Implement security best practices using Flask-Talisman #845
Conversation
|
That's nice :-) |
| app, | ||
| # Forcing HTTPS is the job of a reverse proxy | ||
| force_https=False, | ||
| # This is handled separately through the SESSION_COOKIE_SECURE Flask setting |
There was a problem hiding this comment.
Thanks for the comment. It's kinda counter-intuitive.
|
The contentious point is whether to enable cookie security by default. If yes (what I did here), it will silently break any HTTP setup (dev, prod): browsers will refuse to send the session cookie, so the user can't login to a project, change language, etc. After discussing on IRC, I'm leaning towards leaving it disabled by default, and document the setting so that admins can enable it if they know they are using HTTPS. It's a bit sad, but we have no way to know if we're behind a reverse proxy doing HTTPS or not. |
Hey, thanks for your review :) Yes, Flask-Talisman is kind of magical, but fortunately simple enough to trust it... What do you think about the default setting? |
|
I think it's okay to break things during a major upgrade, as will be the case for the next release. So, I would be advocating for having a setup which uses secure cookies by default, especially as it's mentioned in the upgrade docs. That being said, I'll let you decide, I don't have a strong opinion about it. |
|
I would like to agree with @almet but we can have a warning in the release notes saying that it'll be defaulted to |
|
I was concerned about the dev environment, because it's using plain HTTP. But browsers apparently have exceptions and they accept to send secure cookies to So, let's merge this! |
|
Looks good, thanks <3 |
No description provided.