Security Best Practices

Last updated: January 22, 2025

Security Headers

Our Flask template maintains an A+ rating on securityheaders.com by implementing all critical security headers:

  • Content-Security-Policy (CSP) - Controls which resources can be loaded and from where
  • X-Frame-Options - Prevents clickjacking by controlling iframe embedding
  • X-Content-Type-Options - Prevents MIME type sniffing
  • Strict-Transport-Security - Enforces HTTPS connections
  • Referrer-Policy - Controls how much referrer information is included with requests
  • Permissions-Policy - Declares which browser features and APIs can be used

Content Security Policy Configuration

The Content Security Policy is managed within your Flask application and can be configured to match your specific requirements. When integrating external resources or third-party services, you'll need to update the CSP directives to allow these connections.

Important Security Requirements:

  • We strictly prohibit the use of unsafe-eval and unsafe-inline in the CSP
  • An A+ rating on securityheaders.com is mandatory - an A rating is not sufficient
  • All script sources must be explicitly defined
  • Use nonces or hashes for inline scripts when absolutely necessary

[Image: Security Headers A+ Rating - example of an A+ security rating from securityheaders.com]
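The header set listed above and the CSP rules just stated, as an added example that is not the template's own code: a standard-library Python module that issues a per-request nonce, builds the six headers, and checks a policy string against the rules (the directive values, the HSTS max-age and the Permissions-Policy feature list are assumptions to adjust for your site).

```python
import secrets
# Directive values below are constructed defaults; adjust them to your site.
_FORBIDDEN = ("'unsafe-inline'", "'unsafe-eval'")

def generate_nonce() -> str:
    """Fresh per-request CSP nonce (base64url of 16 random bytes)."""
    return secrets.token_urlsafe(16)

def build_csp(nonce: str, extra_connect=()) -> str:
    """CSP where inline scripts run only when they carry this request's nonce.
    extra_connect lists third-party origins the page must call (e.g. an
    analytics API); add them here rather than loosening script-src."""
    connect = " ".join(("'self'",) + tuple(extra_connect))
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self'",
        "img-src 'self' data:",
        f"connect-src {connect}",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])

def security_headers(nonce: str, extra_connect=()) -> dict:
    """The six headers listed above; copy into response.headers in Flask."""
    return {
        "Content-Security-Policy": build_csp(nonce, extra_connect),
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }

def csp_violations(csp: str) -> list:
    """Return the rules above that a CSP string breaks; [] means it passes."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    problems = [f"{name} uses {bad}" for name, values in directives.items()
                for bad in _FORBIDDEN if bad in values]
    if "script-src" not in directives:
        problems.append("script-src not explicitly defined")
    elif "*" in directives["script-src"]:
        problems.append("script-src uses a wildcard source")
    return problems
```

In Flask, create the nonce in a before_request hook, pass it to templates for `<script nonce="...">` tags, and copy security_headers() into the response in an after_request hook; running csp_violations() on the final policy in a unit test catches a loosened directive before the securityheaders.com scan does.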

Security Monitoring Requirements

🔍 Regular Security Checks

It is mandatory to maintain an A+ security rating on securityheaders.com. After making any changes to your site:

  1. Run a scan at securityheaders.com
  2. Review any identified security concerns
  3. Address and fix any issues before deployment

Platform Security Measures

As your platform provider, we maintain comprehensive security measures:

  • EKS Security Management - Continuous monitoring and updates of Kubernetes clusters
  • Web Application Firewall (WAF) - Protection against common web exploits
  • Security Tools:
    • Kubescape - For Kubernetes security posture management
    • AWS Security Hub - For centralized security monitoring

Third-Party Integrations

WAF Rules for Webhooks

If your application requires webhook endpoints to receive traffic from third-party services:

  1. Contact us through Slack to request a WAF rule
  2. Provide details about the third-party service
  3. We'll configure appropriate WAF rules to allow legitimate traffic

Continuous Security Improvement

Security is an ongoing process, not a one-time achievement. We are continuously:

  • Monitoring for new security threats
  • Implementing proactive security measures
  • Updating our security tools and policies
  • Conducting regular security assessments

Need Help?

Join our Slack community to connect with other developers and get help in the #support channel.

Need Security Assistance?

If you have any security concerns or questions:

  • Join our Slack community
  • Report security issues in the #security channel
  • Contact our security team for urgent matters
