Merge pull request #22 from Demindiro/security-fixes

Demindiro · Feb 1, 2023 · 09f56bd · 09f56bd
2 parents 9b63006 + a372d7d
commit 09f56bd
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ SQLITE = sqlite3
 
 default: venv
 
-test:: venv
+test: venv
 	test/all.sh
 
 venv:
@@ -13,3 +13,5 @@ venv:
 
 forum.db:
 	$(SQLITE) $@ < schema.txt
+
+.PHONY: test
diff --git a/main.py b/main.py
@@ -14,6 +14,11 @@
 app = Flask(__name__)
 db = DB(os.getenv('DB'))
 
+# This defaults to None, which allows CSRF attacks in FireFox
+# and older versions of Chrome.
+# 'Lax' is sufficient to prevent malicious POST requests.
+app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+
 class Config:
     pass
 config = Config()
@@ -28,6 +33,13 @@ class Role:
     MODERATOR = 1
     ADMIN = 2
 
+@app.after_request
+def after_request(response):
+    # This forbids other sites from embedding this site in an iframe,
+    # preventing clickjacking attacks.
+    response.headers['X-Frame-Options'] = 'DENY'
+    return response
+
 @app.route('/')
 def index():
     return render_template(