Source: flask-talisman
Maintainer: Debian Python Team
Uploaders: Edward Betts
Section: python
Priority: optional
Build-Depends: debhelper-compat (= 13),
               dh-sequence-python3,
               python3-all,
               python3-flask,
               python3-pytest,
               python3-setuptools
Rules-Requires-Root: no
Standards-Version: 4.6.1
Homepage: https://github.com/wntrblm/flask-talisman
Vcs-Browser: https://salsa.debian.org/python-team/packages/flask-talisman
Vcs-Git: https://salsa.debian.org/python-team/packages/flask-talisman.git

Package: python3-flask-talisman
Architecture: all
Depends: ${misc:Depends}, ${python3:Depends}
Description: HTTP security headers for Flask
 Talisman is a small Flask extension that sets HTTP response headers
 which help protect against a few common web application security issues.
 .
 The default configuration:
 .
  * Forces all connections to HTTPS, unless running with debug enabled.
  * Enables HTTP Strict Transport Security.
  * Sets Flask's session cookie to Secure, so it will never be sent if
    your application is somehow accessed over a non-secure connection.
  * Sets Flask's session cookie to HttpOnly, preventing JavaScript from
    accessing its content. CSRF via Ajax uses a separate cookie and
    should be unaffected.
  * Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
  * Sets X-XSS-Protection to enable the cross-site scripting filter in
    IE and Safari (note that Chrome has removed this filter and Firefox
    never supported it).
  * Sets X-Content-Type-Options to nosniff to prevent content type
    sniffing.
  * Sets a strict Content Security Policy of default-src 'self'. This is
    intended to almost completely prevent Cross Site Scripting (XSS)
    attacks. This is probably the only setting that you should
    reasonably change. See the Content Security Policy section.
  * Sets a strict Referrer-Policy of strict-origin-when-cross-origin,
    which governs what referrer information is included with requests.
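As an added example (not part of the package or of flask-talisman itself), the audit below checks a raw HTTP response head against the defaults listed in the description, so a deployment can confirm the headers actually reach the client; the expected values and the two sample responses are constructed for illustration.

```python
import re

# Header names and the value shape the description above says Talisman sets by
# default (patterns are assumptions for this check, not Talisman's own code).
EXPECTED = {
    "strict-transport-security": re.compile(r"max-age=\d+"),
    "x-frame-options": re.compile(r"^SAMEORIGIN$", re.I),
    "x-xss-protection": re.compile(r"^1"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "content-security-policy": re.compile(r"default-src\s+'self'"),
    "referrer-policy": re.compile(r"^strict-origin-when-cross-origin$", re.I),
}

def parse_headers(raw):
    """Parse a raw response head into (lowercase name, value) pairs, keeping duplicates."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def cookie_flags(set_cookie):
    """Return the lowercase attribute names (secure, httponly, path, ...) of a Set-Cookie value."""
    return {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}

def audit(raw):
    """Return a list of findings; an empty list means every default is present."""
    present = {}
    for name, value in parse_headers(raw):
        present.setdefault(name, []).append(value)
    findings = []
    for name, pattern in EXPECTED.items():
        values = present.get(name, [])
        if not values:
            findings.append(f"missing {name}")
        elif not any(pattern.search(v) for v in values):
            findings.append(f"unexpected {name}: {values[0]}")
    # Flask's session cookie must carry both Secure and HttpOnly.
    for cookie in present.get("set-cookie", []):
        if cookie.split("=")[0].strip() == "session":
            flags = cookie_flags(cookie)
            for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
                if flag not in flags:
                    findings.append(f"session cookie lacks {label}")
    return findings

# Constructed sample responses: one with the full default set, one without it.
GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
        "X-Content-Type-Options: nosniff\r\nContent-Security-Policy: default-src 'self'\r\n"
        "Referrer-Policy: strict-origin-when-cross-origin\r\n"
        "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/\r\n\r\n")
BAD = ("HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n"
       "Set-Cookie: session=abc123; Path=/\r\n\r\n")
```

Running `audit(BAD)` lists every missing default plus the two cookie flags, while `audit(GOOD)` returns an empty list.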