This repository has been archived by the owner on Dec 12, 2022. It is now read-only.

lgf2111/flask-blog-secure



Flask Blog Secure

A blog hosting website built with Flask, with a main focus on making it secure.


OWASP Top 10 (2017) Covered:
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A10:2017-Insufficient Logging & Monitoring



Key Features

  • Login Authentication
    • Registration
    • Login
      • Remember Me
      • Forget Password
    • Account
      • C.R.U.D User
      • 2 Factor Authorization
  • Home Page
    • Display all posts
      • Pagination
    • Able to comment on posts
    • Able to purchase premium plan
      • Free Plan - Limited to 1 post/day
      • Premium Plan - No limitations
  • C.R.U.D Post
    • Create new post
    • Read individual posts
    • Update own post
    • Delete own post
  • Admin Page
    • Only admin can access this page
    • Able to modify all models
      • User, Post, Comment, Role
    • Dashboard page
      • See traffic within this web application

How To Use

To clone and run this application, you'll need Git and Python (which comes with pip) installed on your computer. From your command line:

# Clone this repository
$ git clone https://github.com/lgf2111/flask-blog-secure

# Go into the repository
$ cd flask-blog-secure

# Install dependencies
$ pip install -r requirements.txt

# Run the app
# (Make sure you have the environment variables ready)
$ python run.py

Helper scripts are provided so you can manage the database with ease:

# Create/Recreate the database
# (Make sure you have the environment variables ready)
$ python db_scripts/create_db.py

# Make specific user admin (Eg: lgf2111)
$ python db_scripts/make_admin.py
$ Username: lgf2111

# Reset login attempt for specific user (Eg: lgf2111)
$ python db_scripts/reset_login_attempt.py
$ Username: lgf2111

Note

If pip doesn't work, try pip3.

If python doesn't work, try python3.

Warning

This web application uses environment variables. You will need to set them before running it:

To set the environment variables we used, export them by running this in your command line:

# Export environmental variables in current shell
$ source env-export.sh

# The exported variables are temporary; to remove them manually, run this
$ source env-unset.sh

Windows (PowerShell):

# Export environment variables in the current shell:
$Env:EMAIL_USER="[email protected]"
$Env:EMAIL_PASS="fkqkqjbmjvsisbic"
$Env:SECRET_KEY="5791628bb0b13ce0c676dfde280ba245"
$Env:SQLALCHEMY_DATABASE_URI="sqlite:///site.db"
$Env:STRIPE_PUBLISHABLE_KEY="pk_test_51KSAWdIh0gkoD8L83DDO7vbBvmC16lk4f6SwHoP9q2cdE3f517t75LXKqkjUeKPrypWOTSAxGVvUUOMl4WFRX0Rh00DF92sQn1"
$Env:STRIPE_SECRET_KEY="sk_test_51KSAWdIh0gkoD8L8FfHd5ZcBYn3m54by2WPc3PLc543DB0tWnR0h58S4A51KFzHaPwFGwxJ8N6262CNR7sEnwl5i00g99nryQJ"
$Env:SENTRY_SDK_DSN="https://[email protected]/6605916"

# To run the whole app, run this in the current shell:
cd .\flask-blog-secure-submission\
py run.py
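Because the block above publishes working values for SECRET_KEY and EMAIL_PASS, a start-up check that refuses those values is worth having. The following is an added example, not code from the flask-blog-secure repository: it reads the variable names listed above, rejects any value printed in this README, and rejects a missing or short SECRET_KEY. The function names `config_errors`, `load_config` and `new_secret_key` are assumptions.

```python
"""Fail-fast loader for the environment variables listed in this README.
Added example; not part of the flask-blog-secure repository."""
import os
import secrets

REQUIRED = (
    "EMAIL_USER", "EMAIL_PASS", "SECRET_KEY", "SQLALCHEMY_DATABASE_URI",
    "STRIPE_PUBLISHABLE_KEY", "STRIPE_SECRET_KEY", "SENTRY_SDK_DSN",
)

# Values that appear verbatim in this README; anything published is burned
# and must be rotated before the app is allowed to start.
PUBLISHED_VALUES = {
    "SECRET_KEY": {"5791628bb0b13ce0c676dfde280ba245"},
    "EMAIL_PASS": {"fkqkqjbmjvsisbic"},
}

def config_errors(env):
    """Return a list of problems with the given environment mapping (empty if OK)."""
    errors = []
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        errors.append("missing: " + ", ".join(missing))
        return errors  # nothing else is meaningful without the full set
    for name, burned in PUBLISHED_VALUES.items():
        if env[name] in burned:
            errors.append(f"{name} is a value published in the README; rotate it")
    if len(env["SECRET_KEY"]) < 32:
        errors.append("SECRET_KEY shorter than 32 characters; use secrets.token_hex(32)")
    # Stripe keys are prefixed by role, so a swapped pair is detectable up front.
    if not env["STRIPE_SECRET_KEY"].startswith("sk_"):
        errors.append("STRIPE_SECRET_KEY should start with sk_")
    if not env["STRIPE_PUBLISHABLE_KEY"].startswith("pk_"):
        errors.append("STRIPE_PUBLISHABLE_KEY should start with pk_")
    return errors

def load_config(env=None):
    """Return the config dict, or raise RuntimeError listing every problem."""
    env = os.environ if env is None else env
    problems = config_errors(env)
    if problems:
        raise RuntimeError("refusing to start:\n  " + "\n  ".join(problems))
    cfg = {name: env[name] for name in REQUIRED}
    cfg["STRIPE_LIVE_MODE"] = cfg["STRIPE_SECRET_KEY"].startswith("sk_live_")
    return cfg

def new_secret_key():
    """Generate a replacement SECRET_KEY (64 hex chars, 256 bits of entropy)."""
    return secrets.token_hex(32)
```

Call `load_config()` once at import time in `run.py` so a misconfigured deployment fails before it binds a port.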

Contributors

This web application would not have been possible without this team of developers:

Credits

This application uses the following open source packages:

Related

Flask_Blog - CoreyMSchafer

Support

Buy Me A Coffee

