Merge pull request #2309 from aqt01/master

Add http headers security notes

docs/security.rst

@@ -104,3 +104,94 @@ vulnerabilities
 <https://github.com/pallets/flask/issues/248#issuecomment-59934857>`_, so
 this behavior was changed and :func:`~flask.jsonify` now supports serializing
 arrays.
+
+Security Headers
+----------------
+
+This section contains a list of HTTP security headers supported by Flask.
+To configure HTTPS and handle the headers listed below we suggest the package `flask-talisman <https://github.com/GoogleCloudPlatform/flask-talisman>`_. 
+
+HTTP Strict Transport Security (HSTS)
+-------------------------------------
+
+Redirects HTTP requests to HTTPS on all URLs, preventing man-in-the-middle (MITM) attacks.
+
+Example:
+
+.. sourcecode:: none
+   
+   Strict-Transport-Security: max-age=<expire-time 
+   Strict-Transport-Security: max-age=<expire-time>; includeSubDomains 
+   Strict-Transport-Security: max-age=<expire-time>; preload 
+
+See also `Strict Transport Security <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security>`_. 
+
+HTTP Public Key Pinning (HPKP)
+------------------------------
+
+This enables your web server to authenticate with a client browser using a specific certificate key to prevent man-in-the-middle (MITM) attacks.
+
+Example:
+
+.. sourcecode:: none
+
+   Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] 
+
+See also `Public Key Pinning <https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning>`_.
+
+X-Frame-Options (Clickjacking Protection)
+-----------------------------------------
+
+Prevents the client from clicking page elements outside of the website, avoiding hijacking or UI redress attacks.
+
+.. sourcecode:: none
+   
+   X-Frame-Options: DENY 
+   X-Frame-Options: SAMEORIGIN
+   X-Frame-Options: ALLOW-FROM https://example.com/
+
+See also `X-Frame-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options>`_. 
+
+X-Content-Type-Options
+----------------------
+
+This header prevents Cross-site scripting (XSS) by blocking requests on clients and forcing them to first read and validate the content-type before reading any of the contents of the request.
+
+.. sourcecode:: none
+   
+   X-Content-Type-Options: nosniff
+
+See also `X-Content-Type-Options <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options>`_. 
+
+Content Security Policy (CSP)
+-----------------------------
+
+Enhances security and prevents common web vulnerabilities such as cross-site scripting (XSS) and man-in-the-middle (MITM) related attacks.
+
+Example:
+
+.. sourcecode:: none
+   
+   Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none'
+
+See also `Content Security Policy <https://csp.withgoogle.com/docs/index.html>`_.
+
+Cookie Options
+--------------
+
+While these headers are not directly security related, they have important options that may affect your Flask application.
+
+- ``Secure`` limits your cookies to HTTPS traffic only.
+- ``HttpOnly`` protects the contents of your cookie from being visible to XSS.
+- ``SameSite`` ensures that cookies can only be requested from the same domain that created them but this feature is not yet fully supported across all browsers.  
+
+Example:
+
+.. sourcecode:: none
+   
+   Set-Cookie: [cookie-name]=[cookie-value] 
+
+See also:
+
+-  Mozilla guide to `HTTP cookies <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies>`_.
+- `OWASP HTTP Only <https://www.owasp.org/index.php/HttpOnly>`_.