tessl-labs/flask-security-basics

Security essentials for Flask APIs — CORS, Talisman security headers, rate
evals/scenario-4/task.md

Adding Security Headers to a Proxy-Deployed Flask API

Problem Description

A SaaS company runs a Flask REST API behind an AWS Application Load Balancer (ALB). The ALB handles TLS termination — all traffic from the ALB to the Flask service travels over plain HTTP on the internal network.

The team has decided to add security headers to harden the API. A colleague quickly added Flask-Talisman to the app, but after deploying the change, the API became completely unreachable: clients were hitting an infinite redirect loop. The colleague reverted the change and has asked you to add the security headers correctly so they work behind the ALB without causing redirects.

The current (reverted) state of the app is shown below. Add Talisman with the correct settings for this deployment, and update requirements.txt to include the new dependency.

Output Specification

Produce the following files:

  • app.py — the updated Flask application with Talisman correctly configured
  • requirements.txt — updated dependencies

Input Files

The following files are provided as inputs. Extract them before beginning.

=============== FILE: app.py ===============

import os
from flask import Flask, jsonify, request


def create_app():
    app = Flask(__name__)
    app.config['SECRET_KEY'] = os.getenv('SECRET_KEY')
    if not app.config['SECRET_KEY'] and not app.config.get('TESTING'):
        raise RuntimeError('SECRET_KEY environment variable is required')

    @app.route('/api/health', methods=['GET'])
    def health():
        return jsonify({'status': 'ok'})

    @app.route('/api/data', methods=['GET'])
    def get_data():
        return jsonify({'records': [1, 2, 3]})

    @app.route('/api/data', methods=['POST'])
    def create_data():
        data = request.get_json(silent=True)
        if data is None:
            return jsonify({'error': 'Request body must be JSON'}), 400
        return jsonify({'created': True}), 201

    return app


if __name__ == '__main__':
    app = create_app()
    app.run()

=============== FILE: requirements.txt ===============

flask>=3.0
