SecureChat was built to demonstrate secure software development principles in a real-world web application. It addresses the critical need for security-first design, tackling common vulnerabilities such as CSRF attacks, SQL injection, brute-force login attempts, insecure file uploads, and weak session management, while delivering a polished, modern user experience.
A Flask-based secure messaging application that provides:
- User Authentication with bcrypt-hashed passwords
- Role-Based Access Control (RBAC) with admin privileges
- CSRF-Protected Forms via Flask-WTF
- Rate-Limited Endpoints to prevent brute-force attacks
- Secure File Uploads with type validation and size limits
- Security Headers enforced via Flask-Talisman
- 4-Digit Verification Codes for destructive actions (delete)
- Users register and authenticate through a secure login system
- Messages are managed via full CRUD operations with ownership enforcement
- File attachments are validated, sanitized, and stored securely
- Rate limiting, CSRF tokens, and security headers protect every endpoint
- Sensitive configuration is loaded from environment variables
| Feature | Description |
|---|---|
| Bcrypt Password Hashing | Passwords are never stored in plaintext |
| CSRF Protection | All forms protected via Flask-WTF CSRF tokens |
| Rate Limiting | Login endpoint restricted to 5 attempts/minute |
| Secure File Uploads | Type whitelist, filename sanitization, 5 MB limit |
| Role-Based Access (RBAC) | Admin-only routes and ownership-based operations |
| Security Headers | Talisman enforces X-Frame-Options, HSTS, etc. |
| Secure Cookies | HTTPOnly, SameSite=Lax, Secure flags enabled |
| Delete Verification | Cryptographic 4-digit code required before deletion |
| Server Fingerprint Masking | Custom server header hides technology stack |
| Glassmorphism UI | Modern, responsive interface with AOS animations |
Backend:
- Python 3.8+
- Flask 3.x
- Flask-SQLAlchemy (ORM)
- Flask-Bcrypt (Password Hashing)
- Flask-WTF (CSRF Protection)
- Flask-Talisman (Security Headers)
- Flask-Limiter (Rate Limiting)
- python-dotenv (Environment Management)
Frontend:
- HTML5 / CSS3
- Bootstrap 5.3
- Google Fonts (Outfit)
- Font Awesome 6.4
- AOS (Animate On Scroll)
Database:
- SQLite (development)
```
SecureChat/
├── templates/
│   ├── index.html          # Main chat console + hero page
│   ├── login.html          # Login form
│   ├── register.html       # Registration form
│   ├── update.html         # Message edit form
│   ├── confirm_delete.html # Delete verification page
│   ├── about.html          # About / story page
│   ├── 404.html            # Custom 404 error page
│   └── 500.html            # Custom 500 error page
├── uploads/                # User-uploaded files (gitignored)
├── instance/               # SQLite database (gitignored)
├── app.py                  # Main Flask application
├── forms.py                # WTForms form definitions
├── init_db.py              # Database initialization script
├── requirements.txt        # Python dependencies
├── .env                    # Environment variables (gitignored)
├── .gitignore              # Git exclusion rules
└── README.md               # This file
```
- Python 3.8 or later
- pip package manager
```bash
git clone https://github.com/MohidUmer/SecureChat.git
cd SecureChat
pip install -r requirements.txt
```

Create a .env file in the project root:

```
FLASK_SECRET_KEY=your_secret_key_here_change_in_production
DATABASE_URL=sqlite:///securechat.db
```

Initialize the database and start the application:

```bash
python init_db.py
python app.py
```

Access the application at: http://localhost:5000
- Registration with input validation (regex, length, email format)
- Bcrypt password hashing with salt
- Session-based authentication
- Login rate limiting (5 attempts/minute)
- Create messages with optional file attachments
- Read all messages in a live data log table
- Update messages with ownership verification
- Delete messages with 4-digit security code challenge
- Whitelist validation: `png, jpg, jpeg, gif, pdf, txt, doc, docx, zip`
- `secure_filename()` sanitization to prevent path traversal
- 5 MB maximum file size enforcement
- Unique stored filenames to prevent collisions
- Drag-and-drop upload UI with file chip previews
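An added, stdlib-only illustration of the upload policy listed above (whitelist, sanitization, 5 MB cap, unique stored names); it is not SecureChat's own code, and `sanitize_filename()` is a stand-in for werkzeug's `secure_filename()`, written here so the example runs without Flask or Werkzeug installed.

```python
import os
import re
import secrets
import unicodedata

# Constructed to mirror the README's upload policy; not the project's own module.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "doc", "docx", "zip"}
MAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MB

_KEEP_RE = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_filename(filename: str) -> str:
    """Stdlib stand-in for werkzeug.utils.secure_filename(): strip directory
    separators (so '../' sequences cannot escape the upload folder), non-ASCII
    and shell-unfriendly characters, and leading dots (no hidden files)."""
    filename = unicodedata.normalize("NFKD", filename).encode("ascii", "ignore").decode("ascii")
    for sep in (os.sep, os.path.altsep, "/", "\\"):
        if sep:
            filename = filename.replace(sep, " ")
    filename = "_".join(filename.split())  # collapse whitespace runs into "_"
    return _KEEP_RE.sub("", filename).strip("._")


def allowed_extension(filename: str) -> bool:
    """Whitelist check on the final extension only, as the README describes.
    A name like 'a.php.png' therefore passes; the server-side name below never
    reuses the client name, so the whitelist is not the only line of defence."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def validate_upload(client_filename: str, data: bytes) -> str:
    """Apply all three checks and return a unique stored filename, or raise."""
    name = sanitize_filename(client_filename)
    if not name or not allowed_extension(name):
        raise ValueError("file type not allowed")
    if len(data) > MAX_FILE_SIZE:
        raise ValueError("file exceeds 5 MB limit")
    ext = name.rsplit(".", 1)[1].lower()
    # Random stored name: no collisions between users, and nothing the client
    # chose (not even the sanitized name) is used as a filesystem path.
    return f"{secrets.token_hex(16)}.{ext}"
```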
- `@login_required` decorator for authenticated routes
- `@admin_required` decorator for admin-only operations
- Ownership checks on edit/delete operations
- Admin users can manage all content
| Security Layer | Implementation | Threat Mitigated |
|---|---|---|
| Password Storage | Bcrypt hashing with salt | Credential theft |
| CSRF Protection | Flask-WTF hidden tokens on all forms | Cross-Site Request Forgery |
| Rate Limiting | Flask-Limiter (5/min on login) | Brute-force attacks |
| Security Headers | Flask-Talisman (X-Frame, HSTS, etc.) | Clickjacking, MITM |
| Input Validation | WTForms validators + regex | Injection attacks |
| File Upload | Whitelist + secure_filename + size limit | Malicious file upload |
| Session Security | HTTPOnly, SameSite, Secure cookie flags | Session hijacking |
| Delete Verification | Cryptographic 4-digit code (secrets module) | Accidental/unauthorized deletion |
| Server Masking | Custom Werkzeug version string | Technology fingerprinting |
| Environment Secrets | python-dotenv for keys and URIs | Secret exposure in code |
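The delete-verification row above describes a 4-digit code generated with the `secrets` module. Because a 4-digit code has only 10,000 possible values, the code is only as strong as the controls around it: it must be single-use, short-lived, bound to the requesting user and message, and capped in attempts. The following is an added stdlib example of those controls, not SecureChat's own implementation; the class name, TTL and attempt limit are assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed example; values are assumptions, not SecureChat's settings.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class DeleteChallenge:
    """Server-side state for one pending deletion (in a real app this lives
    in the session or database, never in a client-controlled field)."""

    def __init__(self, user_id: int, message_id: int, now: Optional[float] = None):
        self.user_id = user_id
        self.message_id = message_id
        # secrets.randbelow is uniform, unlike random.randint, so no digit pattern leaks.
        self.code = f"{secrets.randbelow(10_000):04d}"
        self.created_at = time.time() if now is None else now
        self.attempts = 0
        self.consumed = False

    def verify(self, user_id: int, message_id: int, submitted: str,
               now: Optional[float] = None) -> bool:
        """Return True exactly once, for the right user, message and code."""
        now = time.time() if now is None else now
        if self.consumed or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.created_at > CODE_TTL_SECONDS:
            self.consumed = True  # an expired code is dead; a new one must be issued
            return False
        self.attempts += 1
        # Bind the code to the principal and object that requested it, and
        # compare in constant time so response timing reveals nothing.
        ok = (user_id == self.user_id and message_id == self.message_id
              and hmac.compare_digest(self.code, submitted.strip()))
        if ok or self.attempts >= MAX_ATTEMPTS:
            self.consumed = True  # single use on success, burned on too many failures
        return ok
```

The attempt cap is what makes the 4-digit space safe to use; the application's rate limiter is a second, independent layer on the same endpoint.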
```
User Registers → Password Hashed (Bcrypt) → Account Created
        ↓
User Logs In → Rate Limit Check → Session Established
        ↓
User Sends Message → CSRF Validated → File Sanitized → Stored in DB
        ↓
User Edits/Deletes → Ownership Verified → Action Authorized
        ↓
Admin Operations → RBAC Check → Elevated Actions Permitted
```
- Passwords are hashed and salted, never stored in plaintext
- User sessions are HTTPOnly and SameSite protected
- File uploads are sanitized and stored with collision-resistant names
- No external analytics or tracking is implemented
- Environment variables keep secrets out of source code
- Rate limiting enforced via Flask-Limiter (200/day, 50/hour global; 5/min on login)
- CORS-ready architecture
- Custom error handlers for 404 and 500 responses
- Debug mode disabled in production
- Single SQLite database (not suitable for production at scale)
- No real-time WebSocket messaging (HTTP request/response model)
- No password reset / email verification flow
- No message encryption at rest
- Web-only interface (no mobile app)
1. Register a new account → Login
2. Type a message → Attach files (optional) → Execute Transmission
3. View messages in the Live Data Logs table
4. Edit your own messages via the modify button
5. Delete messages using the 4-digit security verification
- End-to-end message encryption
- WebSocket-based real-time messaging
- Password reset via email verification
- User profile pages with avatars
- Message search and filtering
- Database migration to PostgreSQL for production
- Docker containerization
- Two-factor authentication (2FA)
SecureChat demonstrates:
- Secure authentication with password hashing and session management
- CSRF protection across all state-changing operations
- Rate limiting to prevent abuse
- Secure file handling with validation and sanitization
- Role-based access control with decorators
- Security headers via middleware
- Environment-based configuration for secret management
- Modern UI/UX design with glassmorphism and animations
Name: Mohid Umer
Email: [email protected]
- Educational and personal use only
- Proper attribution required
- Not permitted for academic plagiarism
- See repository LICENSE for details
SecureChat showcases modern secure software development principles through a practical, well-designed messaging application that prioritizes security at every layer of the stack.