[security] Adding Flask-Talisman

[john-bodley]

CATEGORY

Choose one

• Bug Fix
• Enhancement (new features, refinement)
• Refactor
• Add tests
• Build / Development Environment
• Documentation

SUMMARY

As discussed in the Meetup on 2019-05-03 a security audit at Airbnb surfaced a few recommendations in terms of security header settings. Specifically they recommended:

• Setting the secure flag on session cookies
• Support HTTP Strict Transport Security (HSTS)

Reading through the Flask security documentation on security header they mention that the Flask-Talisman package can be used to manage various security headers.

It mentions that a subset of default configuration/options handles:

• Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
• Sets Flask's session cookie to secure, so it will never be set if your application is somehow accessed via a non-secure connection.
• strict_transport_security, default True, whether to send HSTS headers.

The first one was already enabled for Superset and the later two addresses the two security concerns mentioned above. Unless we have dedicated or knowledgable security personnel, using something like Flask-Talisman with a blanket type approach to best practices around security seems like a good approach.

Note it's not apparent whether each Superset installation would want to handle security differently and currently the package is configurable only via the Talisman class or Talisman.init_app(...) options. In the future if we require this to be more configurable we could expose some of these configurations in Superset's configuration or leverage the mutator, i.e.,

# superset/__init__.py

talisman = Talisman()

# superset_config.py

FLASK_APP_MUTATOR = mutator

def mutator(app):
    from superset import talisman 
   
    talisman.init_app(app, force_https=False)

TEST PLAN

CI.

REVIEWERS

to: @betodealmeida @DiggidyDave @dpgaspar @graceguo-supercat @michellethomas @mistercrunch

[codecov-io]

Codecov Report

Merging #7443 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #7443      +/-   ##
==========================================
- Coverage   65.26%   65.26%   -0.01%     
==========================================
  Files         430      430              
  Lines       21078    21080       +2     
  Branches     2338     2338              
==========================================
+ Hits        13757    13758       +1     
- Misses       7205     7206       +1     
  Partials      116      116

Impacted Files	Coverage Δ
superset/views/core.py	72.47% <ø> (-0.07%)	⬇️
superset/config.py	93.78% <100%> (ø)	⬆️
superset/__init__.py	74.62% <100%> (+0.38%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c8bb7e0...1e02846. Read the comment docs.

[graceguo-supercat]

LGTM

[graceguo-supercat]

ping @betodealmeida @DiggidyDave

[mistercrunch]

LGTM

[DiggidyDave]

👍