big-band-roulette / musicians-portal-old

A portal for Big Band Roulette musicians built using Flask.
https://portal.bigbandroulette.com

Security fixes for Flask Cookies and requests #45

Open carlashworth opened 11 months ago

carlashworth commented 11 months ago

As per https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications, there are some cookie settings that seem important to prevent certain attacks. The details are slightly above my understanding, but the resource seems to suggest that flask-login, and therefore flask-security, will likely have these settings.

I will experiment with turning them on, and if that does not break anything, submit a PR.

THargreaves commented 11 months ago

I have familiarity with these ideas (years of CTF finally coming in handy haha) so can have a look through.

THargreaves commented 11 months ago

We now have a certificate for SSL and I have modified the .htaccess file to redirect all http traffic to https. I've also enabled secure session cookies, though it's not clear to me what the equivalent of REMEMBER_COOKIE_SECURE is for flask-security-too.

Still work to be done but I think that's the major vulnerability sorted.

THargreaves commented 11 months ago

Enabling secure session cookies results in

Bad Request

The CSRF session token is missing.

Disabling for now.
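The two comments above (enabling secure cookies, then hitting "The CSRF session token is missing") are connected by one browser rule: a cookie flagged Secure is never sent on a plain http request, and Flask-WTF keeps the CSRF token in the session, so a form POST that reaches the app without the session cookie fails with exactly that message. The script below is an added example, not code from the musicians-portal repository or from Flask-Security-Too. It uses only the standard library: the Set-Cookie strings are constructed samples in the shape Flask emits, the request URLs and the /login path are assumed rather than taken from the portal, and the config keys are Flask's SESSION_COOKIE_* settings plus Flask-Login's REMEMBER_COOKIE_* settings (Flask-Security-Too reuses Flask-Login's remember cookie, so REMEMBER_COOKIE_SECURE is the setting that governs it).

```python
"""Cookie-flag audit for the settings discussed in this issue.

Added example, not code from the musicians-portal repository. Standard
library only, so it runs offline: every Set-Cookie string and request URL
below is a constructed sample, not traffic captured from the live portal.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Flask's own defaults for the session cookie: HttpOnly on, Secure off,
# SameSite unset. Flask-Security-Too reuses Flask-Login's remember cookie,
# so the REMEMBER_COOKIE_* keys are the ones that govern that cookie.
FLASK_SESSION_DEFAULTS = {
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": None,
}
HARDENED_CONFIG = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "REMEMBER_COOKIE_SECURE": True,
    "REMEMBER_COOKIE_HTTPONLY": True,
    "REMEMBER_COOKIE_SAMESITE": "Lax",
}

# Constructed Set-Cookie values in the shape Flask emits before and after
# the change (the signed session payload is a placeholder, not a real one).
WEAK_COOKIE = "session=eyJfZnJlc2giOmZhbHNlfQ.placeholder; HttpOnly; Path=/"
HARDENED_COOKIE = (
    "session=eyJfZnJlc2giOmZhbHNlfQ.placeholder; "
    "Secure; HttpOnly; Path=/; SameSite=Lax"
)


def expected_attributes(config, prefix="SESSION_COOKIE"):
    """Attributes a response cookie should carry under a given Flask config.

    Unset keys fall back to Flask's session-cookie defaults for the
    SESSION_COOKIE prefix and to "off" for any other prefix.
    """
    def setting(suffix):
        key = f"{prefix}_{suffix}"
        return config.get(key, FLASK_SESSION_DEFAULTS.get(key))

    attrs = set()
    if setting("SECURE"):
        attrs.add("Secure")
    if setting("HTTPONLY"):
        attrs.add("HttpOnly")
    if setting("SAMESITE"):
        attrs.add(f"SameSite={setting('SAMESITE')}")
    return attrs


def present_attributes(set_cookie):
    """Parse one Set-Cookie header value; return the security attributes on it."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (morsel,) = jar.values()  # one cookie per Set-Cookie header
    attrs = set()
    if morsel["secure"]:
        attrs.add("Secure")
    if morsel["httponly"]:
        attrs.add("HttpOnly")
    if morsel["samesite"]:
        attrs.add(f"SameSite={morsel['samesite']}")
    return attrs


def missing_attributes(set_cookie, config, prefix="SESSION_COOKIE"):
    """Audit result: attributes the config calls for that the header lacks."""
    return sorted(expected_attributes(config, prefix) - present_attributes(set_cookie))


def browser_sends(set_cookie, request_url):
    """The rule behind the error in this thread: browsers attach a cookie
    flagged Secure only to https requests, so over plain http the session
    cookie is simply absent from the request."""
    secure = "Secure" in present_attributes(set_cookie)
    return not secure or urlsplit(request_url).scheme == "https"


def csrf_outcome(session_set_cookie, form_post_url):
    """Model Flask-WTF's check: the CSRF token lives in the session, so a POST
    that arrives without the session cookie fails before the form is seen."""
    if not browser_sends(session_set_cookie, form_post_url):
        return "The CSRF session token is missing."
    return "ok"


if __name__ == "__main__":
    # Request URLs are constructed; the /login path is assumed, not taken from the portal.
    for cookie in (WEAK_COOKIE, HARDENED_COOKIE):
        print(cookie)
        print("  missing vs hardened config:", missing_attributes(cookie, HARDENED_CONFIG))
        for url in ("http://portal.bigbandroulette.com/login",
                    "https://portal.bigbandroulette.com/login"):
            print(f"  POST {url} ->", csrf_outcome(cookie, url))
```

The practical check this suggests: with SESSION_COOKIE_SECURE on, confirm that the page serving the form and the URL it posts to are both reached over https, not just that an http request eventually redirects. If the Flask app runs behind the Apache rewrite as a proxied backend, it only sees the original scheme if the proxy forwards it and the app honours it (Werkzeug ships ProxyFix for that), otherwise redirects and absolute URLs it generates can drop users back onto http, where the Secure session cookie, and with it the CSRF token, never arrives.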