Flask-Talisman
Flask-Talisman is a small Flask extension that sets HTTP security headers to help protect against common web application security issues like Cross-Site Scripting (XSS) and clickjacking. It provides a simple way to configure Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and more. The library is actively maintained, with version 1.1.0 released in August 2023, and releases typically occur as needed for bug fixes or new feature/policy additions. [1, 3, 5]
Warnings
- deprecated: Python 2.x support was officially dropped in v1.0.0. Ensure your application runs on Python 3.x.
- gotcha: The default Content Security Policy (CSP) is very strict (`{'default-src': "'self'", 'object-src': "'none'"}`) and will block inline scripts/styles and any resource loaded from another origin. This commonly breaks frontend frameworks or CDN-hosted assets. [1, 3, 5, 15]
- breaking: The `X-XSS-Protection` header is disabled by default starting from v1.1.0, aligning with browsers' deprecation of this header. This is a change in default behavior. [GitHub Release v1.1.0]
- gotcha: Flask-Talisman is a fork of an earlier Google-maintained project that became unmaintained. While the current `wntrblm/flask-talisman` project is active, its history may be a consideration for long-term project stability. [5, 17]
- deprecated: Permissions Policy directives have changed: `interest-cohort` was removed in v1.0.0, and `browsing-topics` was added and disabled by default in v1.1.0. [GitHub Release v1.0.0, v1.1.0]
Install
    pip install flask-talisman
Imports
- Talisman
    from flask_talisman import Talisman
Quickstart
    from flask import Flask
    from flask_talisman import Talisman

    app = Flask(__name__)

    # Initialize Talisman with default strict security headers
    talisman = Talisman(app)

    @app.route('/')
    def hello():
        return 'Hello, Secure World!'

    if __name__ == '__main__':
        # In production, ensure debug=False and serve over HTTPS.
        # For local development, you might need to adjust Talisman's force_https or debug settings.
        app.run(debug=True)