Securing the app
Much of what we’ve done so far uses secure defaults (for example, the Strict SameSite setting used in Chapter 2, Creating a Reusable Backend with Quart); however, there is always more that can be done to secure an app. Specifically, we can utilize secure headers to limit what the browser will allow the page to do, further protect against account enumeration, and restrict which accounts can register in order to limit spam. Let’s look at those security options now.
Adding secure headers
To further secure our app, we can utilize additional secure headers to limit what the browser will allow the app to do. These headers should be added to every response the app sends; we can do this by adding the following to backend/src/backend/run.py:
from quart import Response
from werkzeug.http import COOP

@app.after_request
async def add_headers(response: Response) -> Response:
    response.content_security_policy.default_src = "'self...
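The hook above sets the headers on every response; what it does not show is how to check that a response actually carries them, which is the test you want in CI. The following is an added example, not the book's code: it builds the same kind of header set (a Content-Security-Policy composed from a directive map, COOP, Referrer-Policy, nosniff and HSTS) in plain Python so it runs without Quart installed, and audits a response's headers for missing or weak values. The header names and values are standard; the Quart wiring at the bottom is an assumption about how it would attach to the book's app object.

```python
"""Build secure response headers and audit a response for them.

Added example (not from the book). Standard library only, so it runs offline;
the Quart after_request wiring at the end is an assumption and is not executed.
"""
from typing import Dict, Iterable, List, Mapping

# Directive -> allowed sources. Keyword sources such as 'self' and 'none' must
# keep their single quotes; that is part of the CSP grammar.
DEFAULT_CSP: Dict[str, Iterable[str]] = {
    "default-src": ["'self'"],
    "frame-ancestors": ["'none'"],   # equivalent to X-Frame-Options: DENY
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}

# Source expressions that defeat the point of a CSP when they appear anywhere.
WEAK_CSP_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")


def serialize_csp(policy: Mapping[str, Iterable[str]]) -> str:
    """Render a directive mapping as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def security_headers(policy: Mapping[str, Iterable[str]] = DEFAULT_CSP) -> Dict[str, str]:
    """The header set every response should carry."""
    return {
        "Content-Security-Policy": serialize_csp(policy),
        "Cross-Origin-Opener-Policy": "same-origin",          # what werkzeug's COOP.SAME_ORIGIN sets
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    }


def apply_security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers with every secure header added.

    Headers a view already set are kept, so a view can deliberately relax one
    (for example a looser Referrer-Policy) without being overwritten.
    """
    merged = dict(headers)
    for name, value in security_headers().items():
        merged.setdefault(name, value)
    return merged


def audit_headers(headers: Mapping[str, str]) -> List[str]:
    """List findings for missing or weak security headers (names case-insensitive)."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for name in security_headers():
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    csp = lower.get("content-security-policy", "")
    for token in csp.split():
        if token in WEAK_CSP_SOURCES:
            findings.append(f"weak CSP source {token}")
    if csp and "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    return findings


# Wiring into the book's Quart app (assumed shape; not executed here):
#
#     @app.after_request
#     async def add_headers(response):
#         for name, value in security_headers().items():
#             response.headers.setdefault(name, value)
#         return response

if __name__ == "__main__":
    # Constructed sample: a response whose only CSP is a weak script-src.
    weak = {"Content-Security-Policy": "script-src 'unsafe-inline'"}
    print("weak response:", audit_headers(weak))
    print("hardened response:", audit_headers(apply_security_headers({})))
```

Run the audit against a real response (for example, `client.get("/")` in the test client) and fail the test if the list is non-empty; that catches a view that accidentally drops the hook or a later edit that adds `'unsafe-inline'` to get a page working.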