flask-talisman + naglowki

app.py

@@ -49,6 +49,7 @@ from sqlalchemy import func, extract, inspect, or_
 from sqlalchemy.orm import joinedload
 from collections import defaultdict, deque
 from functools import wraps
+from flask_talisman import Talisman
 
 # OCR
 from collections import Counter
@@ -58,6 +59,28 @@ from pytesseract import Output
 
 app = Flask(__name__)
 app.config.from_object(Config)
+
+
+# Konfiguracja nagłówków bezpieczeństwa z .env
+csp_policy = None
+if app.config.get("ENABLE_CSP", True):
+    csp_policy = {
+        'default-src': "'self'",
+        'script-src': "'self'",
+        'style-src': "'self'",
+        'connect-src': "'self'",
+    }
+
+talisman = Talisman(
+    app,
+    force_https=app.config.get("ENABLE_HSTS", True),
+    strict_transport_security=app.config.get("ENABLE_HSTS", True),
+    frame_options="DENY" if app.config.get("ENABLE_XFO", True) else None,
+    content_security_policy=csp_policy,
+    x_content_type_options=app.config.get("ENABLE_XCTO", True),
+)
+
+
 register_heif_opener()  # pillow_heif dla HEIC
 
 ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "heic"}