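def test_CSP_pass(self):
    """Exercise CSP policy update, rewrite and header creation.

    Starts from the library's default CSP policy and checks that
    ``update_policy`` merges into it, ``rewrite_policy`` replaces it, and
    ``create_header`` renders the directive string (including the
    report-only variant).
    """
    sh = Secure_Headers()
    default_csp = sh.defaultPolicies['CSP']

    # update_policy: the supplied directives are merged into the default
    # policy, so directives not mentioned keep their default values.
    h = CSP({'script-src': ['self', 'code.jquery.com']}).update_policy(default_csp)
    self.assertHeaderEquals(h['script-src'], ['self', 'code.jquery.com'])
    # assertEquals was removed in Python 3.12; assertEqual is the supported name.
    self.assertEqual(h['default-src'], ['self'])
    self.assertEqual(h['img-src'], [])

    # rewrite_policy: the default policy is discarded, so every directive
    # not supplied comes back empty (including report-uri).
    h = CSP({'default-src': ['none']}).rewrite_policy(default_csp)
    self.assertEqual(h['script-src'], [])
    self.assertEqual(h['default-src'], ['none'])
    self.assertEqual(h['report-uri'], [])

    # create_header: keyword sources such as none are single-quoted in the
    # rendered directive, as the CSP grammar requires.
    h = CSP({'default-src': ['none']}).create_header()
    self.assertEqual(h['Content-Security-Policy'], "default-src 'none'")

    # The report-only flag only changes the header name; the policy text
    # is rendered identically.
    h = CSP({'default-src': ['none'], 'report-only': True}).create_header()
    self.assertEqual(h['Content-Security-Policy-Report-Only'], "default-src 'none'")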
mimetypes.add_type('image/svg+xml', '.svg') oidc_config = config.OIDCConfig() authentication = auth.OpenIDConnect( oidc_config ) oidc = authentication.auth(app) person_api = person.API() vanity_router = vanity.Router(app=app).setup() # Add secure Headers to satify observatory checks sh = Secure_Headers() sh.update( { 'CSP': { 'default-src': [ 'self', ], 'script-src': [ 'self', 'data:', 'ajax.googleapis.com', 'fonts.googleapis.com', 'https://*.googletagmanager.com', 'https://tagmanager.google.com', 'https://*.google-analytics.com', 'https://cdn.sso.mozilla.com',
# Only log flask debug in development mode. logger.info("Using development config") logging.basicConfig(level=logging.DEBUG) handler = logging.StreamHandler() logging.getLogger("werkzeug").addHandler(handler) app.config.from_object(config.DevelopmentConfig()) #auth = OIDCAuthentication(app,client_registration_info=client_info) oidc_config = config.OIDCConfig() authentication = auth.OpenIDConnect(oidc_config) oidc = authentication.auth(app) #websec headers: sh = Secure_Headers() #laboratory says # default-src 'none'; # connect-src 'self'; # script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js; # style-src 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/css/ sh.update({ 'CSP': { 'default-src': [ 'self', ], 'connect-src': [ 'self', ], 'script-src': [ 'self',
css = Bundle(sass, filters='cssmin', output='css/gen/all.css') assets.register('css_all', css) # Hack to support serving .svg mimetypes.add_type('image/svg+xml', '.svg') oidc_config = config.OIDCConfig() authentication = auth.OpenIDConnect(oidc_config) oidc = authentication.auth(app) vanity_router = vanity.Router(app=app).setup() # Add secure Headers to satify observatory checks sh = Secure_Headers() sh.update({ 'CSP': { 'default-src': [ 'self', ], 'script-src': [ 'self', 'data:', 'ajax.googleapis.com', 'fonts.googleapis.com', 'https://*.googletagmanager.com', 'https://tagmanager.google.com', 'https://*.google-analytics.com' ], 'style-src': [ 'self', 'ajax.googleapis.com', 'fonts.googleapis.com', ],
handler = logging.StreamHandler() logging.getLogger("werkzeug").addHandler(handler) app.config.from_object(config.DevelopmentConfig()) #auth = OIDCAuthentication(app,client_registration_info=client_info) oidc_config = config.OIDCConfig() authentication = auth.OpenIDConnect( oidc_config ) oidc = authentication.auth(app) #websec headers: sh = Secure_Headers() #laboratory says # default-src 'none'; # connect-src 'self'; # script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/js/bootstrap.min.js; # style-src 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.5/css/ sh.update( { 'CSP': { 'default-src': [ 'self', ], 'connect-src': [ 'self', ], 'script-src': [
ADMIN_ROLE = 'admin' # Initialize the web app. app = Flask(__name__) app.config['SERVER_NAME'] = config.flask_server_name app.config['PREFERRED_URL_SCHEME'] = ('https' if config.flask_use_ssl else 'http') app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' app.secret_key = config.flask_secret_key # Redirect to https if running on Heroku dyno. if 'DYNO' in os.environ: sslify = SSLify(app) # Load security headers. sh = Secure_Headers() sh.rewrite({ 'CSP': { 'connect-src': [ 'self', ], 'img-src': [ 'self', ], 'object-src': [ 'self', ], 'script-src': [ 'self', ], 'style-src': [
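class TestAppUseCase(TestHeaders):
    """End-to-end checks of the Secure_Headers Flask wrapper.

    Each test registers a trivial route on a fresh app, wraps it with
    ``Secure_Headers.wrapper`` and asserts on the response headers produced
    by the default, updated or rewritten policies.
    """

    def setUp(self):
        """Give every test a fresh Flask app and a fresh header config."""
        self.app = Flask(__name__)
        self.sh = Secure_Headers()

    def test_defaults(self):
        """The bare wrapper emits the library's default header set."""
        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            # assertEquals was removed in Python 3.12; use assertEqual.
            self.assertEqual(result.headers.get('X-XSS-Protection'), '1; mode=block')
            self.assertEqual(result.headers.get('Strict-Transport-Security'), 'includeSubDomains; max-age=31536000')
            self.assertEqual(result.headers.get('Public-Key-Pins'), 'includeSubDomains; report-uri=/hpkp_report; max-age=5184000')
            self.assertEqual(result.headers.get('X-Content-Type-Options'), 'nosniff')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            self.assertEqual(result.headers.get('X-Download-Options'), 'noopen')
            self.assertEqual(result.headers.get('X-Frame-Options'), 'sameorigin')
            # Directive order is not significant, hence the helper comparison.
            self.assertHeaderEquals(result.headers.get('Content-Security-Policy'), "report-uri /csp_report; default-src 'self'")

    def test_update_function(self):
        """``update`` merges new values into the default policies."""
        self.sh.update({
            'X_Permitted_Cross_Domain_Policies': {'value': 'all'},
            'CSP': {'script-src': ['self', 'code.jquery.com']},
            'HPKP': {'pins': [{'sha256': 'test123'}, {'sha256': 'test2256'}]},
        })

        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'all')
            # Default report-uri and default-src survive the merge.
            self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; report-uri /csp_report; default-src 'self'")
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123; pin-sha256=test2256; includeSubDomains; report-uri=/hpkp_report; max-age=5184000")

    def test_rewrite_function(self):
        """``rewrite`` replaces a policy wholesale, dropping defaults."""
        self.sh.rewrite({
            'CSP': {'default-src': ['none']},
            'HPKP': {'pins': [{'sha256': 'test123'}]},
        })

        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('Content-Security-Policy'), "default-src 'none'")
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123")

    def test_wrapper_update_function(self):
        """Per-route overrides passed to ``wrapper`` are applied on top of the config."""
        self.sh.rewrite({
            'CSP': {'default-src': ['none']},
            'HPKP': {'pins': [{'sha256': 'test123'}]},
        })

        @self.app.route('/')
        @self.sh.wrapper({
            'CSP': {'script-src': ['self', 'code.jquery.com']},
            'X_Permitted_Cross_Domain_Policies': {'value': 'none'},
            'X-XSS-Protection': {'value': 1, 'mode': False},
            'HPKP': {'pins': [{'sha256': 'test2256'}]},
        })
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            self.assertHeaderEquals(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; default-src 'none'")
            self.assertEqual(result.headers.get('X-XSS-Protection'), '1')
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test2256; pin-sha256=test123")

        # NOTE(review): the expected value below includes the script-src
        # sources added by the first route's wrapper, i.e. wrapper overrides
        # appear to persist in the shared Secure_Headers instance — confirm
        # this is intended rather than per-route.
        @self.app.route('/test')
        @self.sh.wrapper({'CSP': {'script-src': ['nonce-1234']}})
        def test():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/test')
            self.assertHeaderEquals(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com 'nonce-1234'; default-src 'none'")

    def test_passing_none_value_rewrite(self):
        """A ``None`` policy in ``rewrite`` removes the header entirely."""
        self.sh.rewrite({'CSP': None, 'X_XSS_Protection': None})

        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            # The previous assertion looked up a header literally named 'CSP',
            # which is never emitted, so it passed unconditionally; check the
            # real header name so the removal is actually verified.
            self.assertIsNone(result.headers.get('Content-Security-Policy'))
            self.assertIsNone(result.headers.get('X-XSS-Protection'))

    def test_passing_none_value_wrapper(self):
        """A ``None`` policy passed to ``wrapper`` removes the header for that route."""
        @self.app.route('/')
        @self.sh.wrapper({'CSP': None, 'X-XSS-Protection': None})
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            # Same fix as above: assert on the real header name, not 'CSP'.
            self.assertIsNone(result.headers.get('Content-Security-Policy'))
            self.assertIsNone(result.headers.get('X-XSS-Protection'))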
def setUp(self):
    """Provide each test with its own header config and a fresh Flask app."""
    self.sh = Secure_Headers()
    self.app = Flask(__name__)
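from functools import wraps
import hmac
import json
import os
import socket
import ssl

from flask import Flask, url_for, request, jsonify
from flask_secure_headers.core import Secure_Headers

# TLS context for serving the app. The cert/key are loaded relative to the
# working directory in effect at import time, before the chdir below.
# NOTE(review): ssl.PROTOCOL_TLSv1_2 is deprecated since Python 3.10 in favour
# of ssl.PROTOCOL_TLS_SERVER; left as-is to keep the negotiated version unchanged.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_cert_chain('cert4.pem', 'key4.pem')
if socket.gethostname() == "mssd-labs":
    os.chdir("/data/5/")

sh = Secure_Headers()
#sh.update({'HPKP':{'pins':[{'sha256':'uMBswu6zeZDgdpNzuimW9F1TLr66vBzdpuZgNXYyn/I='}],'max-age':2592000}})
#sh.update({'HSTS':{'max-age':2592000, 'includeSubDomains':True}})

app = Flask(__name__)
# Module-level record of the most recently authenticated username.
user = ''
# Credential store: plaintext passwords keyed by username.
shadow = {'admin': 'l4sT_L4b', 'guest': 'password'}


def check_auth(username, password):
    """Validate ``username``/``password`` against the ``shadow`` store.

    On success the module-level ``user`` is set to ``username`` and the
    username is returned; on any mismatch or unknown user ``None`` is
    returned and ``user`` is left untouched.
    """
    global user
    expected = shadow.get(username)
    # Only str passwords can ever equal the stored str values; the guard also
    # keeps compare_digest from raising on non-str input.
    if expected is None or not isinstance(password, str):
        return None
    # Constant-time comparison: plain ``==`` stops at the first differing
    # character and leaks information about the stored secret via timing.
    if not hmac.compare_digest(expected.encode('utf-8'), password.encode('utf-8')):
        return None
    user = username
    return username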
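class TestAppUseCase(unittest.TestCase):
    """End-to-end checks of the Secure_Headers Flask wrapper.

    Each test registers a trivial route on a fresh app, wraps it with
    ``Secure_Headers.wrapper`` and asserts on the response headers produced
    by the default, updated or rewritten policies.
    """

    def setUp(self):
        """Give every test a fresh Flask app and a fresh header config."""
        self.app = Flask(__name__)
        self.sh = Secure_Headers()

    def test_defaults(self):
        """The bare wrapper emits the library's default header set."""
        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            # assertEquals was removed in Python 3.12; use assertEqual.
            self.assertEqual(result.headers.get('X-XSS-Protection'), '1; mode=block')
            self.assertEqual(result.headers.get('Strict-Transport-Security'), 'includeSubDomains; max-age=31536000')
            self.assertEqual(result.headers.get('Public-Key-Pins'), 'includeSubDomains; report-uri=/hpkp_report; max-age=5184000')
            self.assertEqual(result.headers.get('X-Content-Type-Options'), 'nosniff')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            self.assertEqual(result.headers.get('X-Download-Options'), 'noopen')
            self.assertEqual(result.headers.get('X-Frame-Options'), 'sameorigin')
            self.assertEqual(result.headers.get('Content-Security-Policy'), "report-uri /csp_report; default-src 'self'")

    def test_update_function(self):
        """``update`` merges new values into the default policies."""
        self.sh.update({
            'X_Permitted_Cross_Domain_Policies': {'value': 'all'},
            'CSP': {'script-src': ['self', 'code.jquery.com']},
            'HPKP': {'pins': [{'sha256': 'test123'}, {'sha256': 'test2256'}]},
        })

        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'all')
            # Default report-uri and default-src survive the merge.
            self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; report-uri /csp_report; default-src 'self'")
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123; pin-sha256=test2256; includeSubDomains; report-uri=/hpkp_report; max-age=5184000")

    def test_rewrite_function(self):
        """``rewrite`` replaces a policy wholesale, dropping defaults."""
        self.sh.rewrite({
            'CSP': {'default-src': ['none']},
            'HPKP': {'pins': [{'sha256': 'test123'}]},
        })

        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('Content-Security-Policy'), "default-src 'none'")
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test123")

    def test_wrapper_update_function(self):
        """Per-route overrides passed to ``wrapper`` are applied on top of the config."""
        self.sh.rewrite({
            'CSP': {'default-src': ['none']},
            'HPKP': {'pins': [{'sha256': 'test123'}]},
        })

        @self.app.route('/')
        @self.sh.wrapper({
            'CSP': {'script-src': ['self', 'code.jquery.com']},
            'X_Permitted_Cross_Domain_Policies': {'value': 'none'},
            'X-XSS-Protection': {'value': 1, 'mode': False},
            'HPKP': {'pins': [{'sha256': 'test2256'}]},
        })
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com; default-src 'none'")
            self.assertEqual(result.headers.get('X-XSS-Protection'), '1')
            self.assertEqual(result.headers.get('Public-Key-Pins'), "pin-sha256=test2256; pin-sha256=test123")

        # NOTE(review): the expected value below includes the script-src
        # sources added by the first route's wrapper, i.e. wrapper overrides
        # appear to persist in the shared Secure_Headers instance — confirm
        # this is intended rather than per-route.
        @self.app.route('/test')
        @self.sh.wrapper({'CSP': {'script-src': ['nonce-1234']}})
        def test():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/test')
            self.assertEqual(result.headers.get('Content-Security-Policy'), "script-src 'self' code.jquery.com 'nonce-1234'; default-src 'none'")

    def test_passing_none_value_rewrite(self):
        """A ``None`` policy in ``rewrite`` removes the header entirely."""
        self.sh.rewrite({'CSP': None, 'X_XSS_Protection': None})

        @self.app.route('/')
        @self.sh.wrapper()
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            # The previous assertion looked up a header literally named 'CSP',
            # which is never emitted, so it passed unconditionally; check the
            # real header name so the removal is actually verified.
            self.assertIsNone(result.headers.get('Content-Security-Policy'))
            self.assertIsNone(result.headers.get('X-XSS-Protection'))

    def test_passing_none_value_wrapper(self):
        """A ``None`` policy passed to ``wrapper`` removes the header for that route."""
        @self.app.route('/')
        @self.sh.wrapper({'CSP': None, 'X-XSS-Protection': None})
        def index():
            return "hi"

        with self.app.test_client() as c:
            result = c.get('/')
            self.assertEqual(result.headers.get('X-Permitted-Cross-Domain-Policies'), 'none')
            # Same fix as above: assert on the real header name, not 'CSP'.
            self.assertIsNone(result.headers.get('Content-Security-Policy'))
            self.assertIsNone(result.headers.get('X-XSS-Protection'))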
from flask import Blueprint, render_template, flash, request, abort, make_response from sqliteFunctions import sqliteAdminFunctions, rules import sqlite3 import json import types from flask_secure_headers.core import Secure_Headers from functools import wraps import os.path # decorators sh = Secure_Headers() sh.update({'CSP':{'default-src':['localhost'],'script-src':['self','code.jquery.com','sha256-0U0JKOeLnVrPAm22MQQtlb5cufdXFDzRS9l-petvH6U=']}}) def defaultDecorator(f): @wraps(f) def decorated_function(*args, **kwargs): return make_response(f(*args, **kwargs)) return decorated_function def sqliteAdminBlueprint(dbPath,bpName='sqliteAdmin',tables=[],title='sqlite Admin',h1='sqlite Admin',baseLayout='base.html',extraRules=[],decorator=defaultDecorator): """ create routes for admin """ sqlite = Blueprint(bpName, __name__,template_folder='templates',static_folder='static') @sqlite.route('/',methods=['GET']) @decorator @sh.wrapper() def index(): db = sqlite3.connect(dbPath) sf = sqliteAdminFunctions(db,tables=tables,extraRules=extraRules) res = sf.tableList(tables)