A secure Todo API built with Flask, featuring comprehensive security measures and automated threat modeling using OWASP PyTM.
- Authentication: Secure login/logout with session management
- CSRF Protection: Built-in CSRF token validation
- Rate Limiting: Protection against brute force attacks
- Input Validation: Form validation using Flask-WTF
- Secure Headers: Implementation of security headers
- Environment Configuration: Secure handling of sensitive data
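The "Rate Limiting" item above is the control that turns a password-guessing attempt against `POST /login` into a handful of attempts per minute. The project itself delegates this to Flask-Limiter; the following is an added, stdlib-only sketch of the same idea (not the project's code) so the decision logic is visible: a sliding window of recent failures per client key, with an injectable clock so the behaviour can be tested deterministically. The key, window and limit values are assumptions chosen for the demo.

```python
"""Sliding-window login rate limiter (added example, not the project's code;
the project uses Flask-Limiter for this). Standard library only."""
import time
from collections import defaultdict, deque


class ManualClock:
    """Deterministic clock for demos and tests; advance it by setting .t."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginRateLimiter:
    """Allow at most `limit` failed attempts per `window` seconds per key.

    The key is normally the client IP or the target username; keying on the
    username as well blunts guessing spread across many source addresses.
    """

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so tests do not have to sleep
        self._attempts = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, key):
        """Return (allowed, retry_after_seconds) without recording anything."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return True, 0.0
        return False, round(self.window - (now - q[0]), 3)

    def record_failure(self, key):
        """Only failures count, so a user who logs in correctly is never penalised."""
        self._attempts[key].append(self.clock())

    def reset(self, key):
        """Clear the counter after a successful login."""
        self._attempts.pop(key, None)


def run_login_attempts(limiter, key, guesses, correct):
    """Constructed scenario for the demo: feed a sequence of password guesses
    and return the limiter's decision for each one."""
    log = []
    for guess in guesses:
        allowed, retry = limiter.check(key)
        if not allowed:
            log.append(("blocked", guess, retry))
            continue
        if guess == correct:
            limiter.reset(key)
            log.append(("success", guess, 0.0))
        else:
            limiter.record_failure(key)
            log.append(("failed", guess, 0.0))
    return log


if __name__ == "__main__":
    clock = ManualClock()
    limiter = LoginRateLimiter(limit=3, window=60.0, clock=clock)
    for entry in run_login_attempts(limiter, "10.0.0.1", ["a", "b", "c", "d"], "correct-horse"):
        print(entry)
```

In a Flask application the equivalent check runs before the credential comparison, and the 429 response should carry the `retry_after` value as a `Retry-After` header so well-behaved clients back off.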
- `GET /`: Landing page with API documentation
- `POST /login`: User authentication
- `POST /logout`: Session termination
- `GET /dashboard`: User dashboard
- `GET /todos`: List all todos
- `POST /todos`: Create a new todo
- `PUT /todos/<id>`: Update a todo
- `DELETE /todos/<id>`: Delete a todo
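Of the endpoints above, the `POST`, `PUT` and `DELETE` routes change state and are the ones the CSRF token must cover; the `GET` routes are read-only and need none. The project gets this from Flask-WTF's built-in protection. The block below is an added example, not the project's code, showing what such a token consists of: a timestamp plus an HMAC over the session id and timestamp under the application secret, checked in constant time and rejected once it has expired. The secret, session ids and TTL are constructed for the demo.

```python
"""Session-bound CSRF token: issue and validate (added example, not the
project's code; Flask-WTF supplies this in the real application)."""
import hashlib
import hmac
import secrets
import time

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
TOKEN_TTL_SECONDS = 3600  # assumption for the demo; Flask-WTF's default is also one hour


def generate_csrf_token(secret, session_id, now=None):
    """Token = '<issued>.<hex hmac(secret, session_id|issued)>'.
    Binding to the session id means a token stolen from one session is
    useless in another."""
    issued = int(now if now is not None else time.time())
    msg = f"{session_id}|{issued}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{sig}"


def validate_csrf_token(secret, session_id, token, now=None, ttl=TOKEN_TTL_SECONDS):
    """Return (ok, reason). Rejects malformed, stale or foreign tokens;
    the signature comparison is constant-time."""
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False, "malformed"
    current = int(now if now is not None else time.time())
    # 60 s of tolerance for clock skew on the "not yet valid" side
    if current - issued > ttl or issued > current + 60:
        return False, "expired or not yet valid"
    expected = hmac.new(secret, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def csrf_check_request(method, form, session, secret, now=None):
    """Gate a request: only state-changing methods need a valid token.
    `form` and `session` are plain dicts standing in for request.form and
    the server-side session."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "not required"
    sid = session.get("id")
    if not sid:
        return False, "no session"
    return validate_csrf_token(secret, sid, form.get("csrf_token", ""), now=now)


if __name__ == "__main__":
    secret_key = secrets.token_bytes(32)  # in the app this is the SECRET_KEY setting
    token = generate_csrf_token(secret_key, "demo-session")
    print(csrf_check_request("POST", {"csrf_token": token}, {"id": "demo-session"}, secret_key))
    print(csrf_check_request("POST", {"csrf_token": token}, {"id": "other-session"}, secret_key))
```

Because the token is derived from `SECRET_KEY`, rotating that key invalidates every outstanding token, which is one more reason the key must stay out of version control.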
- Clone the repository:

  ```
  git clone https://github.com/1B05H1N/threat-model-demo.git
  cd threat-model-demo
  ```

- Set up the virtual environment:

  ```
  python -m venv venv
  source venv/bin/activate   # On Windows: venv\Scripts\activate
  ```

- Install dependencies:

  ```
  pip install -r requirements.txt
  ```

- Configure environment variables:

  ```
  cp env.conf.example .env
  # Edit .env with your configuration
  ```

- Run the application:

  ```
  make run
  ```
This project uses OWASP PyTM to automatically generate threat model diagrams for the application.
- `dfd.png` (data flow diagram): Visualizes the flow of data between the components and boundaries in the system (e.g., User, API, Database). It helps identify trust boundaries and potential attack surfaces.
- `sequence.png` (sequence diagram): Shows the sequence of interactions between actors and system components for the various operations (such as login and todo management). This helps in understanding the order of operations and where security controls are applied.
To regenerate the diagrams after making changes to the threat model:
```
make diagrams
```

This will:

- Run the threat model and output PlantUML and Graphviz code
- Generate `sequence.png` (sequence diagram)
- Generate `dfd.png` (data flow diagram)
- DFD: Helps you and your team visualize trust boundaries, data stores, and the flow of sensitive information, which is essential for identifying and mitigating security risks.
- Sequence Diagram: Clarifies the order of operations and the involvement of security controls (like authentication, CSRF protection, and rate limiting) in each user interaction.
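The value of the DFD is that it makes every boundary crossing explicit, and each crossing is a place to ask what the data is, whether it is protected in transit, and whether the receiving side checks who is calling. The block below is an added example, not the project's PyTM model, that encodes that reasoning over a small stdlib-only model of the same three components (User, API, Database). The boundary names, the flow attributes and the two review rules are assumptions for the demo; PyTM applies a much larger rule set to its own element classes.

```python
"""Trust-boundary review over a small data-flow model (added example, not the
project's PyTM model). Each flow that crosses a boundary is checked for
unencrypted sensitive data and for unauthenticated access."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    boundary: str  # trust zone the element lives in, e.g. "Internet", "App", "Data"


@dataclass(frozen=True)
class Dataflow:
    source: Element
    sink: Element
    name: str
    sensitive: bool = False      # credentials, session ids or user-owned content
    encrypted: bool = False      # protected in transit (TLS or equivalent)
    authenticated: bool = False  # sink verifies the caller before acting
    public: bool = False         # intentionally anonymous (landing page, login itself)


def crossing_flows(flows):
    """Flows whose endpoints sit in different trust zones: the attack surface."""
    return [f for f in flows if f.source.boundary != f.sink.boundary]


def review_flows(flows):
    """Return (rule, flow description) findings for every risky crossing."""
    findings = []
    for f in crossing_flows(flows):
        where = f"{f.source.name} -> {f.sink.name} ({f.name})"
        if f.sensitive and not f.encrypted:
            findings.append(("sensitive data unencrypted across boundary", where))
        if not f.authenticated and not f.public:
            findings.append(("unauthenticated request across boundary", where))
    return findings


def build_demo_model():
    """Constructed model mirroring the README's User / API / Database components.
    The database link is deliberately left unencrypted so the review has
    something to report."""
    user = Element("User", "Internet")
    api = Element("API", "App")
    db = Element("Database", "Data")
    return [
        Dataflow(user, api, "GET / landing page", encrypted=True, public=True),
        Dataflow(user, api, "POST /login credentials", sensitive=True, encrypted=True, public=True),
        Dataflow(user, api, "POST /todos with session cookie", sensitive=True, encrypted=True, authenticated=True),
        Dataflow(api, db, "SQL read/write of todos", sensitive=True, encrypted=False, authenticated=True),
    ]


if __name__ == "__main__":
    for rule, where in review_flows(build_demo_model()):
        print(f"{rule}: {where}")
```

Reading the generated `dfd.png` with the same two questions for each arrow that crosses a boundary is the manual version of this review; the point of regenerating the diagram on every change is that a new arrow cannot appear without being looked at.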
The project includes a GitHub Actions workflow that automatically generates and updates the threat model diagrams whenever changes are pushed to the repository.
- Runs on push to master and manual trigger
- Installs all required dependencies
- Generates sequence and data flow diagrams
- Automatically commits and pushes updated diagrams
- Uses GitHub's built-in token for secure authentication
You can manually trigger the workflow from the GitHub Actions tab in your repository.
- Python 3.11+
- Graphviz
- PlantUML
Run the test suite:

```
make test
```

The project follows PEP 8 guidelines. Use `make lint` to check code style.
Required environment variables:

- `SECRET_KEY`: Flask application secret key
- `ADMIN_USERNAME`: Admin user username
- `ADMIN_PASSWORD`: Admin user password
- Never commit the `.env` file
- Use strong, unique passwords
- Keep dependencies updated
- Review threat model regularly
- Monitor security headers
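"Monitor security headers" is only actionable with a concrete baseline to compare against. The block below is an added example, not the project's code, that audits a captured set of response headers against a common baseline: HSTS with a one-year `max-age`, a Content-Security-Policy with a `default-src`, `X-Content-Type-Options: nosniff`, clickjacking protection via `X-Frame-Options` or CSP `frame-ancestors`, a `Referrer-Policy`, and `Secure`/`HttpOnly`/`SameSite` on every cookie. The thresholds and the sample header sets are assumptions constructed for the demo; it takes a list of `(name, value)` pairs so repeated `Set-Cookie` headers are preserved.

```python
"""Security header audit against a baseline (added example for the
'Monitor security headers' item; not the project's code)."""
import re

HSTS_MIN_AGE = 31536000  # one year, the commonly recommended minimum


def _parse_hsts_max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def _cookie_flags_ok(value):
    """True when the Set-Cookie value carries Secure, HttpOnly and SameSite."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent on the wire, repeats allowed.
    Returns {check name: (passed, detail)}."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name):
        return by_name.get(name, [None])[0]

    results = {}
    hsts = first("strict-transport-security")
    results["Strict-Transport-Security"] = (
        hsts is not None and _parse_hsts_max_age(hsts) >= HSTS_MIN_AGE, hsts or "missing")
    csp = first("content-security-policy")
    results["Content-Security-Policy"] = (csp is not None and "default-src" in csp, csp or "missing")
    xcto = first("x-content-type-options")
    results["X-Content-Type-Options"] = ((xcto or "").lower() == "nosniff", xcto or "missing")
    xfo = first("x-frame-options")
    frame_ok = (xfo or "").upper() in {"DENY", "SAMEORIGIN"} or (csp is not None and "frame-ancestors" in csp)
    results["X-Frame-Options"] = (frame_ok, xfo or "missing (and no CSP frame-ancestors)")
    referrer = first("referrer-policy")
    results["Referrer-Policy"] = (referrer is not None, referrer or "missing")
    cookies = by_name.get("set-cookie", [])
    weak_cookies = [c.split("=", 1)[0] for c in cookies if not _cookie_flags_ok(c)]
    results["Set-Cookie flags"] = (
        not weak_cookies,
        "all cookies Secure/HttpOnly/SameSite" if not weak_cookies else "missing flags on: " + ", ".join(weak_cookies))
    return results


def failing_checks(headers):
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(name for name, (ok, _) in audit_headers(headers).items() if not ok)


# Constructed sample responses for the demo (not captured from the project).
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
WEAK_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "no-referrer"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, failing_checks(hdrs))
```

Run against the live application this becomes a cheap regression test: capture the headers of `GET /` in the test suite and assert that `failing_checks` returns an empty list.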
- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- OWASP PyTM for threat modeling automation
- Flask for the web framework
- Flask-WTF for form validation
- Flask-Limiter for rate limiting
1B05H1N - GitHub Profile