Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/05/03 22:14:55 UTC

[GitHub] [incubator-superset] john-bodley opened a new pull request #7443: [security] Adding Flask-Talisman

URL: https://github.com/apache/incubator-superset/pull/7443
 
 
   ### CATEGORY
   
   Choose one
   
   - [ ] Bug Fix
   - [x] Enhancement (new features, refinement)
   - [ ] Refactor
   - [ ] Add tests
   - [ ] Build / Development Environment
   - [ ] Documentation
   
   ### SUMMARY
   
   As discussed in the Meetup on [2019-05-03](https://docs.google.com/document/d/1xRLqmUn-G7WiPe8qZnfuvbrYHZ1jmk9aSv9Bhjis2tg/edit#) a security audit at Airbnb surfaced a few recommendations in terms of security header settings. Specifically they recommended:
   
   - Setting the secure flag on session cookies
   - Support HTTP Strict Transport Security (HSTS)
   
   Reading through the Flask security [documentation](http://flask.pocoo.org/docs/1.0/security/#security-headers) on security headers, they mention that the [Flask-Talisman](https://github.com/GoogleCloudPlatform/flask-talisman) package can be used to manage various security headers.
   
   It mentions that a subset of default configuration/options handles: 
   
   > - Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
   > - Sets Flask's session cookie to secure, so it will never be set if your application is somehow accessed via a non-secure connection.
   > - strict_transport_security, default True, whether to send HSTS headers.
   
   The first one was already enabled for Superset and the latter two address the two security concerns mentioned above. Unless we have dedicated or knowledgeable security personnel, using something like Flask-Talisman with a blanket-type approach to best practices around security seems like a good approach.
   
   Note that it's not apparent how security should be handled by different installations, and currently the package is configurable only via the `Talisman` class or `Talisman.init_app(...)` options. In the future, if we require this to be more configurable, we could expose some of these configurations in Superset's configuration or leverage the mutator, i.e.,
   
   ```python
   # superset/__init__.py

   from flask_talisman import Talisman

   # Module-level instance so a config mutator can import it and call init_app()
   talisman = Talisman()
   ```
   
   ```python
   # superset_config.py

   def mutator(app):
       from superset import talisman

       # Override Talisman's defaults here, e.g. skip the HTTPS redirect
       talisman.init_app(app, force_https=False)

   # Assigned after the function is defined so the name exists at this point
   FLASK_APP_MUTATOR = mutator
   ```
   
   ### TEST PLAN
   
   CI. 
   
   ### REVIEWERS
   
   to: @betodealmeida @DiggidyDave @dpgaspar @graceguo-supercat @michellethomas @mistercrunch 
   
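A worked illustration of the three Talisman behaviours quoted above, added here and not part of this pull request or of Flask-Talisman itself: a pure-WSGI stand-in that marks cookies `Secure`, adds `X-Frame-Options: SAMEORIGIN`, sends HSTS only on HTTPS responses and honours a `force_https` switch like the one in the mutator, plus an audit helper that reports which of the audit's recommendations a response still misses. It needs no Flask so it runs without the package installed; `HSTS_VALUE`, the host `superset.example` and `demo_app` are assumed or constructed values.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed policy value

def _has_secure_flag(cookie):
    return "secure" in [p.strip().lower() for p in cookie.split(";")]

class SecurityHeaders:  # simplified stand-in for Talisman's defaults, not its code
    def __init__(self, app, force_https=True):
        self.app, self.force_https = app, force_https
    def __call__(self, environ, start_response):
        secure = environ.get("wsgi.url_scheme") == "https"
        if self.force_https and not secure:  # redirect plain HTTP to the HTTPS URL
            location = "https://" + environ["HTTP_HOST"] + environ.get("PATH_INFO", "/")
            start_response("302 FOUND", [("Location", location)])
            return [b""]

        def hardened(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie" and not _has_secure_flag(value):
                    value += "; Secure"  # cookie must never go out over plain HTTP
                out.append((name, value))
            out.append(("X-Frame-Options", "SAMEORIGIN"))  # clickjacking defence
            if secure:  # like Talisman, HSTS is only sent on an HTTPS response
                out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)
        return self.app(environ, hardened)

def audit_headers(headers):  # which of the PR's recommendations does a response miss?
    lower = {name.lower(): value for name, value in headers}
    findings = []
    if "strict-transport-security" not in lower:
        findings.append("no HSTS header")
    if lower.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options is not SAMEORIGIN")
    for name, value in headers:
        if name.lower() == "set-cookie" and not _has_secure_flag(value):
            findings.append("cookie without Secure flag: " + value.split("=", 1)[0])
    return findings

def demo_app(environ, start_response):  # constructed app: session cookie lacks Secure
    start_response("200 OK", [("Set-Cookie", "session=abc123; HttpOnly; Path=/")])
    return [b"ok"]

def call(app, scheme="https"):  # drive a WSGI app with a constructed request
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "superset.example", "PATH_INFO": "/"}
    list(app(environ, start_response))  # consume the body so start_response runs
    return captured["status"], captured["headers"]
```

Running `audit_headers` over `call(demo_app)` and over `call(SecurityHeaders(demo_app))` shows the three findings disappearing once the wrapper is in place, while `force_https=False` over plain HTTP still yields a response without HSTS, which is the trade-off the mutator example above makes.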
