secure.py 🔒 is a lightweight package that adds optional security headers for Python web frameworks.

Supported frameworks: aiohttp, Bottle, CherryPy, Django, Falcon, FastAPI, Flask, hug, Masonite, Pyramid, Quart, Responder, Sanic, Starlette, Tornado
pip:

```shell
pip install secure
```

Pipenv:

```shell
pipenv install secure
```
After installing secure:

```python
import secure

secure_headers = secure.Secure()

# "framework" stands for the integration for your framework,
# e.g. secure_headers.framework.fastapi(response) or secure_headers.framework.flask(response)
secure_headers.framework(response)
```
Default HTTP response headers:

```http
strict-transport-security: max-age=63072000; includeSubdomains
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
referrer-policy: no-referrer, strict-origin-when-cross-origin
cache-control: no-store
```
Content Security Policy builder:

```python
csp = (
    secure.ContentSecurityPolicy()
    .default_src("'none'")
    .base_uri("'self'")
    .connect_src("'self'", "api.spam")
    .frame_src("'none'")
    .img_src("'self'", "static.spam")
)

secure_headers = secure.Secure(csp=csp)
```
HTTP response headers:

```http
strict-transport-security: max-age=63072000; includeSubdomains
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
referrer-policy: no-referrer, strict-origin-when-cross-origin
cache-control: no-store
content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self' api.spam; frame-src 'none'; img-src 'self' static.spam
```
Please see the full set of documentation at https://secure.readthedocs.io

FastAPI example:
```python
import uvicorn
from fastapi import FastAPI
import secure

app = FastAPI()

# Replace the Server header instead of advertising the real server software.
server = secure.Server().set("Secure")

csp = (
    secure.ContentSecurityPolicy()
    .default_src("'none'")
    .base_uri("'self'")
    .connect_src("'self'", "api.spam")
    .frame_src("'none'")
    .img_src("'self'", "static.spam")
)

hsts = secure.StrictTransportSecurity().include_subdomains().preload().max_age(2592000)

referrer = secure.ReferrerPolicy().no_referrer()

permissions_value = (
    secure.PermissionsPolicy().geolocation("self", "'spam '").vibrate()
)

cache_value = secure.CacheControl().must_revalidate()

secure_headers = secure.Secure(
    server=server,
    csp=csp,
    hsts=hsts,
    referrer=referrer,
    permissions=permissions_value,
    cache=cache_value,
)


@app.middleware("http")
async def set_secure_headers(request, call_next):
    # Let the route produce its response, then stamp the configured headers on it.
    response = await call_next(request)
    secure_headers.framework.fastapi(response)
    return response


@app.get("/")
async def root():
    return {"message": "Secure"}


if __name__ == "__main__":
    uvicorn.run(app, port=8081, host="localhost")
```
HTTP response headers:

```http
server: Secure
strict-transport-security: includeSubDomains; preload; max-age=2592000
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self' api.spam; frame-src 'none'; img-src 'self' static.spam
referrer-policy: no-referrer
cache-control: must-revalidate
permissions-policy: geolocation=(self 'spam '), vibrate=()
```
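Both the builder example and the FastAPI example end with a header listing, and the practical question is whether those headers actually meet a baseline. The script below is an added example for this README, not part of secure.py, and it does not import it: it parses the `strict-transport-security` and `content-security-policy` values of a response header dict and returns a list of findings. The two sample header sets are constructed from the listings above; the one-year HSTS floor (`MIN_HSTS_MAX_AGE`) is an assumption, and the check for a quote that does not wrap a whole CSP source token is there to catch fused sources such as `'self'api.spam`, which is what a missing comma between the `connect_src` arguments produces.

```python
"""Audit a response's security headers against a small baseline.

Added example for this README; not part of secure.py and independent of it.
Sample header sets are constructed from the README's header listings; the
one-year HSTS floor is an assumption.
"""
from typing import Dict, List

# Assumed baseline: HSTS max-age of at least one year, in seconds.
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into lower-cased keys."""
    parsed: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            parsed[key.strip().lower()] = val.strip()
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header dict; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        parsed = parse_hsts(hsts)
        max_age = int(parsed.get("max-age") or 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in parsed:
            findings.append("hsts lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        policy = parse_csp(csp)
        if policy.get("default-src") not in (["'none'"], ["'self'"]):
            findings.append("default-src is not 'none' or 'self'")
        if "base-uri" not in policy:
            findings.append("csp has no base-uri directive")
        for directive, sources in policy.items():
            for src in sources:
                if src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                    findings.append(f"{directive} allows {src}")
                # A quote that does not wrap the whole token means two sources
                # were fused into one, e.g. 'self'api.spam from a missing comma.
                elif "'" in src and not (src.startswith("'") and src.endswith("'")):
                    findings.append(f"{directive} has malformed source {src}")
    return findings


# Constructed from the README's default header listing (no CSP configured).
DEFAULT_HEADERS = {
    "strict-transport-security": "max-age=63072000; includeSubdomains",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "0",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer, strict-origin-when-cross-origin",
    "cache-control": "no-store",
}

# Constructed from the README's FastAPI example output.
FASTAPI_HEADERS = {
    "server": "Secure",
    "strict-transport-security": "includeSubDomains; preload; max-age=2592000",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "0",
    "x-content-type-options": "nosniff",
    "content-security-policy": (
        "default-src 'none'; base-uri 'self'; connect-src 'self' api.spam; "
        "frame-src 'none'; img-src 'self' static.spam"
    ),
    "referrer-policy": "no-referrer",
    "cache-control": "must-revalidate",
    "permissions-policy": "geolocation=(self 'spam '), vibrate=()",
}

if __name__ == "__main__":
    for name, hdrs in (("defaults", DEFAULT_HEADERS), ("fastapi", FASTAPI_HEADERS)):
        print(name, audit_headers(hdrs) or "ok")
```

Run against the README's own listings, the default set is flagged only for having no Content-Security-Policy, and the FastAPI set only for its 30-day HSTS max-age; the `max_age(2592000)` in the example is therefore the first setting to revisit before deploying it as-is.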