Merge pull request #22 from Demindiro/security-fixes

Author: Demindiro

Makefile

@@ -4,7 +4,7 @@ SQLITE = sqlite3
 
 default: venv
 
-test:: venv
+test: venv
 	test/all.sh
 
 venv:
@@ -13,3 +13,5 @@ venv:
 
 forum.db:
 	$(SQLITE) $@ < schema.txt
+
+.PHONY: test

main.py

@@ -14,6 +14,11 @@
 app = Flask(__name__)
 db = DB(os.getenv('DB'))
 
+# This defaults to None, which allows CSRF attacks in FireFox
+# and older versions of Chrome.
+# 'Lax' is sufficient to prevent malicious POST requests.
+app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+
 class Config:
     pass
 config = Config()
@@ -28,6 +33,13 @@ class Role:
     MODERATOR = 1
     ADMIN = 2
 
+@app.after_request
+def after_request(response):
+    # This forbids other sites from embedding this site in an iframe,
+    # preventing clickjacking attacks.
+    response.headers['X-Frame-Options'] = 'DENY'
+    return response
+
 @app.route('/')
 def index():
     return render_template(