https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#content-security-policy-csp
https://flask.palletsprojects.com/en/stable/web-security/
A CSP should be added to the project.
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; would only allow scripts served from the same host/port as the rest of the website.
If any injection via the username, phone number, etc. is possible, this prevents malicious scripts from being loaded from external sources.
To protect against scripts shipped via an injection, inline scripts need to be disabled. This will break some functionality that first needs to be moved to separate files.
Therefore a utility/lib must be created to replace the current make_response.
This will add the headers by default so we do not forget to add them.
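One way to build that helper, as an added example rather than the project's own code: a `secure_response` wrapper around Flask's `make_response` that sets the CSP header, plus an `after_request` hook so that views which still call the old function get the header anyway. The function name, the hook, the route contents and the `/static/app.js` path are assumptions for illustration.

```python
# Added example (not the project's code): replace make_response with a helper
# that sets the CSP header by default, and back it with an after_request hook
# so that a view which forgets the helper is still covered.
from flask import Flask, Response, make_response

# Policy from the proposal: scripts only from the same origin, no plugins.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"

# Kept as a dict so further default headers can be added in one place.
DEFAULT_HEADERS = {
    "Content-Security-Policy": CSP_POLICY,
}


def secure_response(*args, **kwargs) -> Response:
    """Drop-in replacement for flask.make_response that adds the default headers.

    setdefault keeps a header a view has deliberately set itself.
    """
    resp = make_response(*args, **kwargs)
    for name, value in DEFAULT_HEADERS.items():
        resp.headers.setdefault(name, value)
    return resp


def create_app() -> Flask:
    app = Flask(__name__)

    @app.after_request
    def add_default_headers(resp: Response) -> Response:
        # Safety net: applied to every response, including ones built with
        # the old make_response or returned as plain strings.
        for name, value in DEFAULT_HEADERS.items():
            resp.headers.setdefault(name, value)
        return resp

    @app.route("/")
    def index() -> Response:
        # With script-src 'self' an inline <script> block would be refused by
        # the browser; the code has to live in a file served from this origin
        # (the path is an assumption).
        return secure_response('<script src="/static/app.js"></script>')

    @app.route("/legacy")
    def legacy() -> str:
        # A view that still returns a bare string: the hook adds the header.
        return "plain"

    @app.route("/report-only")
    def report_only() -> Response:
        # A view that overrides the default while migrating inline scripts
        # into separate files; setdefault leaves its choice untouched.
        resp = secure_response("migrating")
        resp.headers["Content-Security-Policy"] = "default-src 'self'"
        return resp

    return app


def response_headers(path: str) -> dict:
    """Fetch a path with the test client and return its headers as a dict."""
    app = create_app()
    with app.test_client() as client:
        return dict(client.get(path).headers)


if __name__ == "__main__":
    for p in ("/", "/legacy", "/report-only"):
        print(p, response_headers(p).get("Content-Security-Policy"))
```

Because `after_request` runs on every response, the wrapper is mainly a readable place to set headers explicitly and to override them per view; the hook is what guarantees nothing slips through.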