Project Description

Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues.

The default configuration:

  • Forces all connections to https, unless running with debug enabled.
  • Enables HTTP Strict Transport Security.
  • Enables HSTS preloading. If you register your application with Google’s HSTS preload list, Firefox and Chrome will never load your site over a non-secure connection.
  • Sets Flask’s session cookie to secure, so it will never be sent if your application is somehow accessed via a non-secure connection.
  • Sets Flask’s session cookie to httponly, preventing JavaScript from being able to access its content. CSRF via Ajax uses a separate cookie and should be unaffected.
  • Sets X-Frame-Options to SAMEORIGIN to avoid clickjacking.
  • Sets a strict Content Security Policy of default-src: 'self'. This is intended to almost completely prevent Cross Site Scripting (XSS) attacks. This is probably the only setting that you should reasonably change. See the section below on configuring this.

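The defaults above are only useful if they actually reach the browser, so here is an added audit routine (this editor's own code, not part of Talisman) that checks one response's headers for the HSTS, X-Frame-Options, CSP and cookie-flag settings the list describes. The sample headers and the one-year threshold are constructed for this example; the page names ONE_YEAR_IN_SECS but not its exact value.

```python
import re

# One year in seconds: this editor's own threshold for "HSTS max-age long
# enough"; the page only names Talisman's ONE_YEAR_IN_SECS, not its value.
ONE_YEAR = 365 * 24 * 3600

# Constructed sample headers shaped like the ones the default configuration
# above is described as producing; not captured from a real deployment.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; Path=/",
}

# The same response with frame options and cookie flags relaxed (constructed).
WEAK_HEADERS = dict(GOOD_HEADERS, **{
    "X-Frame-Options": "ALLOWALL",
    "Set-Cookie": "session=abc123; Path=/",
})

def audit_headers(headers):
    """Return findings for one response; an empty list means every check passed.

    Only the single Set-Cookie value in the dict is examined; a real
    response may carry several.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "").lower()
    max_age = re.search(r"max-age=(\d+)", hsts)
    if not max_age:
        findings.append("HSTS header missing")
    else:
        if int(max_age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in hsts:
            findings.append("HSTS lacks preload")

    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options not SAMEORIGIN/DENY")

    if "default-src" not in h.get("content-security-policy", ""):
        findings.append("CSP has no default-src")

    # Cookie attributes follow the first ';' and are case-insensitive.
    attrs = {p.strip().lower() for p in h.get("set-cookie", "").split(";")[1:]}
    if "secure" not in attrs:
        findings.append("session cookie not Secure")
    if "httponly" not in attrs:
        findings.append("session cookie not HttpOnly")
    return findings
```
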
In addition to Talisman, you should always use a cross-site request forgery (CSRF) library. I highly recommend Flask-SeaSurf, which is based on Django’s excellent library.

Installation & Basic Usage

Install via pip:

pip install talisman

Then wrap your application; the default headers are applied to every response:

from flask import Flask
from talisman import Talisman

app = Flask(__name__)
talisman = Talisman(app)

There is also a full Example App.

Options

  • force_https, default True, forces all non-debug connects to https.
  • force_https_permanent, default False, uses 301 instead of 302 for https redirects.
  • frame_options, default SAMEORIGIN, can be SAMEORIGIN, DENY, or ALLOW_FROM.
  • frame_options_allow_from, default None, a string indicating the domains that are allowed to embed the site via iframe.
  • strict_transport_security, default True, whether to send HSTS headers.
  • strict_transport_security_max_age, default ONE_YEAR_IN_SECS, length of time the browser will respect the HSTS header.
  • strict_transport_security_include_subdomains, default True, whether subdomains should also use HSTS.
  • content_security_policy, default default-src: 'self', see the section below.
  • session_cookie_secure, default True, set the session cookie to secure, preventing it from being sent over plain http.
  • session_cookie_http_only, default True, set the session cookie to httponly, preventing it from being read by JavaScript.

Per-view options

Sometimes you want to change the policy for a specific view. The frame_options, frame_options_allow_from, and content_security_policy options can be changed on a per-view basis.

from flask import Flask
from talisman import Talisman, ALLOW_FROM

app = Flask(__name__)
talisman = Talisman(app)

# Uses the application-wide defaults (X-Frame-Options: SAMEORIGIN).
@app.route('/normal')
def normal():
    return 'Normal'

# Overrides frame_options for this view only, so any site may embed it.
@app.route('/embeddable')
@talisman(frame_options=ALLOW_FROM, frame_options_allow_from='*')
def embeddable():
    return 'Embeddable'

Content Security Policy

The default content security policy is extremely strict, and will prevent loading any resources that are not in the same domain as the application.

A slightly more permissive policy is available at talisman.GOOGLE_CSP_POLICY, which allows loading Google-hosted JS libraries, fonts, and embedding media from YouTube and Maps.

You can and should create your own policy to suit your site’s needs. Here are a few examples adapted from MDN:

Example 1

This is the default policy. A web site administrator wants all content to come from the site’s own origin (this excludes subdomains).

csp = {
    'default-src': '\'self\''
}

Example 2

A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn’t have to be the same domain that the CSP is set on.)

csp = {
    'default-src': [
        '\'self\'',
        '*.trusted.example'  # placeholder: the trusted domain's subdomains (the real value is not on this page)
    ]
}

Example 3

A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code.

csp = {
    'default-src': '\'self\'',
    'img-src': '*',  # the directive is img-src; an unknown name such as 'image-src' is ignored by browsers
    'media-src': [
        'media1.example',  # placeholder: first trusted media host
        'media2.example',  # placeholder: second trusted media host
    ],
    'script-src': 'scripts.example'  # placeholder: the single host serving trusted script
}

Here, by default, content is only permitted from the document’s origin, with the following exceptions:

  • Images may be loaded from anywhere (note the * wildcard).
  • Media is only allowed from the two hosts listed under media-src (and not from subdomains of those sites).
  • Executable script is only allowed from the single host listed under script-src.

Example 4

A web site administrator for an online banking site wants to ensure that all its content is loaded using SSL, in order to prevent attackers from eavesdropping on requests.

csp = {
    'default-src': 'https://banking.example'  # placeholder: the site's own HTTPS origin
}

The server only permits access to documents being loaded specifically over HTTPS through the single origin listed in default-src.

Example 5

A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content.

csp = {
    'default-src': [
        '\'self\'',
        '*.mailsite.example'  # placeholder: the web mail site's own subdomains
    ],
    'img-src': '*'
}

Note that this example doesn’t specify a script-src; with the example CSP, this site uses the setting specified by the default-src directive, which means that scripts can be loaded only from the originating server.
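The five examples above all use the same dict shape (a directive name mapped to a string or a list of sources), and the main way such a policy fails is a directive that browsers silently ignore. The following added helper is this editor's own code, not Talisman's serializer: render_csp turns a policy dict into a header value, and lint_csp flags unknown directive names, a missing default-src fallback, and wildcard or inline script sources. The directive list and the placeholder hosts are assumptions constructed for the example.

```python
# Directive names a browser acts on (CSP level 2 set, this editor's own list).
# Anything else is silently ignored, so a typo such as 'image-src' means
# images quietly fall back to whatever default-src allows.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "media-src",
    "font-src", "connect-src", "object-src", "frame-src", "child-src",
    "frame-ancestors", "base-uri", "form-action", "plugin-types",
    "report-uri", "sandbox",
}

def _sources(value):
    """Normalise a directive value: the policy dicts use a str or a list."""
    return [value] if isinstance(value, str) else list(value)

def render_csp(policy):
    """Serialise a {directive: str | list} dict into a header value.

    This is the editor's own serialisation, not Talisman's code.
    """
    return "; ".join(
        f"{directive} {' '.join(_sources(value))}".strip()
        for directive, value in policy.items()
    )

def lint_csp(policy):
    """Return findings for a policy dict; an empty list means nothing flagged."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted resource types are unrestricted")
    for directive, value in policy.items():
        sources = _sources(value)
        if directive not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {directive!r} is ignored by browsers")
        if directive in ("default-src", "script-src"):
            if "*" in sources:
                findings.append(f"{directive} contains '*'")
            if "'unsafe-inline'" in sources:
                findings.append(f"{directive} allows inline script")
    return findings

# A policy resembling Example 3 but with 'image-src' mistyped for 'img-src';
# hosts are constructed placeholders, not real domains.
TYPO_POLICY = {
    'default-src': "'self'",
    'image-src': '*',
    'media-src': ['media1.example', 'media2.example'],
    'script-src': 'scripts.example',
}
```
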


This is not an official Google product, experimental or otherwise.

There is no silver bullet for web application security. Talisman can help, but security is more than just setting a few headers. Any public-facing web application should have a comprehensive approach to security.

Contributing changes



Download Files


File Name                            Size     File Type          Upload Date
talisman-0.1.0-py2.py3-none-any.whl  13.2 kB  Wheel (py2.py3)    Nov 13, 2015
talisman-0.1.0.tar.gz                10.1 kB  Source             Nov 13, 2015
