Commit Graph

14 Commits

Author SHA1 Message Date
Matt Scott
bad36b5e75 Added default CAPTCHA settings to default configuration.
Added flash_sessions directory pattern to git ignore file.
2023-02-18 19:18:59 -05:00
Matt Scott
47b50e5e1e Updated default app config to comment out MySQL default settings. 2023-02-17 19:35:36 -05:00
Matt Scott
e82759cbc4 Updated Docker file to include npm as a new requirement for the admin-lte npm module.
Also added session persistence setting to default and docker configuration files.

Changed the default persistence configuration of the default config file to use SQLite instead of MySQL.
2023-02-17 19:00:09 -05:00
Matt Scott
948973ac83 Merge branch 'feature/privacy-first' 2023-01-24 05:32:38 -05:00
corubba
3a8ad7c444 Remove OFFLINE_MODE config option 2022-06-18 19:11:16 +02:00
corubba
52b704baeb Set SameSite on cookies
Setting this attribute on a cookie marks it as non-cross-site, so it
is only send in requests to our own server. It is reasonable that no
one else should need our session or csrf data. Setting it explicitly
also prevents any issues from the ongoing change in browser behaviour [0]
when it is unset.

Seasurf supports the SameSite attribute starting with v0.3. As nothing
obviously broke, I used the opportunity and updated all the way to the
most recent version.

The SeaSurf default for SameSite is already `Lax`, so it only needs to
be set for the session cookie.

[0] https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
2022-06-18 18:51:42 +02:00
corubba
ae2ad6527a Set csrf cookie to httponly
The CSRF token is currently inserted directly in the template and not
in the browser via JavaScript from the cookie, so making it inaccessible
is not a problem.

The Sesson-cookie is already httponly by default [0].

[0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
2022-06-18 18:51:42 +02:00
Dominic Zöller
701a442d12 default config: add exemplary URL encoding step for SQLA DB URL params
SQLAlchemy database URLs follow RFC-1738, so parameters like username
and password need to be encoded accordingly.

https://docs.sqlalchemy.org/en/13/core/engines.html#database-urls
2021-11-30 22:29:00 +01:00
jodygilbert
7f86730909
allow-server-side-sessions (#855) 2021-01-24 09:09:53 +01:00
Khanh Ngo
a3fd856dd8
Code refactoring and bug fixes 2020-06-19 08:47:51 +07:00
Roei Ganor
483c767d26 Offline installation and searchable inputs 2020-04-30 17:20:37 +00:00
Attila DEBRECZENI
a581aa3cf2 add SAML_ASSERTION_ENCRYPTED envrionment 2020-03-25 21:35:20 +00:00
Khanh Ngo
840e2a4750 Update docker stuff and bug fixes 2019-12-04 11:50:46 +07:00
Khanh Ngo
8ea00b9484
Refactoring the code
- Use Flask blueprint
- Split model and views into smaller parts
- Bug fixes
- API adjustment
2019-12-02 10:32:03 +07:00