A blog hosting website using Flask, with main focus on making it secure.
OWASP Top 10 (2017) Covered:
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A10:2017-Insufficient Logging & Monitoring
- Login Authentication
  - Registration
  - Login
  - Remember Me
  - Forgot Password
- Account
  - C.R.U.D User
  - 2 Factor Authorization
- Home Page
  - Display all posts
  - Pagination
  - Able to comment on posts
  - Able to purchase premium plan
    - Free Plan - Limited to 1 post/day
    - Premium Plan - No limitations
  - Display all posts
- C.R.U.D Post
  - Create new post
  - Read individual posts
  - Update own post
  - Delete own post
- Admin Page
  - Only admin can access this page
  - Able to modify all models
    - User, Post, Comment, Role
- Dashboard page
  - See traffic within this web application
To clone and run this application, you'll need Git and Python (which comes with pip) installed on your computer. From your command line:
```shell
# Clone this repository
$ git clone https://github.com/lgf2111/flask-blog-secure
# Go into the repository
$ cd flask-blog-secure
# Install dependencies
$ pip install -r requirements.txt
# Run the app
# (Make sure you have the environment variables ready)
$ python run.py
```
There are scripts for you to use to manipulate the database with ease:
```shell
# Create/Recreate database
# (Make sure you have the environment variables ready)
$ python db_scripts/create_db.py
# Make a specific user admin (e.g. lgf2111)
$ python db_scripts/make_admin.py
$ Username: lgf2111
# Reset login attempts for a specific user (e.g. lgf2111)
$ python db_scripts/reset_login_attempt.py
$ Username: lgf2111
```
Note: If `pip` doesn't work, try `pip3`. If `python` doesn't work, try `python3`.
Warning
This web application uses environment variables. You will need to have them set before running it.
To get the environment variables we'd used, you'll need to export them by running this in your command line:
```shell
# Export environmental variables in current shell
$ source env-export.sh
# Environmental variables exported are temporary, to manually remove, run this
$ source env-unset.sh
```

Windows:

```powershell
# Export environmental variables in current shell:
$Env:EMAIL_USER="[email protected]"
$Env:EMAIL_PASS="fkqkqjbmjvsisbic"
$Env:SECRET_KEY="5791628bb0b13ce0c676dfde280ba245"
$Env:SQLALCHEMY_DATABASE_URI="sqlite:///site.db"
$Env:STRIPE_PUBLISHABLE_KEY="pk_test_51KSAWdIh0gkoD8L83DDO7vbBvmC16lk4f6SwHoP9q2cdE3f517t75LXKqkjUeKPrypWOTSAxGVvUUOMl4WFRX0Rh00DF92sQn1"
$Env:STRIPE_SECRET_KEY="sk_test_51KSAWdIh0gkoD8L8FfHd5ZcBYn3m54by2WPc3PLc543DB0tWnR0h58S4A51KFzHaPwFGwxJ8N6262CNR7sEnwl5i00g99nryQJ"
$Env:SENTRY_SDK_DSN="https://[email protected]/6605916"
# To run the whole app, run this in current shell:
$ cd .\flask-blog-secure-submission\
$ py run.py
```
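The variables exported above are all the app needs, so a missing value, or a value that has already been published (any key shown in a README or committed in `env-export.sh` counts as public), is a Security Misconfiguration (A6) that the app should refuse to start with. The fail-closed loader below is an added example and not code from flask-blog-secure; the variable names are the ones exported above, while the `check_env`/`load_config` helpers, the 32-character minimum key length and the sample values in the tests are assumptions.

```python
import os
import secrets

# Variables the setup steps above export before `python run.py`.
REQUIRED_VARS = (
    "EMAIL_USER", "EMAIL_PASS", "SECRET_KEY", "SQLALCHEMY_DATABASE_URI",
    "STRIPE_PUBLISHABLE_KEY", "STRIPE_SECRET_KEY", "SENTRY_SDK_DSN",
)
# A key printed in a README or committed in env-export.sh is public and must be
# rotated; the value below is the one shown in the Windows instructions above.
PUBLISHED_SECRET_KEYS = {"5791628bb0b13ce0c676dfde280ba245"}
MIN_SECRET_KEY_CHARS = 32  # assumption: 128 bits of entropy, hex-encoded

def check_env(env):
    """Return a list of misconfigurations; an empty list means the app may start."""
    problems = []
    for name in REQUIRED_VARS:
        if not env.get(name, "").strip():
            problems.append(f"{name} is missing or empty")
    key = env.get("SECRET_KEY", "")
    if key in PUBLISHED_SECRET_KEYS:
        problems.append("SECRET_KEY is a published value; rotate it")
    elif key and len(key) < MIN_SECRET_KEY_CHARS:
        problems.append("SECRET_KEY is too short")
    pk = env.get("STRIPE_PUBLISHABLE_KEY", "")
    sk = env.get("STRIPE_SECRET_KEY", "")
    if pk and not pk.startswith("pk_"):
        problems.append("STRIPE_PUBLISHABLE_KEY does not look like a publishable key")
    if sk and not sk.startswith("sk_"):
        problems.append("STRIPE_SECRET_KEY does not look like a secret key")
    # Stripe keys carry their mode after the prefix ("pk_test_", "sk_live_", ...).
    if pk.startswith("pk_") and sk.startswith("sk_") and pk[3:8] != sk[3:8]:
        problems.append("Stripe keys mix test and live mode")
    dsn = env.get("SENTRY_SDK_DSN", "")
    if dsn and not dsn.startswith("https://"):
        problems.append("SENTRY_SDK_DSN must use https")
    return problems

def load_config(env=None):
    """Return the Flask config, or refuse to start on any problem (fail closed)."""
    env = os.environ if env is None else env
    problems = check_env(env)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return {name: env[name] for name in REQUIRED_VARS}

def fresh_secret_key():
    """Generate a replacement SECRET_KEY (256 bits, hex-encoded)."""
    return secrets.token_hex(32)
```

Call `load_config()` from `run.py` before creating the app so a bad environment stops the process instead of serving with a known key.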
This web application would not have been possible without this team of developers:
This application uses the following open source packages:
- Python
- Flask
- Flask-Admin
- Flask-Bcrypt
- flask_csp
- Flask_Limiter
- Flask_Login
- Flask_Mail
- Flask_MonitoringDashboard
- Flask_SQLAlchemy
- Flask_WTF
- itsdangerous
- Pillow
- pycryptodome
- sentry_sdk
- stripe
- WTForms
Flask_Blog - CoreyMSchafer