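def test_CSP_pass(self):
    """Exercise the CSP policy object: update_policy, rewrite_policy and create_header.

    The bare string literals that used to sit between the phases were no-op
    expression statements, not comments; they are real comments now, and the
    deprecated ``assertEquals`` alias (removed in Python 3.12) is replaced by
    ``assertEqual``.
    """
    sh = Secure_Headers()
    defaultCSP = sh.defaultPolicies['CSP']
    # update_policy: merge the supplied directives into the library default policy
    h = CSP({'script-src': ['self', 'code.jquery.com']}).update_policy(defaultCSP)
    self.assertHeaderEquals(h['script-src'], ['self', 'code.jquery.com'])
    self.assertEqual(h['default-src'], ['self'])
    self.assertEqual(h['img-src'], [])
    # rewrite_policy: the supplied directives replace the default policy wholesale
    h = CSP({'default-src': ['none']}).rewrite_policy(defaultCSP)
    self.assertEqual(h['script-src'], [])
    self.assertEqual(h['default-src'], ['none'])
    self.assertEqual(h['report-uri'], [])
    # create_header: serialise the policy under the Content-Security-Policy name
    h = CSP({'default-src': ['none']}).create_header()
    self.assertEqual(h['Content-Security-Policy'], "default-src 'none'")
    # the report-only flag switches the header name to the -Report-Only variant,
    # which browsers report on but do not enforce
    h = CSP({'default-src': ['none'], 'report-only': True}).create_header()
    self.assertEqual(h['Content-Security-Policy-Report-Only'], "default-src 'none'")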
# Register the .svg extension with the stdlib MIME table so such files are
# served as image/svg+xml instead of a guessed or generic type.
mimetypes.add_type('image/svg+xml', '.svg')

# OpenID Connect settings come from the project's config module (opaque here).
oidc_config = config.OIDCConfig()

authentication = auth.OpenIDConnect(
    oidc_config
)

# presumably attaches the OIDC login flow to the Flask app — confirm against
# auth.OpenIDConnect.auth, which is not visible here
oidc = authentication.auth(app)

person_api = person.API()

# Module-level setup runs in statement order: the vanity routes are registered
# on `app` before the security-header configuration that follows.
vanity_router = vanity.Router(app=app).setup()
# Add secure headers to satisfy observatory checks

sh = Secure_Headers()
sh.update(
    {
        'CSP': {
            'default-src': [
                'self',
            ],
            'script-src': [
                'self',
                'data:',
                'ajax.googleapis.com',
                'fonts.googleapis.com',
                'https://*.googletagmanager.com',
                'https://tagmanager.google.com',
                'https://*.google-analytics.com',
                'https://cdn.sso.mozilla.com',
    # Only log flask debug in development mode.
    logger.info("Using development config")
    logging.basicConfig(level=logging.DEBUG)
    handler = logging.StreamHandler()
    logging.getLogger("werkzeug").addHandler(handler)
    app.config.from_object(config.DevelopmentConfig())

#auth = OIDCAuthentication(app,client_registration_info=client_info)
# OpenID Connect settings come from the project's config module (opaque here).
oidc_config = config.OIDCConfig()

authentication = auth.OpenIDConnect(oidc_config)

# presumably attaches the OIDC login flow to the Flask app — confirm against
# auth.OpenIDConnect.auth, which is not visible here
oidc = authentication.auth(app)

# Web security headers: this Secure_Headers instance starts from the library
# defaults; its policy is adjusted by the sh.update() call that follows.
sh = Secure_Headers()
#laboratory says
# default-src 'none';
# connect-src 'self';
# script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js;
# style-src 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/css/
sh.update({
    'CSP': {
        'default-src': [
            'self',
        ],
        'connect-src': [
            'self',
        ],
        'script-src': [
            'self',
# Asset bundle: `sass` is defined earlier in the file; the bundle is run through
# the 'cssmin' filter and written to css/gen/all.css (webassets-style API, presumably).
css = Bundle(sass, filters='cssmin', output='css/gen/all.css')
assets.register('css_all', css)

# Hack to support serving .svg: register the extension with the stdlib MIME
# table so such files are served as image/svg+xml.
mimetypes.add_type('image/svg+xml', '.svg')

# OpenID Connect settings come from the project's config module (opaque here).
oidc_config = config.OIDCConfig()

authentication = auth.OpenIDConnect(oidc_config)

# presumably attaches the OIDC login flow to the Flask app — confirm against
# auth.OpenIDConnect.auth, which is not visible here
oidc = authentication.auth(app)

# Module-level setup runs in statement order: the vanity routes are registered
# on `app` before the security-header configuration that follows.
vanity_router = vanity.Router(app=app).setup()
# Add secure headers to satisfy observatory checks

sh = Secure_Headers()
sh.update({
    'CSP': {
        'default-src': [
            'self',
        ],
        'script-src': [
            'self', 'data:', 'ajax.googleapis.com', 'fonts.googleapis.com',
            'https://*.googletagmanager.com', 'https://tagmanager.google.com',
            'https://*.google-analytics.com'
        ],
        'style-src': [
            'self',
            'ajax.googleapis.com',
            'fonts.googleapis.com',
        ],
    handler = logging.StreamHandler()
    logging.getLogger("werkzeug").addHandler(handler)
    app.config.from_object(config.DevelopmentConfig())


#auth = OIDCAuthentication(app,client_registration_info=client_info)
# OpenID Connect settings come from the project's config module (opaque here).
oidc_config = config.OIDCConfig()

authentication = auth.OpenIDConnect(
    oidc_config
)

# presumably attaches the OIDC login flow to the Flask app — confirm against
# auth.OpenIDConnect.auth, which is not visible here
oidc = authentication.auth(app)

# Web security headers: this Secure_Headers instance starts from the library
# defaults; its policy is adjusted by the sh.update() call that follows.
sh = Secure_Headers()
#laboratory says
# default-src 'none';
# connect-src 'self';
# script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js;
# style-src 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/css/ 
sh.update(
    {
        'CSP': {
            'default-src': [
                'self',
            ],
            'connect-src': [
                'self',
            ],
            'script-src': [
# Role name compared against when gating admin-only views (usage not visible here).
ADMIN_ROLE = 'admin'

# Initialize the web app.
app = Flask(__name__)
app.config['SERVER_NAME'] = config.flask_server_name
# Scheme used for generated URLs: https only when the deployment declares TLS.
app.config['PREFERRED_URL_SCHEME'] = ('https'
                                      if config.flask_use_ssl else 'http')
# SameSite=Lax stops the session cookie riding along on cross-site POSTs
# (CSRF hardening). NOTE(review): SESSION_COOKIE_SECURE is not set in this
# block — confirm it is set elsewhere when the app is served over HTTPS.
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
# Session-signing key is taken from config rather than hard-coded in source.
app.secret_key = config.flask_secret_key

# Redirect to https if running on Heroku dyno (the DYNO variable is set by the
# Heroku runtime); no redirect is installed in other environments.
if 'DYNO' in os.environ:
    sslify = SSLify(app)

# Load security headers: start from the library defaults; the rewrite() call
# that follows replaces the CSP wholesale.
sh = Secure_Headers()
sh.rewrite({
    'CSP': {
        'connect-src': [
            'self',
        ],
        'img-src': [
            'self',
        ],
        'object-src': [
            'self',
        ],
        'script-src': [
            'self',
        ],
        'style-src': [
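class TestAppUseCase(TestHeaders):
    """ test header creation in flask app

    Each test builds a fresh Flask app, decorates a trivial route with
    Secure_Headers.wrapper() and asserts on the headers of the response.
    ``assertEquals`` (a deprecated alias removed in Python 3.12) is replaced by
    ``assertEqual`` throughout, and the "header removed" tests now look at the
    real ``Content-Security-Policy`` header name instead of the literal ``CSP``,
    which no response ever carries and so could never fail.

    NOTE(review): Public-Key-Pins (HPKP) and X-XSS-Protection are deprecated
    and ignored by current browsers; the assertions on them pin the library's
    output, not a browser-enforced control.
    """

    def setUp(self):
        # fresh app and header policy per test so wrapper()/rewrite() calls do not leak
        self.app = Flask(__name__)
        self.sh = Secure_Headers()

    def test_defaults(self):
        """ test header wrapper with default headers """
        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-XSS-Protection'), '1; mode=block')
            self.assertEqual(result.headers.get('Strict-Transport-Security'), 'includeSubDomains; max-age=31536000')
            self.assertEqual(result.headers.get('Public-Key-Pins'), 'includeSubDomains; report-uri=/hpkp_report; max-age=5184000')
            self.assertEqual(result.headers.get('X-Content-Type-Options'), 'nosniff')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            self.assertEqual(result.headers.get('X-Download-Options'), 'noopen')
            self.assertEqual(result.headers.get('X-Frame-Options'), 'sameorigin')
            # directive order is not part of the CSP contract; compare as a header
            self.assertHeaderEquals(result.headers.get('Content-Security-Policy'), "report-uri /csp_report; default-src 'self'")

    def test_update_function(self):
        """ test config update function """
        self.sh.update(
            {
                'X_Permitted_Cross_Domain_Policies': {'value': 'all'},
                'CSP': {'script-src': ['self', 'code.jquery.com']},
                'HPKP': {'pins': [{'sha256': 'test123'}, {'sha256': 'test2256'}]}
            }
        )
        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'all')
            # update() merges: the default-src/report-uri defaults survive alongside the new script-src
            self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; report-uri /csp_report; default-src 'self'")
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123; pin-sha256=test2256; includeSubDomains; report-uri=/hpkp_report; max-age=5184000")

    def test_rewrite_function(self):
        """ test config rewrite function """
        self.sh.rewrite(
            {
                'CSP': {'default-src': ['none']},
                'HPKP': {'pins': [{'sha256': 'test123'}]}
            }
        )
        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/')
            # rewrite() replaces: nothing from the defaults remains
            self.assertEqual(result.headers.get('Content-Security-Policy'), "default-src 'none'")
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123")

    def test_wrapper_update_function(self):
        """ test updating policies from wrapper """
        self.sh.rewrite(
            {
                'CSP': {'default-src': ['none']},
                'HPKP': {'pins': [{'sha256': 'test123'}]}
            }
        )
        @self.app.route('/')
        @self.sh.wrapper(
            {
                'CSP': {'script-src': ['self', 'code.jquery.com']},
                'X_Permitted_Cross_Domain_Policies': {'value': 'none'},
                'X-XSS-Protection': {'value': 1, 'mode': False},
                'HPKP': {'pins': [{'sha256': 'test2256'}]},
            }
        )
        def index():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            self.assertHeaderEquals(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; default-src 'none'")
            self.assertEqual(result.headers.get('X-XSS-Protection'), '1')
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test2256; pin-sha256=test123")
        # a second route with its own wrapper() policy: per-route additions
        # accumulate on top of the shared policy
        @self.app.route('/test')
        @self.sh.wrapper({'CSP': {'script-src': ['nonce-1234']}})
        def test():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/test')
            self.assertHeaderEquals(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com 'nonce-1234'; default-src 'none'")

    def test_passing_none_value_rewrite(self):
        """ test removing header from update/rewrite """
        self.sh.rewrite({'CSP': None, 'X_XSS_Protection': None})
        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            # a None policy must drop the emitted header entirely
            self.assertEqual(result.headers.get('Content-Security-Policy'), None)
            self.assertEqual(result.headers.get('X-XSS-Protection'), None)

    def test_passing_none_value_wrapper(self):
        """ test removing policy from wrapper """
        @self.app.route('/')
        @self.sh.wrapper({'CSP': None, 'X-XSS-Protection': None})
        def index():
            return "hi"
        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            # a None policy must drop the emitted header entirely
            self.assertEqual(result.headers.get('Content-Security-Policy'), None)
            self.assertEqual(result.headers.get('X-XSS-Protection'), None)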
 def setUp(self):
     """Give every test its own Flask app and Secure_Headers policy object."""
     headers = Secure_Headers()
     flask_app = Flask(__name__)
     self.sh = headers
     self.app = flask_app
from flask import Flask, url_for, request, jsonify
from flask_secure_headers.core import Secure_Headers
from functools import wraps
import json
import ssl
import socket
import os
import ssl

# TLS context for serving the app over HTTPS (presumably handed to the Flask
# server further down — not visible here).
# NOTE(review): ssl.PROTOCOL_TLSv1_2 pins exactly TLS 1.2 and is deprecated since
# Python 3.10; ssl.PROTOCOL_TLS_SERVER with minimum_version = ssl.TLSVersion.TLSv1_2
# is the replacement and also admits TLS 1.3.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
# NOTE(review): relative paths, resolved against the current working directory
# *before* the chdir below — confirm that is the intended location of the files.
context.load_cert_chain('cert4.pem', 'key4.pem')

# Lab-host special case: change into the data directory only on that machine.
if socket.gethostname() == "mssd-labs":
    os.chdir("/data/5/")

# Security headers start from the library defaults; the two disabled lines
# below show how HPKP / HSTS would be tightened via sh.update().
sh = Secure_Headers()
#sh.update({'HPKP':{'pins':[{'sha256':'uMBswu6zeZDgdpNzuimW9F1TLr66vBzdpuZgNXYyn/I='}],'max-age':2592000}})
#sh.update({'HSTS':{'max-age':2592000, 'includeSubDomains':True}})

app = Flask(__name__)

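# Name of the most recently authenticated user (module-wide, see check_auth).
# NOTE(review): a process-global shared by all requests — confirm callers do not
# rely on it to identify the *current* request's user under concurrent load.
user = ''

# NOTE(review): plaintext credentials in source; acceptable only as a lab
# fixture. Anything real belongs in a salted password-hash store.
shadow = {'admin': 'l4sT_L4b', 'guest': 'password'}


def check_auth(username, password):
    """Check *username*/*password* against the ``shadow`` table.

    Returns the username on success and ``None`` otherwise. On success the
    module-level ``user`` is also set, as before, for callers that read it.

    The comparison uses ``hmac.compare_digest`` so its duration does not depend
    on where the strings first differ; a plain ``==`` short-circuits at the
    first mismatching character.
    """
    import hmac  # local import keeps this fix self-contained

    global user
    expected = shadow.get(username)
    if expected is None or not isinstance(password, str):
        return None
    # compare as UTF-8 bytes: compare_digest rejects non-ASCII str arguments
    if hmac.compare_digest(expected.encode('utf-8'), password.encode('utf-8')):
        user = username
        return username
    return None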
# Role name compared against when gating admin-only views (usage not visible here).
ADMIN_ROLE = 'admin'

# Initialize the web app.
app = Flask(__name__)
app.config['SERVER_NAME'] = config.flask_server_name
# Scheme used for generated URLs: https only when the deployment declares TLS.
app.config['PREFERRED_URL_SCHEME'] = ('https' if config.flask_use_ssl
                                      else 'http')
# SameSite=Lax stops the session cookie riding along on cross-site POSTs
# (CSRF hardening). NOTE(review): SESSION_COOKIE_SECURE is not set in this
# block — confirm it is set elsewhere when the app is served over HTTPS.
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
# Session-signing key is taken from config rather than hard-coded in source.
app.secret_key = config.flask_secret_key

# Redirect to https if running on Heroku dyno (the DYNO variable is set by the
# Heroku runtime); no redirect is installed in other environments.
if 'DYNO' in os.environ:
    sslify = SSLify(app)

# Load security headers: start from the library defaults; the rewrite() call
# that follows replaces the CSP wholesale.
sh = Secure_Headers()
sh.rewrite({
    'CSP': {
        'connect-src': [
            'self',
        ],
        'img-src': [
            'self',
        ],
        'object-src': [
            'self',
        ],
        'script-src': [
            'self',
        ],
        'style-src': [
	def setUp(self):
		"""Give every test its own Secure_Headers policy object and Flask app."""
		self.sh = Secure_Headers()
		self.app = Flask(__name__)
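class TestAppUseCase(unittest.TestCase):
	""" test header creation in flask app

	Each test builds a fresh Flask app, decorates a trivial route with
	Secure_Headers.wrapper() and asserts on the headers of the response.
	``assertEquals`` (a deprecated alias removed in Python 3.12) is replaced by
	``assertEqual`` throughout, and the "header removed" tests now look at the
	real ``Content-Security-Policy`` header name instead of the literal ``CSP``,
	which no response ever carries and so could never fail.

	NOTE(review): Public-Key-Pins (HPKP) and X-XSS-Protection are deprecated
	and ignored by current browsers; the assertions on them pin the library's
	output, not a browser-enforced control. The CSP assertions compare the
	whole header string, so they also depend on the library's directive order.
	"""

	def setUp(self):
		# fresh app and header policy per test so wrapper()/rewrite() calls do not leak
		self.app = Flask(__name__)
		self.sh = Secure_Headers()

	def test_defaults(self):
		""" test header wrapper with default headers """
		@self.app.route('/')
		@self.sh.wrapper()
		def index():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/')
			self.assertEqual(result.headers.get('X-XSS-Protection'), '1; mode=block')
			self.assertEqual(result.headers.get('Strict-Transport-Security'), 'includeSubDomains; max-age=31536000')
			self.assertEqual(result.headers.get('Public-Key-Pins'), 'includeSubDomains; report-uri=/hpkp_report; max-age=5184000')
			self.assertEqual(result.headers.get('X-Content-Type-Options'), 'nosniff')
			self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
			self.assertEqual(result.headers.get('X-Download-Options'), 'noopen')
			self.assertEqual(result.headers.get('X-Frame-Options'), 'sameorigin')
			self.assertEqual(result.headers.get('Content-Security-Policy'), "report-uri /csp_report; default-src 'self'")

	def test_update_function(self):
		""" test config update function """
		self.sh.update(
			{
				'X_Permitted_Cross_Domain_Policies': {'value': 'all'},
				'CSP': {'script-src': ['self', 'code.jquery.com']},
				'HPKP': {'pins': [{'sha256': 'test123'}, {'sha256': 'test2256'}]}
			}
		)
		@self.app.route('/')
		@self.sh.wrapper()
		def index():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/')
			self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'all')
			# update() merges: the default-src/report-uri defaults survive alongside the new script-src
			self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; report-uri /csp_report; default-src 'self'")
			self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123; pin-sha256=test2256; includeSubDomains; report-uri=/hpkp_report; max-age=5184000")

	def test_rewrite_function(self):
		""" test config rewrite function """
		self.sh.rewrite(
			{
				'CSP': {'default-src': ['none']},
				'HPKP': {'pins': [{'sha256': 'test123'}]}
			}
		)
		@self.app.route('/')
		@self.sh.wrapper()
		def index():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/')
			# rewrite() replaces: nothing from the defaults remains
			self.assertEqual(result.headers.get('Content-Security-Policy'), "default-src 'none'")
			self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123")

	def test_wrapper_update_function(self):
		""" test updating policies from wrapper """
		self.sh.rewrite(
			{
				'CSP': {'default-src': ['none']},
				'HPKP': {'pins': [{'sha256': 'test123'}]}
			}
		)
		@self.app.route('/')
		@self.sh.wrapper(
			{
				'CSP': {'script-src': ['self', 'code.jquery.com']},
				'X_Permitted_Cross_Domain_Policies': {'value': 'none'},
				'X-XSS-Protection': {'value': 1, 'mode': False},
				'HPKP': {'pins': [{'sha256': 'test2256'}]},
			}
		)
		def index():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/')
			self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
			self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; default-src 'none'")
			self.assertEqual(result.headers.get('X-XSS-Protection'), '1')
			self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test2256; pin-sha256=test123")
		# a second route with its own wrapper() policy: per-route additions
		# accumulate on top of the shared policy
		@self.app.route('/test')
		@self.sh.wrapper({'CSP': {'script-src': ['nonce-1234']}})
		def test():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/test')
			self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com 'nonce-1234'; default-src 'none'")

	def test_passing_none_value_rewrite(self):
		""" test removing header from update/rewrite """
		self.sh.rewrite({'CSP': None, 'X_XSS_Protection': None})
		@self.app.route('/')
		@self.sh.wrapper()
		def index():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/')
			self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
			# a None policy must drop the emitted header entirely
			self.assertEqual(result.headers.get('Content-Security-Policy'), None)
			self.assertEqual(result.headers.get('X-XSS-Protection'), None)

	def test_passing_none_value_wrapper(self):
		""" test removing policy from wrapper """
		@self.app.route('/')
		@self.sh.wrapper({'CSP': None, 'X-XSS-Protection': None})
		def index():
			return "hi"
		with self.app.test_client() as c:
			result = c.get('/')
			self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
			# a None policy must drop the emitted header entirely
			self.assertEqual(result.headers.get('Content-Security-Policy'), None)
			self.assertEqual(result.headers.get('X-XSS-Protection'), None)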
from flask import Blueprint, render_template, flash, request, abort, make_response
from sqliteFunctions import sqliteAdminFunctions, rules
import sqlite3
import json
import types
from flask_secure_headers.core import Secure_Headers
from functools import wraps
import os.path

# decorators
# Shared Secure_Headers instance applied to the blueprint routes via sh.wrapper().
sh = Secure_Headers()
# CSP: default-src is limited to the 'localhost' host source; script-src also
# allows self, code.jquery.com and one script identified by its sha256 hash.
# NOTE(review): a bare 'localhost' host source reads like a development setting
# — confirm before deploying; the hash must be regenerated whenever the script
# it allowlists changes.
sh.update({'CSP':{'default-src':['localhost'],'script-src':['self','code.jquery.com','sha256-0U0JKOeLnVrPAm22MQQtlb5cufdXFDzRS9l-petvH6U=']}})

def defaultDecorator(f):
	"""Wrap view *f* so its return value is passed through flask's make_response().

	Used as the fallback `decorator` argument of sqliteAdminBlueprint; the
	wrapped function keeps *f*'s name and docstring via functools.wraps.
	"""
	@wraps(f)
	def wrapped(*args, **kwargs):
		response = make_response(f(*args, **kwargs))
		return response
	return wrapped

def sqliteAdminBlueprint(dbPath,bpName='sqliteAdmin',tables=[],title='sqlite Admin',h1='sqlite Admin',baseLayout='base.html',extraRules=[],decorator=defaultDecorator):
	""" create routes for admin """
	
	sqlite = Blueprint(bpName, __name__,template_folder='templates',static_folder='static')
	
	@sqlite.route('/',methods=['GET'])
	@decorator
	@sh.wrapper()
	def index():	
		db = sqlite3.connect(dbPath)	
		sf = sqliteAdminFunctions(db,tables=tables,extraRules=extraRules)
		res = sf.tableList(tables)