Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/TypeError/secure
Implement secure headers in Python web frameworks to enhance application security
https://github.com/TypeError/secure
aiohttp bottle cherrypy django falcon fastapi flask masonite pyramid responder sanic starlette tornado
Last synced: 2 days ago
JSON representation
Implement secure headers in Python web frameworks to enhance application security
- Host: GitHub
- URL: https://github.com/TypeError/secure
- Owner: TypeError
- License: mit
- Created: 2018-11-27T00:59:09.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-05-18T10:08:09.000Z (about 2 months ago)
- Last Synced: 2024-06-28T11:27:38.442Z (5 days ago)
- Topics: aiohttp, bottle, cherrypy, django, falcon, fastapi, flask, masonite, pyramid, responder, sanic, starlette, tornado
- Language: Python
- Homepage: https://secure.rtfd.io
- Size: 126 KB
- Stars: 682
- Watchers: 16
- Forks: 28
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- my-awesome - TypeError/secure - Implement secure headers in Python web frameworks to enhance application security (Python)
- awesome-stars - secure
README
# secure.py
[![image](https://img.shields.io/pypi/v/secure.svg)](https://pypi.org/project/secure/)
[![Python 3](https://img.shields.io/badge/python-3-blue.svg)](https://www.python.org/downloads/)
[![image](https://img.shields.io/pypi/l/secure.svg)](https://pypi.org/project/secure/)
[![image](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
[![Build Status](https://travis-ci.org/TypeError/secure.svg?branch=master)](https://travis-ci.org/TypeError/secure)secure.py π is a lightweight package that adds optional security headers for Python web frameworks.
## Supported Python web frameworks
[aiohttp](https://docs.aiohttp.org), [Bottle](https://bottlepy.org), [CherryPy](https://cherrypy.org), [Django](https://www.djangoproject.com), [Falcon](https://falconframework.org), [FastAPI](https://fastapi.tiangolo.com), [Flask](http://flask.pocoo.org), [hug](http://www.hug.rest), [Masonite](https://docs.masoniteproject.com), [Pyramid](https://trypyramid.com), [Quart](https://pgjones.gitlab.io/quart/), [Responder](https://python-responder.org), [Sanic](https://sanicframework.org), [Starlette](https://www.starlette.io/), [Tornado](https://www.tornadoweb.org/)
## Install
**pip**:
```console
pip install secure
```**Pipenv**:
```console
pipenv install secure
```After installing secure:
```Python
import securesecure_headers = secure.Secure()
```## Secure Headers
### Example
`secure_headers.framework(response)`
**Default HTTP response headers:**
```HTTP
strict-transport-security: max-age=63072000; includeSubdomains
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
referrer-policy: no-referrer, strict-origin-when-cross-origin
cache-control: no-store
```## Policy Builders
### Policy Builder Example
**Content Security Policy builder:**
```python
csp = (
secure.ContentSecurityPolicy()
.default_src("'none'")
.base_uri("'self'")
.connect_src("'self'", "api.spam.com")
.frame_src("'none'")
.img_src("'self'", "static.spam.com")
)
secure_headers = secure.Secure(csp=csp)
```**HTTP response headers:**
```HTTP
strict-transport-security: max-age=63072000; includeSubdomains
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
referrer-policy: no-referrer, strict-origin-when-cross-origin
cache-control: no-store
content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self' api.spam.com; frame-src 'none'; img-src 'self' static.spam.com"
```## Documentation
Please see the full set of documentation at [https://secure.readthedocs.io](https://secure.readthedocs.io)
## FastAPI Example
```python
import uvicorn
from fastapi import FastAPI
import secureapp = FastAPI()
server = secure.Server().set("Secure")
csp = (
secure.ContentSecurityPolicy()
.default_src("'none'")
.base_uri("'self'")
.connect_src("'self'" "api.spam.com")
.frame_src("'none'")
.img_src("'self'", "static.spam.com")
)hsts = secure.StrictTransportSecurity().include_subdomains().preload().max_age(2592000)
referrer = secure.ReferrerPolicy().no_referrer()
permissions_value = (
secure.PermissionsPolicy().geolocation("self", "'spam.com'").vibrate()
)cache_value = secure.CacheControl().must_revalidate()
secure_headers = secure.Secure(
server=server,
csp=csp,
hsts=hsts,
referrer=referrer,
permissions=permissions_value,
cache=cache_value,
)@app.middleware("http")
async def set_secure_headers(request, call_next):
response = await call_next(request)
secure_headers.framework.fastapi(response)
return response@app.get("/")
async def root():
return {"message": "Secure"}if __name__ == "__main__":
uvicorn.run(app, port=8081, host="localhost")
```**HTTP response headers:**
```HTTP
server: Secure
strict-transport-security: includeSubDomains; preload; max-age=2592000
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self'api.spam.com; frame-src 'none'; img-src 'self' static.spam.com
referrer-policy: no-referrer
cache-control: must-revalidate
permissions-policy: geolocation=(self 'spam.com'), vibrate=()
```## Resources
- [kennethreitz/setup.py: π¦ A Humanβs Ultimate Guide to setup.py.](https://github.com/kennethreitz/setup.py)
- [OWASP - Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
- [Mozilla Web Security](https://infosec.mozilla.org/guidelines/web_security)
- [securityheaders.com](https://securityheaders.com)
- [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security)
- [web.dev](https://web.dev)
- [The World Wide Web Consortium (W3C)](https://www.w3.org)