Workspace: tessl
Visibility: Public
Describes: pypipkg:pypi/flask-admin@1.6.x (tile.json)

tessl/pypi-flask-admin

tessl install tessl/pypi-flask-admin@1.6.0

Simple and extensible admin interface framework for Flask

Agent Success: 86% (agent success rate when using this tile)

Improvement: 1.3x (agent success rate improvement when using this tile compared to baseline)

Baseline: 66% (agent success rate without this tile)

evals/scenario-1/task.md

Admin Dashboard with Content Security Policy Support

Summary

Build a Flask web application with an admin interface that implements Content Security Policy (CSP) headers with dynamic nonce generation. The admin interface should be secure against XSS attacks by using CSP nonces for inline scripts and styles.

Requirements

1. Flask Application Setup

Create a Flask application with the following:

  • A basic Flask app instance with a secret key
  • An admin interface that serves as the main dashboard
  • A custom index page for the admin interface

2. Content Security Policy Configuration

Implement CSP headers that:

  • Generate a unique nonce value for each request
  • Include the nonce in the CSP header's script-src and style-src directives
  • Make the nonce available to templates for use in inline scripts and styles
  • Apply CSP headers to all admin pages

3. Admin Interface

Create an admin interface with:

  • A custom index view that displays a welcome message
  • At least one inline script that uses the CSP nonce
  • At least one inline style that uses the CSP nonce
  • Proper integration with the Flask application

Dependencies

Flask

Web framework for building the application.

Flask-Admin

Admin interface framework that supports CSP nonce generation.

Test Cases

Test 1: CSP Header Generation

File: test_csp.py

Test: Verify that CSP headers are present in admin responses

def test_csp_header_present(client):
    """Test that CSP header is present in admin page response"""
    response = client.get('/admin/')
    assert 'Content-Security-Policy' in response.headers
    csp_header = response.headers['Content-Security-Policy']
    assert 'script-src' in csp_header
    assert 'nonce-' in csp_header

Test 2: Nonce Uniqueness

File: test_csp.py

Test: Verify that each request generates a unique nonce

def test_nonce_uniqueness(client):
    """Test that each request generates a unique nonce"""
    response1 = client.get('/admin/')
    response2 = client.get('/admin/')

    csp_header1 = response1.headers.get('Content-Security-Policy', '')
    csp_header2 = response2.headers.get('Content-Security-Policy', '')

    # Extract nonce values from CSP headers
    import re
    nonce1 = re.search(r"nonce-([A-Za-z0-9+/=]+)", csp_header1)
    nonce2 = re.search(r"nonce-([A-Za-z0-9+/=]+)", csp_header2)

    assert nonce1 is not None
    assert nonce2 is not None
    assert nonce1.group(1) != nonce2.group(1)

Test 3: Nonce Template Integration

File: test_csp.py

Test: Verify that the nonce is available in templates

def test_nonce_in_template(client):
    """Test that nonce is accessible in template context"""
    response = client.get('/admin/')
    assert response.status_code == 200

    # Extract nonce from CSP header
    import re
    csp_header = response.headers.get('Content-Security-Policy', '')
    nonce_match = re.search(r"nonce-([A-Za-z0-9+/=]+)", csp_header)
    assert nonce_match is not None

    nonce_value = nonce_match.group(1)
    # Verify nonce is used in the HTML response
    assert f'nonce="{nonce_value}"' in response.get_data(as_text=True) or \
           f"nonce='{nonce_value}'" in response.get_data(as_text=True)

Constraints

  • Use Flask-Admin's built-in CSP nonce support
  • Do not hardcode nonce values
  • Ensure nonces are cryptographically random
  • The solution should be production-ready and secure
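The nonce handling that requirement 2 and Test 3 describe, as an added, framework-independent example (not code from this task or from Flask-Admin): it generates a cryptographically random nonce, builds the script-src/style-src policy around it, and audits a rendered page for inline script or style elements whose nonce does not match the header, which is what a browser would block. The `sample_page` markup is constructed for the example.

```python
import base64
import re
import secrets
from html.parser import HTMLParser


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh, unpredictable nonce (128 bits by default) as standard base64.

    Standard base64 is used here because the task's tests match nonces with
    [A-Za-z0-9+/=]; a base64url nonce (secrets.token_urlsafe) would be cut
    short at the first '-' or '_' by that pattern.
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp_header(nonce: str) -> str:
    """Policy allowing same-origin resources and only nonce-tagged inline code."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            f"style-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'self'")


# Accepts both the base64 and base64url alphabets, as the CSP grammar does.
_NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'")


def nonces_in_header(header: str) -> set:
    """Every nonce value the policy advertises."""
    return set(_NONCE_RE.findall(header))


class _InlineCode(HTMLParser):
    """Collect inline <script>/<style> tags and the nonce attribute they carry."""
    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, nonce or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <script src=...> is an external resource governed by 'self', not a nonce.
        if tag == "style" or (tag == "script" and "src" not in attrs):
            self.found.append((tag, attrs.get("nonce")))


def audit_inline_code(csp_header: str, html: str) -> list:
    """Inline elements the browser would block: missing or non-matching nonce."""
    allowed = nonces_in_header(csp_header)
    parser = _InlineCode()
    parser.feed(html)
    return [(tag, n) for tag, n in parser.found if n not in allowed]


def sample_page(nonce: str) -> str:
    """Constructed page: a tagged style, a tagged script, and one untagged script."""
    return (f'<html><head><style nonce="{nonce}">h1{{color:red}}</style></head>'
            f'<body><h1>Welcome</h1><script nonce="{nonce}">console.log("ok")</script>'
            '<script>console.log("untagged")</script></body></html>')
```

Running `audit_inline_code` over a response's header and body in a test catches a template that forgot to pass the nonce through, which Test 3 only checks for one occurrence.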

Expected Output

When running the application and accessing /admin/, the response should:

  1. Include a Content-Security-Policy header with a unique nonce
  2. Use the nonce in any inline scripts or styles in the admin interface
  3. Pass all test cases