Flask framework (~10 mins)

Secure headers configuration in Flask - Interactive Code Practice

Practice - 5 Tasks
Answer the questions below

Task 1: fill in the blank (easy)

Complete the code to add a security header to the Flask response.

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('Hello, world!')
    response.headers['[1]'] = 'nosniff'
    return response
Options:
A. Strict-Transport-Security
B. Content-Security-Policy
C. X-Frame-Options
D. X-Content-Type-Options

Common Mistakes
Using the Content-Security-Policy header instead, which serves a different security purpose (restricting resource origins).
Using X-Frame-Options, which controls framing, not MIME-type sniffing.

Task 2: fill in the blank (medium)

Complete the code to set the Content Security Policy header to allow only scripts from the same origin.

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('Hello, secure world!')
    response.headers['Content-Security-Policy'] = "script-src [1]"
    return response
Options:
A. 'unsafe-inline'
B. 'none'
C. 'self'
D. '*'

Common Mistakes
Using 'none', which blocks all scripts, including your own.
Using '*', which allows scripts from any origin and defeats the purpose of the policy.

Task 3: fill in the blank (hard)

Fix the error in setting the Strict-Transport-Security header to enforce HTTPS for 1 year.

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('Secure HTTPS!')
    response.headers['Strict-Transport-Security'] = 'max-age=[1]'
    return response
Options:
A. 3600
B. 31536000
C. 86400
D. 0

Common Mistakes
Using 3600, which is only one hour, not one year.
Using 0, which tells the browser to stop enforcing HTTPS for this host.

Task 4: fill in the blank (hard)

Fill both blanks to add the X-Frame-Options header that denies framing and the X-XSS-Protection header in block mode.

Flask
from flask import Flask, make_response
app = Flask(__name__)

@app.route('/')
def index():
    response = make_response('No framing and XSS protection')
    response.headers['[1]'] = 'DENY'
    response.headers['[2]'] = '1; mode=block'
    return response
Options:
A. X-Frame-Options
B. Content-Security-Policy
C. X-XSS-Protection
D. Strict-Transport-Security

Common Mistakes
Mixing up header names and values (for example, assigning 'DENY' to the XSS header).
Using Content-Security-Policy instead of X-Frame-Options to control framing.

Task 5: fill in the blank (hard)

Fill all three blanks to create a dictionary of security headers with correct keys and values.

Flask
security_headers = {
    '[1]': 'nosniff',
    '[2]': "script-src [3]"
}
Options:
A. X-Content-Type-Options
B. Content-Security-Policy
C. 'self'
D. Strict-Transport-Security

Common Mistakes
Using Strict-Transport-Security as the key for the script-src policy; that header controls HTTPS enforcement, not script origins.
Omitting the single quotes around 'self' in the policy value; CSP requires the keyword to be quoted.