Flask framework · ~20 mins

Secure headers configuration in Flask - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior
intermediate
What is the output of this Flask response header configuration?

Consider this Flask route that sets security headers. What headers will the client receive?

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('Hello')
    response.headers['X-Frame-Options'] = 'DENY'
    response.headers['Content-Security-Policy'] = "default-src 'self'"
    return response
A. {"X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'"}
B. {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "default-src 'none'"}
C. {"X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self'"}
D. {"X-Frame-Options": "ALLOWALL", "Content-Security-Policy": "default-src 'self'"}
💡 Hint

Look at the exact header keys and values set in the code.

📝 Syntax
intermediate
Which option causes a syntax error in Flask header setting?

Identify which code snippet will cause a syntax error when setting headers in Flask.

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('Hi')
    # Header setting line below
    # Replace with one of the options
    return response
A. response.headers['Content-Security-Policy'] = default-src 'self'
B. response.headers['X-Content-Type-Options'] = 'nosniff'
C. response.headers['X-Frame-Options'] = 'DENY'
D. response.headers['Referrer-Policy'] = 'no-referrer'
💡 Hint

Check if the header value is a valid Python string.

State output
advanced
What is the value of the 'Strict-Transport-Security' header after this Flask middleware runs?

This Flask middleware adds a security header. What is the header's value after a request?

Flask
from flask import Flask
app = Flask(__name__)

@app.after_request
def add_hsts_header(response):
    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    return response

@app.route('/')
def index():
    return 'Secure site'
A. 'max-age=31536000'
B. 'max-age=0; includeSubDomains'
C. No 'Strict-Transport-Security' header is set
D. 'max-age=31536000; includeSubDomains'
💡 Hint

Look at the exact string assigned to the header in the middleware.

🔧 Debug
advanced
Why does this Flask app fail to set the 'X-Content-Type-Options' header?

Given this Flask code, why is the 'X-Content-Type-Options' header missing in the response?

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('Hello')
    response.headers.add('X-Content-Type-Options', 'nosniff')
    return 'Hello World!'
A. The header name is misspelled, so it is ignored
B. The header is added, but the function returns a plain string instead of the response object
C. Flask does not allow setting the 'X-Content-Type-Options' header
D. The response.headers.add method does not exist
💡 Hint

Check what the route function returns.

🧠 Conceptual
expert
Which header configuration best prevents clickjacking attacks in Flask?

Choose the header setting that most effectively prevents clickjacking.

A. response.headers['X-Frame-Options'] = 'DENY'
B. response.headers['X-Content-Type-Options'] = 'nosniff'
C. response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"
D. response.headers['Referrer-Policy'] = 'no-referrer'
💡 Hint

Both 'X-Frame-Options' and 'Content-Security-Policy' can control framing, but one is more modern and flexible.