- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
For implementing HTTPS on your server
Below are some packages, in suggested order, that implement this protocol:
This section lists the security headers supported by Flask and, for each, the packages in suggested order that implement it.
- Content Security Policy (CSP)
For enhancing security and preventing common web vulnerabilities such as cross-site scripting and MITM-related attacks
Content-Security-Policy: default-src https:; script-src 'nonce-{random}'; object-src 'none'
To learn more check this link
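The CSP value above is compact but every token carries meaning, and it is easy to ship a policy that looks strict and is not. The following is an added example (not code from the original page) that parses a Content-Security-Policy value into its directives and reports common weaknesses: a missing `default-src`, `object-src` not locked to `'none'`, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, and wildcard or plain-HTTP script sources. The two policy strings are constructed samples; the check list is a set of common review points, not an exhaustive audit.

```python
"""Parse a Content-Security-Policy value and flag weak settings.

Added illustration, not code from the original page. The policy strings
below are constructed samples; the checks reflect common CSP review
points, not an exhaustive audit.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Directives are separated by ';', a directive name from its sources by
    whitespace. A duplicated directive keeps its first occurrence, which
    is how browsers treat it.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for a CSP value (empty list = no findings)."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src and object-src fall back to default-src when absent;
    # with no default-src either, the effective value is "anything goes".
    scripts = policy.get("script-src", policy.get("default-src", ["*"]))
    objects = policy.get("object-src", policy.get("default-src", ["*"]))

    if "default-src" not in policy:
        findings.append("no default-src: fetch directives not listed fall open")
    if objects != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can run")
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith("'sha") for s in scripts
    )
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline',
    # so it is only a finding when nothing stronger accompanies it.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in scripts or "http:" in scripts:
        findings.append("script-src allows any origin or plain HTTP")
    return findings


# Constructed samples: the policy from the page and a deliberately weak one.
PAGE_POLICY = "default-src https:; script-src 'nonce-{random}'; object-src 'none'"
WEAK_POLICY = "script-src * 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    for label, value in (("page", PAGE_POLICY), ("weak", WEAK_POLICY)):
        print(label, audit_csp(value) or ["no findings"])
```

Running the block reports no findings for the page's policy and five for the weak one. The same function can be pointed at a live response header (for example, from a Flask test client) as a regression check that a deployment did not quietly loosen its policy.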
- HTTP Strict Transport Security (HSTS)
For forcing browsers to use HTTPS on all of the website's URLs instead of HTTP, preventing MITM attacks
Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload
To learn more check this link
- X-Frame-Options (Clickjacking protection)
Prevents the page from being framed by other sites, so a client cannot be tricked into clicking page elements from outside the website, avoiding clickjacking or UI redress attacks
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
To learn more check this link
- X-Content-Type-Options
Prevents a class of XSS by stopping MIME sniffing: the browser must honour the declared Content-Type instead of guessing the type from the content before rendering it.
X-Content-Type-Options: nosniff
To learn more check this link
- Set-Cookie
For setting cookies in the client's cookie storage
Set-Cookie: [cookie-name]=[cookie-value]
To learn more check this link
- HTTP Public Key Pinning (HPKP)
For associating clients with web servers through a pinned certificate key and preventing MITM attacks
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
To learn more check this link
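The headers in this list are usually set in one place rather than per view. The following is an added example, not code from the original page or from any of the packages it lists: a small WSGI middleware that sets CSP (with a fresh nonce per response), X-Frame-Options, X-Content-Type-Options and, only on HTTPS responses, HSTS, plus a helper that builds a Set-Cookie value with the Secure, HttpOnly and SameSite flags. It has no Flask dependency so it runs stand-alone; on a Flask app it is installed with `app.wsgi_app = SecurityHeaders(app.wsgi_app)`, and templates can read the nonce from `request.environ["csp.nonce"]` (the key name is this example's own choice). The HSTS max-age, the cookie name and value, and the `demo_app` are constructed samples. The CSP also carries `frame-ancestors 'none'`, which is the current replacement for `ALLOW-FROM` (no longer supported by browsers); HPKP is left out because browsers have removed support for it.

```python
"""WSGI middleware that adds the response headers listed above.

Added example, not code from the original page. No Flask dependency:
install on Flask with ``app.wsgi_app = SecurityHeaders(app.wsgi_app)``.
The max-age, cookie name/value and demo_app are constructed samples.
"""
import secrets
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]
ONE_YEAR = 31536000  # constructed sample HSTS max-age, in seconds


class SecurityHeaders:
    """Wrap any WSGI app and append CSP, HSTS, X-Frame-Options and nosniff."""

    def __init__(self, app: Callable, hsts_max_age: int = ONE_YEAR) -> None:
        self.app = app
        self.hsts_max_age = hsts_max_age

    def __call__(self, environ: dict, start_response: Callable):
        # One unguessable nonce per response; exposed through environ so
        # templates can emit <script nonce="..."> (key name is our choice).
        nonce = secrets.token_urlsafe(16)
        environ["csp.nonce"] = nonce

        def _start_response(status: str, headers: Headers, exc_info=None):
            return start_response(status, headers + self.headers_for(nonce, environ), exc_info)

        return self.app(environ, _start_response)

    def headers_for(self, nonce: str, environ: dict) -> Headers:
        out: Headers = [
            ("Content-Security-Policy",
             f"default-src https:; script-src 'nonce-{nonce}'; "
             "object-src 'none'; frame-ancestors 'none'"),
            ("X-Frame-Options", "DENY"),
            ("X-Content-Type-Options", "nosniff"),
        ]
        # Browsers ignore HSTS delivered over plain HTTP, so only send it on HTTPS.
        if environ.get("wsgi.url_scheme") == "https":
            out.append(("Strict-Transport-Security",
                        f"max-age={self.hsts_max_age}; includeSubDomains"))
        return out


def secure_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value that is HTTPS-only, hidden from scripts, and same-site."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo_app(environ: dict, start_response: Callable):
    """Minimal WSGI app standing in for a Flask app (constructed sample)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Set-Cookie", secure_cookie("session", "opaque-id"))])
    script = f"<script nonce=\"{environ['csp.nonce']}\">/* inline */</script>"
    return [script.encode("utf-8")]


def run_once(scheme: str = "https") -> Dict[str, object]:
    """Drive the wrapped demo app with a constructed environ and collect the response."""
    captured: Dict[str, object] = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    captured["body"] = b"".join(SecurityHeaders(demo_app)(environ, start_response))
    return captured


if __name__ == "__main__":
    resp = run_once()
    print(resp["status"])
    for name, value in resp["headers"].items():
        print(f"{name}: {value}")
```

Wrapping at the WSGI layer means the headers are also present on error pages and static files, which an `after_request` hook on a single blueprint can miss. The nonce check in the demo shows the property that matters: the value in the `script-src` directive is the same one rendered into the page, and it changes on every response.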