Admin Dashboard with Content Security Policy Support

Summary

Build a Flask web application with an admin interface that implements Content Security Policy (CSP) headers with dynamic nonce generation. The admin interface should be secure against XSS attacks by using CSP nonces for inline scripts and styles.

Requirements

1. Flask Application Setup

Create a Flask application with the following:

• A basic Flask app instance with a secret key
• An admin interface that serves as the main dashboard
• A custom index page for the admin interface

2. Content Security Policy Configuration

Implement CSP headers that:

• Generate a unique nonce value for each request
• Include the nonce in the CSP header's script-src and style-src directives
• Make the nonce available to templates for use in inline scripts and styles
• Apply CSP headers to all admin pages

3. Admin Interface

Create an admin interface with:

• A custom index view that displays a welcome message
• At least one inline script that uses the CSP nonce
• At least one inline style that uses the CSP nonce
• Proper integration with the Flask application

Dependencies { .dependencies }

Flask { .dependency }

Web framework for building the application.

Flask-Admin { .dependency }

Admin interface framework that supports CSP nonce generation.

Test Cases

Test 1: CSP Header Generation { .test-case }

File: test_csp.py { .test }

Test: Verify that CSP headers are present in admin responses

def test_csp_header_present(client):
    """Test that CSP header is present in admin page response"""
    response = client.get('/admin/')
    assert 'Content-Security-Policy' in response.headers
    csp_header = response.headers['Content-Security-Policy']
    assert 'script-src' in csp_header
    assert 'nonce-' in csp_header

Test 2: Nonce Uniqueness { .test-case }

File: test_csp.py { .test }

Test: Verify that each request generates a unique nonce

def test_nonce_uniqueness(client):
    """Test that each request generates a unique nonce"""
    response1 = client.get('/admin/')
    response2 = client.get('/admin/')

    csp_header1 = response1.headers.get('Content-Security-Policy', '')
    csp_header2 = response2.headers.get('Content-Security-Policy', '')

    # Extract nonce values from CSP headers
    import re
    nonce1 = re.search(r"nonce-([A-Za-z0-9+/=]+)", csp_header1)
    nonce2 = re.search(r"nonce-([A-Za-z0-9+/=]+)", csp_header2)

    assert nonce1 is not None
    assert nonce2 is not None
    assert nonce1.group(1) != nonce2.group(1)

Test 3: Nonce Template Integration { .test-case }

File: test_csp.py { .test }

Test: Verify that the nonce is available in templates

def test_nonce_in_template(client):
    """Test that nonce is accessible in template context"""
    response = client.get('/admin/')
    assert response.status_code == 200

    # Extract nonce from CSP header
    import re
    csp_header = response.headers.get('Content-Security-Policy', '')
    nonce_match = re.search(r"nonce-([A-Za-z0-9+/=]+)", csp_header)
    assert nonce_match is not None

    nonce_value = nonce_match.group(1)
    # Verify nonce is used in the HTML response
    assert f'nonce="{nonce_value}"' in response.get_data(as_text=True) or \
           f"nonce='{nonce_value}'" in response.get_data(as_text=True)

Constraints

• Use Flask-Admin's built-in CSP nonce support
• Do not hardcode nonce values
• Ensure nonces are cryptographically random
• The solution should be production-ready and secure

Expected Output

When running the application and accessing /admin/, the response should:

1. Include a Content-Security-Policy header with a unique nonce
2. Use the nonce in any inline scripts or styles in the admin interface
3. Pass all test cases