Project author: twaldear

Project description:
Content Security Policy header support for Flask
Primary language: Python
Project address: git://github.com/twaldear/flask-csp.git
Created: 2015-04-21T19:53:16Z
Project community: https://github.com/twaldear/flask-csp

License: MIT License



flask-csp

Add a Content Security Policy header to your Flask application.
More information on CSP:

Installation

Install the extension using pip or easy_install; the package is also published on PyPI:

    $ pip install flask-csp

Usage

Add the csp_header(…) decorator below the app.route(…) decorator so that a Content-Security-Policy header is added to the response of each decorated route. The decorator can be called with no arguments (adds the default policies) or with a dict of custom policies (adds the custom policies on top of the defaults). For more information on the default policies see “Change Default Policies” below.

Add default header

    from flask_csp.csp import csp_header
    ...
    @app.route('/')
    @csp_header()
    def index():                # view function added so the decorators apply to a route
        return 'Hello'

Add custom header

Pass the csp_header wrapper a dict with the policies to change:

    from flask_csp.csp import csp_header
    ...
    @app.route('/')
    @csp_header({'default-src': "'none'", 'script-src': "'self'"})
    def index():                # view function added so the decorators apply to a route
        return 'Hello'

Notes:

  • Only policies with a non-empty value are added to the header. The wrapper @csp_header({'default-src': ""}) will remove 'default-src …' from the header.
  • Four keywords in policies must always be wrapped in single quotes: 'none', 'self', 'unsafe-inline', 'unsafe-eval'. Without the quotes a browser reads the word as a host name, not as the keyword.
  • The data: scheme source is written with a trailing colon.
    • ex: @csp_header({'default-src': "'none'", 'script-src': "'self'", 'font-src': "data: 'self'"})

Report only header

To switch the header to “Report only” mode, in which the browser reports violations but does not enforce the policy, pass the key/value pair 'report-only': True in the custom header dict:

    from flask_csp.csp import csp_header
    ...
    @app.route('/')
    @csp_header({'report-only': True})
    def index():                # view function added so the decorators apply to a route
        return 'Hello'
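The rules in the notes above (empty directives are dropped, the four keywords must be single-quoted, 'report-only': True changes the header) are easy to get wrong when assembling a policy dict. The following is an added example, not flask-csp's own code: a framework-free builder that merges a custom dict over the defaults listed under “Change Default Policies” below and produces the header name and value, refusing bare keywords such as `self` before they reach a browser. The DEFAULT_POLICIES dict is copied from the README; the report-only header name is the standard Content-Security-Policy-Report-Only.

```python
# Added example, not flask-csp's own code: a plain-Python builder that mirrors
# the README's rules for turning a policy dict into a CSP header.

# Keywords the README says must always be wrapped in single quotes.
CSP_KEYWORDS = ("none", "self", "unsafe-inline", "unsafe-eval")

# Copied from the README's default policy list.
DEFAULT_POLICIES = {
    "default-src": "'self'",
    "script-src": "",
    "img-src": "",
    "object-src": "",
    "plugin-src": "",
    "style-src": "",
    "media-src": "",
    "child-src": "",
    "connect-src": "",
    "base-uri": "",
    "report-uri": "/csp_report",
}


def bare_keywords(value):
    """Return the keyword tokens in a source list that lack their single quotes.

    "'self' cdn.example" -> []        "self cdn.example" -> ["self"]
    """
    return [tok for tok in value.split() if tok in CSP_KEYWORDS]


def build_csp_header(policies=None, report_only=False):
    """Return (header_name, header_value) for the merged policies.

    Custom values override the defaults; directives whose value is empty are
    dropped, as the README describes for @csp_header({'default-src': ""}).
    A bare keyword such as  self  instead of  'self'  raises ValueError, since
    a browser would treat it as a host name rather than the keyword.
    """
    merged = dict(DEFAULT_POLICIES)
    if policies:
        merged.update(policies)
    # 'report-only': True inside the dict switches the header name,
    # matching the README's report-only example.
    if merged.pop("report-only", False):
        report_only = True

    parts = []
    for directive, value in merged.items():
        value = str(value).strip()
        if not value:
            continue                      # empty value: directive is omitted
        bad = bare_keywords(value)
        if bad:
            raise ValueError(f"{directive}: quote keyword(s) {bad} as '...'")
        parts.append(f"{directive} {value}")

    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, "; ".join(parts)


if __name__ == "__main__":
    print(build_csp_header())
    print(build_csp_header({"default-src": "'none'", "script-src": "'self'",
                            "font-src": "data: 'self'"}))
    print(build_csp_header({"report-only": True}))
```

With the defaults alone the value is `default-src 'self'; report-uri /csp_report`; the empty directives never appear, which is why `@csp_header({'default-src': ""})` silently removes a directive rather than emitting an empty one.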

Change Default Policies

The default policies are as follows:

    {
        "default-src": "'self'",
        "script-src": "",
        "img-src": "",
        "object-src": "",
        "plugin-src": "",
        "style-src": "",
        "media-src": "",
        "child-src": "",
        "connect-src": "",
        "base-uri": "",
        "report-uri": "/csp_report"
    }

Edit default policies via command line:

    >>> from flask_csp.csp import csp_default
    >>> h = csp_default()
    >>> h.update({'child-src': "'self'"})

Edit default policies on flask app:

    from flask_csp.csp import csp_header, csp_default
    h = csp_default()
    h.update({'script-src': "'self' code.jquery.com"})

To view the default policies:

    >>> from flask_csp.csp import csp_default
    >>> h = csp_default()
    >>> h.read()

Note:

  • The Python interpreter must be restarted for changes to the default policies to take effect.

Violation Reports

With the default settings (report-uri is /csp_report), the browser sends violation reports to the route '/csp_report' as a POST request. This is fully customizable, but here is a very simplistic example of handling these reports:

    from flask import request

    @app.route('/csp_report', methods=['POST'])
    def csp_report():
        # Append the raw report body to the log file, one report per line
        with open('/var/log/csp/csp_reports', "a") as fh:
            fh.write(request.data.decode() + "\n")
        return 'done'
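The handler above appends whatever arrives at the route, so the log receives unparsed, unbounded and possibly multi-line input from any client that can reach it. The following is an added example, not flask-csp's or the README's code: a framework-free parser that checks a report before it is logged. It assumes the report body has the shape browsers POST for the report-uri directive, a JSON object with a "csp-report" member whose fields include "document-uri", "violated-directive", "effective-directive", "blocked-uri" and "original-policy"; the size cap and the sample report are constructed for the example.

```python
# Added example, not flask-csp's own code: validate a CSP violation report
# before writing it to a line-oriented log.
import json

MAX_REPORT_BYTES = 16 * 1024   # assumed cap; real reports are a few hundred bytes
# Fields of the browser's "csp-report" object kept in the log (assumed set)
REPORT_FIELDS = ("document-uri", "violated-directive", "effective-directive",
                 "blocked-uri", "original-policy")


def parse_csp_report(raw):
    """Parse a report body (bytes) into a flat dict of string fields.

    Raises ValueError for oversized, non-JSON, mis-shaped or non-string input
    so the caller can discard it instead of logging it.
    """
    if len(raw) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a JSON report: {exc}") from exc
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'csp-report' object")

    parsed = {}
    for field in REPORT_FIELDS:
        value = report.get(field, "")
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a string")
        # Flatten line breaks so one report can never become two log lines
        parsed[field] = value.replace("\r", " ").replace("\n", " ")
    return parsed


def format_log_line(parsed):
    """Serialise the checked fields as one JSON line with a stable key order."""
    return json.dumps(parsed, sort_keys=True)


# Constructed sample: the body a browser posts with Content-Type application/csp-report
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": "default-src 'self'; report-uri /csp_report",
}}).encode("utf-8")


if __name__ == "__main__":
    print(format_log_line(parse_csp_report(SAMPLE_REPORT)))
```

Inside the README's route this replaces the raw write with `fh.write(format_log_line(parse_csp_report(request.data)) + "\n")`, returning a 400 when ValueError is raised; the log then holds one checked JSON object per line, which is what a later grep or ingest pipeline expects.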