Tag: flask

Angular for the frontend, Python and Flask for the backend, and a SQL database to anchor our data.

25/03/2024 / kvnbbg / 0 Comments

Setting Up the Project 🛠️

Angular Setup

ng new task-app
cd task-app
ng serve

Python & Flask Backend

python -m venv venv
source venv/bin/activate

With our environment consecrated, Flask stands ready to breathe life into our server-side logic.

Integrating SQL Database 🗃️

The heart of our application—a SQL database—is next. Here, Flask SQLAlchemy weaves together our data model:

from flask import Flask, request, jsonify
from flask_sqlalchemy import SQLAlchemy

app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///tasks.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)

class Task(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    title = db.Column(db.String(100), nullable=False)

@app.before_first_request
def create_tables():
    db.create_all()

@app.route('/task', methods=['POST'])
def add_task():
    data = request.get_json()
    new_task = Task(title=data['title'])
    db.session.add(new_task)
    db.session.commit()
    return jsonify({'message': 'Task created successfully'}), 201

@app.route('/tasks', methods=['GET'])
def get_tasks():
    tasks_query = Task.query.all()
    tasks = [{"id": task.id, "title": task.title} for task in tasks_query]
    return jsonify({'tasks': tasks})

@app.route('/task/<int:id>', methods=['PUT'])
def update_task(id):
    data = request.get_json()
    task = Task.query.filter_by(id=id).first()
    if not task:
        return jsonify({'message': 'Task not found'}), 404
    task.title = data['title']
    db.session.commit()
    return jsonify({'message': 'Task updated successfully'})

@app.route('/task/<int:id>', methods=['DELETE'])
def delete_task(id):
    task = Task.query.filter_by(id=id).first()
    if not task:
        return jsonify({'message': 'Task not found'}), 404
    db.session.delete(task)
    db.session.commit()
    return jsonify({'message': 'Task deleted successfully'})

if __name__ == '__main__':
    app.run(debug=True)

CSRF Protection with Angular

Angular, with its built-in CSRF defenses, ensures our application is fortified against cross-site request forgery:

import { HttpClient } from '@angular/common/http';
import { Injectable } from '@angular/core';

@Injectable({
  providedIn: 'root'
})
export class TaskService {
  constructor(private http: HttpClient) {}

  addTask(taskData: any) {
    return this.http.post('/api/tasks', taskData);
  }
}

This service acts as a conduit between our Angular frontend and Flask backend, ensuring tasks are managed with grace and efficiency.

CSRF Configuration in Flask

Ensuring Flask is prepared to parry CSRF attempts is paramount. Flask-WTF lends its strength to our defenses:

import os
from flask import Flask, render_template_string
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config['SECRET_KEY'] = os.getenv('SECRET_KEY', os.urandom(24))

csrf = CSRFProtect(app)

@app.route('/', methods=['GET', 'POST'])
def index():
    return render_template_string("...")

if __name__ == '__main__':
    app.run(debug=True)

With CSRFProtect invoked, our application is shielded, allowing us to focus on crafting user experiences without fear.

Database Management

22/03/2024 / kvnbbg / 0 Comments

At its core, a database is a systematic collection of data that supports the storage, manipulation, and retrieval of information. Databases can be relational (SQL) or non-relational (NoSQL), each serving different needs based on the structure and scalability requirements of your application.

Best Practices :

Data Sanitization : Always sanitize user inputs to prevent SQL injection attacks. This involves escaping potentially harmful characters before they’re processed by the database.
Privilege : Operate your database under the principle of least privilege, meaning users and applications should have only the minimum permissions necessary to perform their tasks.

Secure Requests and Authorization

HTTPS : Use HTTPS (Hypertext Transfer Protocol Secure) for all communications between the client and server. HTTPS encrypts data in transit, preventing attackers from intercepting sensitive information.

Authorization Tokens : Implement token-based authorization, such as JWT (JSON Web Tokens), to manage user sessions. Tokens should be securely stored (in HTTP-only cookies) and validated with each request to verify a user’s identity and permissions.

Click here to display content from YouTube.
Learn more in YouTube’s privacy policy.

Always display content from YouTube

Safeguarding Your Environment

Application and server configurations play a significant role in security. A misconfigured server or application can serve as an entry point for attackers.

Secure Configuration Practices:

Update Regularly: Keep your server software and dependencies up to date to protect against known vulnerabilities.
Minimal Exposure: Disable unnecessary services and features on your server to reduce potential attack surfaces.
Environment Variables: Store sensitive configuration options such as API keys and database credentials in environment variables, not in your codebase.

A Shield Against Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into submitting a malicious request. It exploits the trust that a site has in a user’s browser.

How CSRF Protection Works :

Token Generation : The server generates a unique, unpredictable token and sends it to the client’s browser as part of a form or an AJAX request.
Token Validation : When the client submits the form or makes a request, it must include this token. The server then validates the token before processing the request.
Token Invalidation : Tokens are invalidated after being used or after a certain period, requiring new tokens for subsequent requests.

Implementing CSRF tokens in forms and AJAX requests is a standard practice in modern web frameworks. This mechanism ensures that every state-changing request originates from your application, not an attacker.

Without Ajax (simplified)

Conclusion : Keeping Data Secure

Remember, security isn’t a one-time task but a continuous process of learning, implementing, and evolving with the digital landscape.

URL Parameters, and CSRF Protection in PHP Web Development

21/03/2024 / kvnbbg / 0 Comments

Understanding the $ Symbol in PHP

The $ symbol in PHP plays a pivotal role—it signifies the beginning of a variable name. Variables are fundamental in any programming language, acting as containers for storing data values. In PHP, the $ symbol precedes the variable’s name, indicating that what follows is a variable identifier. For example:$name = "John Doe";

Here, $name is a variable that stores the string “John Doe”. The $ symbol makes variables easily identifiable within the script, enhancing readability and maintaining a clean code structure.

Working with URL Parameters in PHP

URL parameters are a method of passing data from the client-side to the server-side in a web application. They are appended to the URL following a ? and separated by &. PHP can access these parameters via the superglobal arrays $_GET and $_POST, depending on the form submission method.

To capture a user’s name entered into a form and submitted via GET, the URL might look like this:http://example.com/form.php?name=John+Doe

In form.php, the PHP script retrieves the name using:$name = $_GET['name'];

Implementing CSRF Protection

Cross-Site Request Forgery (CSRF) is a security threat where unauthorized commands are transmitted from a user that the web application trusts. To mitigate this, web applications often use tokens that validate user requests. These tokens ensure that the incoming request originates from the application’s form.

In PHP, CSRF protection can be manually implemented by generating a token and including it in the form as a hidden input. This token is then validated upon form submission. This concept is similar to Python Flask’s {% csrf_token %} tag.

Example of generating a CSRF token in PHP:

session_start();

if (empty($_SESSION['csrf_token'])) {

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

}

Including the CSRF token in a form:

echo '<form method="post">';

echo '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';

// form fields here echo

'</form>';

Validating the CSRF token upon form submission:

if ($_POST['csrf_token'] === $_SESSION['csrf_token']) {

// Process form

}

else {

// Invalid CSRF token

}

Conclusion

Understanding the use of the $ symbol, managing URL parameters, and implementing CSRF protection are crucial components of PHP web development. By grasively these concepts, developers can enhance both the functionality and security of their web applications. Similar to practices in other frameworks like Flask, CSRF protection in PHP safeguards applications against unauthorized actions, ensuring a trustworthy environment for users to interact with.