
Implement secure headers in Python web frameworks to enhance application security


TypeError/secure


secure.py


secure.py 🔒 is a lightweight package that adds optional security headers for Python web frameworks.

Supported Python web frameworks

aiohttp, Bottle, CherryPy, Django, Falcon, FastAPI, Flask, hug, Masonite, Pyramid, Quart, Responder, Sanic, Starlette, Tornado

Install

pip:

```shell
pip install secure
```

Pipenv:

```shell
pipenv install secure
```

After installing secure:

```python
import secure

secure_headers = secure.Secure()
```

Secure Headers

Example

```python
secure_headers.framework(response)
```

Default HTTP response headers:

strict-transport-security:max-age=63072000; includeSubdomains
x-frame-options:SAMEORIGIN
x-xss-protection:0
x-content-type-options:nosniff
referrer-policy:no-referrer, strict-origin-when-cross-origin
cache-control:no-store

Policy Builders

Policy Builder Example

Content Security Policy builder:

```python
csp = (
    secure.ContentSecurityPolicy()
    .default_src("'none'")
    .base_uri("'self'")
    .connect_src("'self'", "api.spam")
    .frame_src("'none'")
    .img_src("'self'", "static.spam")
)
secure_headers = secure.Secure(csp=csp)
```

HTTP response headers:

strict-transport-security:max-age=63072000; includeSubdomains
x-frame-options:SAMEORIGIN
x-xss-protection:0
x-content-type-options:nosniff
referrer-policy:no-referrer, strict-origin-when-cross-origin
cache-control:no-store
content-security-policy:default-src 'none'; base-uri 'self'; connect-src 'self' api.spam; frame-src 'none'; img-src 'self' static.spam

Documentation

Please see the full set of documentation at https://secure.readthedocs.io

FastAPI Example

```python
import uvicorn
from fastapi import FastAPI
import secure

app = FastAPI()

# Replace the default Server header value so the framework is not advertised.
server = secure.Server().set("Secure")

# Deny everything by default and allow-list only the origins the app needs.
csp = (
    secure.ContentSecurityPolicy()
    .default_src("'none'")
    .base_uri("'self'")
    .connect_src("'self'", "api.spam")
    .frame_src("'none'")
    .img_src("'self'", "static.spam")
)

hsts = secure.StrictTransportSecurity().include_subdomains().preload().max_age(2592000)

referrer = secure.ReferrerPolicy().no_referrer()

permissions_value = (
    secure.PermissionsPolicy().geolocation("self", "'spam '").vibrate()
)

cache_value = secure.CacheControl().must_revalidate()

secure_headers = secure.Secure(
    server=server,
    csp=csp,
    hsts=hsts,
    referrer=referrer,
    permissions=permissions_value,
    cache=cache_value,
)


@app.middleware("http")
async def set_secure_headers(request, call_next):
    # Run the handler first, then stamp the headers onto every response.
    response = await call_next(request)
    secure_headers.framework.fastapi(response)
    return response


@app.get("/")
async def root():
    return {"message": "Secure"}


if __name__ == "__main__":
    uvicorn.run(app, port=8081, host="localhost")
```

HTTP response headers:

server:Secure
strict-transport-security:includeSubDomains; preload; max-age=2592000
x-frame-options:SAMEORIGIN
x-xss-protection:0
x-content-type-options:nosniff
content-security-policy:default-src 'none'; base-uri 'self'; connect-src 'self' api.spam; frame-src 'none'; img-src 'self' static.spam
referrer-policy:no-referrer
cache-control:must-revalidate
permissions-policy:geolocation=(self 'spam '), vibrate=()
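Once the middleware is in place, it is worth checking the emitted headers against a baseline rather than trusting the builder calls by eye. The following is an added example, not part of secure.py: it parses headers like those shown above (the sample text block is constructed from the FastAPI output) and flags a short HSTS max-age, a missing `default-src`, a missing `nosniff`, and CSP source tokens that were glued together by a missing comma in a builder call.

```python
import re
from typing import Dict, List

# Constructed sample: the FastAPI example's response headers, as one text block.
SAMPLE_HEADERS = """\
strict-transport-security: includeSubDomains; preload; max-age=2592000
x-content-type-options: nosniff
content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self' api.spam; frame-src 'none'; img-src 'self' static.spam
referrer-policy: no-referrer
"""

def parse_headers(raw: str) -> Dict[str, str]:
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so key them lower-cased
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source, ...]}; directives are ';'-separated."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def hsts_max_age(value: str) -> int:
    """HSTS max-age in seconds, or -1 if the directive is absent."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else -1

def audit(headers: Dict[str, str], min_hsts: int = 31536000) -> List[str]:
    """Return findings; an empty list means the baseline is met."""
    findings: List[str] = []
    if hsts_max_age(headers.get("strict-transport-security", "")) < min_hsts:
        findings.append(f"HSTS max-age below {min_hsts} seconds")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    csp = parse_csp(headers.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    for directive, sources in csp.items():
        for src in sources:
            # A quote inside a token (e.g. 'self'api.spam) means two sources were glued together.
            if "'" in src and not (src.startswith("'") and src.endswith("'")):
                findings.append(f"{directive}: malformed source {src!r}")
    return findings
```

With the 30-day `max_age(2592000)` from the example, `audit(parse_headers(SAMPLE_HEADERS))` reports only the HSTS finding; the one-year threshold is an assumption of this example, not a secure.py default.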

Resources