File: control

package info
flask-talisman 1.1.0-2
  • area: main
  • in suites: forky, sid, trixie
  • size: 192 kB
  • sloc: python: 632; makefile: 7; sh: 5
file content (43 lines) | stat: -rw-r--r-- 2,068 bytes
Source: flask-talisman
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Uploaders: Edward Betts <edward@4angle.com>
Section: python
Priority: optional
Build-Depends: debhelper-compat (= 13),
               dh-sequence-python3,
               python3-all,
               python3-flask,
               python3-pytest,
               python3-setuptools
Rules-Requires-Root: no
Standards-Version: 4.6.2
Homepage: https://github.com/wntrblm/flask-talisman
Vcs-Browser: https://salsa.debian.org/python-team/packages/flask-talisman
Vcs-Git: https://salsa.debian.org/python-team/packages/flask-talisman.git

Package: python3-flask-talisman
Architecture: all
Depends: ${misc:Depends}, ${python3:Depends}
Description: HTTP security headers for Flask
 Talisman is a small Flask extension that handles setting HTTP headers that can
 help protect against a few common web application security issues.
 .
 The default configuration:
 .
  * Forces all connections to https, unless running with debug enabled.
  * Enables HTTP Strict Transport Security.
  * Sets Flask's session cookie to secure, so the browser will never send it
    if your application is somehow accessed via a non-secure connection.
  * Sets Flask's session cookie to httponly, preventing JavaScript from being
    able to access its content. CSRF via Ajax uses a separate cookie and should
    be unaffected.
  * Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
  * Sets X-XSS-Protection to enable a cross site scripting filter for IE and
    Safari (note Chrome has removed this and Firefox never supported it).
  * Sets X-Content-Type-Options to prevent content type sniffing.
  * Sets a strict Content Security Policy of default-src 'self'. This is
    intended to almost completely prevent Cross Site Scripting (XSS) attacks.
    This is probably the only setting that you should reasonably change. See
    the Content Security Policy section of the upstream documentation.
  * Sets a strict Referrer-Policy of strict-origin-when-cross-origin, which
    governs how much referrer information is sent with outgoing requests.
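The description above lists the headers Talisman sets but not what they look like on the wire or how to tell whether a deployed app actually returns them. The following is an added example, not code from flask-talisman or the Debian package: it serialises a CSP policy dict the way the header expects it (`default-src 'self'`, no colon), assembles the header set the default configuration describes, and audits a response's headers and cookies against it. The HSTS `max-age` of one year and the `X-XSS-Protection` value `1; mode=block` are assumptions; the sample responses are constructed, not captured from a real server. Only the standard library is used, so it runs without Flask installed.

```python
"""Added example, not flask-talisman's own code: build the header set the
default Talisman configuration describes and audit a response against it."""
import re
from typing import Iterable, Mapping

DEFAULT_CSP = {"default-src": "'self'"}   # from the package description
DEFAULT_HSTS_MAX_AGE = 31536000            # assumed: one year in seconds


def build_csp(policy: Mapping[str, object]) -> str:
    """Serialise a policy dict: {'default-src': "'self'"} -> "default-src 'self'".
    A directive's sources may be a single string or a list of strings."""
    parts = []
    for directive, sources in policy.items():
        if isinstance(sources, str):
            sources = [sources]
        parts.append(directive + " " + " ".join(sources))
    return "; ".join(parts)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Inverse of build_csp: "default-src 'self'; img-src *" -> dict of source lists."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def security_headers(csp=DEFAULT_CSP, hsts_max_age=DEFAULT_HSTS_MAX_AGE) -> dict[str, str]:
    """Header set described by the defaults (HTTPS redirect and cookie flags aside)."""
    return {
        "Strict-Transport-Security": f"max-age={hsts_max_age}; includeSubDomains",
        "X-Frame-Options": "SAMEORIGIN",
        "X-XSS-Protection": "1; mode=block",   # assumed value
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": build_csp(csp),
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


def audit_headers(headers: Mapping[str, str], min_hsts_age: int = DEFAULT_HSTS_MAX_AGE) -> list[str]:
    """Findings for a response header mapping; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < min_hsts_age:
            findings.append("HSTS max-age too short")
    csp_value = h.get("content-security-policy")
    csp: dict[str, list[str]] = {}
    if csp_value is None:
        findings.append("CSP missing")
    else:
        csp = parse_csp(csp_value)
        # script-src falls back to default-src when it is not set explicitly
        scripts = csp.get("script-src", csp.get("default-src", ["*"]))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or any-origin scripts")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing")
    return findings


def audit_cookies(set_cookie_values: Iterable[str]) -> list[str]:
    """Findings for Set-Cookie values that lack the Secure or HttpOnly attribute."""
    findings = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit_response(headers: Mapping[str, str]) -> list[str]:
    """Combine header and cookie findings for one response's header mapping."""
    cookies = [v for k, v in headers.items() if k.lower() == "set-cookie"]
    return audit_headers(headers) + audit_cookies(cookies)


# Constructed sample responses (not captured from a real server).
HARDENED = dict(security_headers(), **{"Set-Cookie": "session=abc; Secure; HttpOnly; Path=/"})
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": "session=abc; Path=/",
}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_response(resp) or "no findings")
```

The `WEAK` sample shows the failure mode the description warns about when you loosen the CSP: adding `'unsafe-inline'` to `script-src` re-enables most reflected XSS payloads, so the audit flags it even though `default-src 'self'` is still present. Note that the audit treats a missing `script-src` as inheriting `default-src`, which is how browsers resolve the fallback.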