructor, which applies the Feature Policy to the Flask application's HTTP responses.

```python
from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)

feature_policy = {
    'geolocation': "'none'"
}
talisman = Talisman(app, feature_policy=feature_policy)
```
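As an added example (written for this page; it is not flask-talisman's own code and not taken from the README), the following stand-alone Python shows what the dict-form policies in the CSP sections above turn into on the wire: it serializes a CSP dict into a `Content-Security-Policy` header value, appends a per-request nonce to the directives named in `nonce_in` (mirroring the `content_security_policy_nonce_in` option), and parses the string form used for `CSP_DIRECTIVES` back into a dict. The serialization rules (directives joined with `; `, sources with a space, nonce written as `'nonce-<base64>'`) and the directive-name check are assumptions of this example, not documented library behaviour; the function names are hypothetical.

```python
"""Serialize and parse Content-Security-Policy values in the dict/string forms
used by the flask-talisman examples above.

Added example, not flask-talisman code. Assumed rules: directives are joined
with '; ', a directive's sources with ' ', and a nonce is written as
'nonce-<base64>'. The directive-name check is an extra safeguard of this example.
"""
import base64
import secrets

# Directive names from the CSP specification. Browsers silently ignore an
# unknown directive name, so a typo such as "image-src" for "img-src" would
# leave that resource type governed only by default-src (or unrestricted).
KNOWN_DIRECTIVES = frozenset({
    "default-src", "script-src", "style-src", "img-src", "media-src",
    "font-src", "connect-src", "frame-src", "child-src", "object-src",
    "worker-src", "manifest-src", "base-uri", "form-action",
    "frame-ancestors", "report-uri", "report-to", "upgrade-insecure-requests",
})


def make_nonce():
    """Return a fresh, unpredictable nonce: 128 random bits, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp_header(csp, nonce_in=(), nonce=None):
    """Turn a CSP dict into a header value.

    Returns (header_value, nonce). The nonce is only generated when some
    directive in ``nonce_in`` asks for it; pass ``nonce`` explicitly to reuse
    one already placed in the template.
    """
    if nonce_in and nonce is None:
        nonce = make_nonce()
    parts = []
    for directive, value in csp.items():
        if directive not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown CSP directive: {directive!r}")
        # A value may be a single source string or a list of sources.
        sources = [value] if isinstance(value, str) else list(value)
        if directive in nonce_in:
            sources.append(f"'nonce-{nonce}'")
        parts.append(" ".join([directive, *sources]).strip())
    return "; ".join(parts), nonce


def parse_csp_header(header):
    """Parse the string form (as in CSP_DIRECTIVES) back into the dict form.

    Single-source directives become a string, multi-source ones a list, so
    the result matches the shape of the examples above.
    """
    csp = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directive, sources = tokens[0], tokens[1:]
        if directive not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown CSP directive: {directive!r}")
        csp[directive] = sources[0] if len(sources) == 1 else sources
    return csp


if __name__ == "__main__":
    policy = {"default-src": "'self'", "script-src": "'self'"}
    header, nonce = build_csp_header(policy, nonce_in=["script-src"])
    print("Content-Security-Policy:", header)
    print("template needs: <script nonce=\"%s\">" % nonce)
    print(parse_csp_header("default-src 'self'; img-src *"))
```

Run stand-alone, the script prints the header a nonce-enabled policy produces and the matching value the template's script tag must carry; a policy containing a misspelled directive raises instead of shipping a header the browser would partially ignore.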