{"id":2511,"library":"flask-talisman","title":"Flask-Talisman","description":"Flask-Talisman is a small Flask extension that sets HTTP security headers to help protect against common web application security issues like Cross-Site Scripting (XSS) and clickjacking. It provides a simple way to configure Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and more. The library is actively maintained, with version 1.1.0 released in August 2023, and releases typically occur as needed for bug fixes or new feature/policy additions. [1, 3, 5]","status":"active","version":"1.1.0","language":"en","source_language":"en","source_url":"https://github.com/wntrblm/flask-talisman","tags":["flask","security","http headers","csp","hsts","xss","clickjacking"],"install":[{"cmd":"pip install flask-talisman","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core web framework dependency for the extension.","package":"flask","optional":false}],"imports":[{"symbol":"Talisman","correct":"from flask_talisman import Talisman"}],"quickstart":{"code":"from flask import Flask\nfrom flask_talisman import Talisman\n\napp = Flask(__name__)\n# Initialize Talisman with default strict security headers\ntalisman = Talisman(app)\n\n@app.route('/')\ndef hello():\n    return 'Hello, Secure World!'\n\nif __name__ == '__main__':\n    # In production, ensure debug=False and serve over HTTPS\n    # For local development, you might need to adjust Talisman's force_https or debug settings\n    app.run(debug=True)","lang":"python","description":"This quickstart initializes a Flask application and applies default strict security headers using Flask-Talisman. The default configuration includes HTTPS enforcement (unless `debug=True`), HSTS, strict Content Security Policy, and more. [1, 2, 3]"},"warnings":[{"fix":"Migrate your application to Python 3.x to maintain compatibility and receive updates.","message":"Python 2.x support was officially deprecated in v1.0.0. Ensure your application runs on Python 3.x.","severity":"deprecated","affected_versions":">= 1.0.0"},{"fix":"Customize the `content_security_policy` and `content_security_policy_nonce_in` arguments when initializing `Talisman` to explicitly allow necessary sources or use nonces for inline content. Avoid `unsafe-inline` if possible. [15]","message":"The default Content Security Policy (CSP) is very strict (e.g., `default-src 'self'; object-src 'none'`) and will block inline scripts/styles and external resources. This commonly breaks frontend frameworks or CDN-hosted assets. [1, 3, 5, 15]","severity":"gotcha","affected_versions":"All versions with default CSP"},{"fix":"No direct fix needed as this is a security best practice change. Rely on a robust Content Security Policy instead of `X-XSS-Protection`.","message":"The `X-XSS-Protection` header is disabled by default starting from v1.1.0, aligning with browser deprecation of this header. This is a change in default behavior. [GitHub Release v1.1.0]","severity":"breaking","affected_versions":">= 1.1.0"},{"fix":"Review the project's GitHub activity and community engagement for ongoing viability if long-term critical reliance is anticipated.","message":"Flask-Talisman is a fork of an earlier Google-maintained project that became unmaintained. While the current `wntrblm/flask-talisman` project is active, its history may be a consideration for long-term project stability. [5, 17]","severity":"gotcha","affected_versions":"All versions"},{"fix":"Review your Permissions Policy configuration to remove deprecated directives and explicitly configure new privacy-related ones like `browsing-topics` if desired.","message":"Permissions Policy directives have changed: `interest-cohort` was removed in v1.0.0, and `browsing-topics` was added and disabled by default in v1.1.0. [GitHub Release v1.0.0, v1.1.0]","severity":"deprecated","affected_versions":">= 1.0.0"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}