secure package¶

Submodules¶

secure.headers module¶

class secure.headers.CacheControl¶

Bases: object

Prevent cacheable HTTPS response

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

immutable() → secure.headers.CacheControl¶

max_age(seconds: int) → secure.headers.CacheControl¶

max_stale(seconds: int) → secure.headers.CacheControl¶

min_fresh(seconds: int) → secure.headers.CacheControl¶

must_revalidate() → secure.headers.CacheControl¶

no_cache() → secure.headers.CacheControl¶

no_store() → secure.headers.CacheControl¶

no_transform() → secure.headers.CacheControl¶

only_if_cached() → secure.headers.CacheControl¶

private() → secure.headers.CacheControl¶

proxy_revalidate() → secure.headers.CacheControl¶

public() → secure.headers.CacheControl¶

s_maxage(seconds: int) → secure.headers.CacheControl¶

set(value: str) → secure.headers.CacheControl¶

Set custom value for Cache-control header

Parameters:	value (str) – custom header value
Returns:	CacheControl class
Return type:	CacheControl

stale_if_error(seconds: int) → secure.headers.CacheControl¶

stale_while_revalidate(seconds: int) → secure.headers.CacheControl¶

class secure.headers.ContentSecurityPolicy¶

Bases: object

Prevent Cross-site injections

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy https://developers.google.com/web/fundamentals/security/csp

base_uri(*sources) → secure.headers.ContentSecurityPolicy¶

Sets valid origins for <base>

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

child_src(*sources) → secure.headers.ContentSecurityPolicy¶

Sets valid origins for web workers

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

connect_src(*sources) → secure.headers.ContentSecurityPolicy¶

Sets valid origins for script interfaces

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

custom_directive(directive: str, *sources) → secure.headers.ContentSecurityPolicy¶

Set custom directive and sources

Parameters:	directive (str) – custom directive sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

default_src(*sources) → secure.headers.ContentSecurityPolicy¶

Sets fallback valid orgins for other directives

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

font_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for @font-face

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

form_action(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for form submissions

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

frame_ancestors(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins that can embed the resource

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

frame_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for frames

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

img_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for images

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

manifest_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for manifest files

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

media_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for media

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

static nonce(value: str) → str¶

Creates a nonce format

Parameters:	value (str) – nounce value
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

object_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for plugins

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

prefetch_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid resources that may prefetched or prerendered

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src

Parameters:	sources (str) – variable number of sources
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

report_only() → None¶: Set Content-Security-Policy header to Content-Security-Policy-Report-Only

report_to(report_to: secure.headers.ReportTo) → secure.headers.ContentSecurityPolicy¶

Configure reporting endpoints

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to

Parameters:	report_to (ReportTo) – ReportTo class
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

report_uri(*values) → secure.headers.ContentSecurityPolicy¶

Configure reporting endpoints in an older format

Deprecated This header has been deprecated in favor of report-to. However, as it is not yet supported in most browsers, it is recommended to set both headers. Browsers that support report-to will ignore report-uri if both headers are set.

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri

Parameters:	values (str) – variable number of URIs
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

sandbox(*values) → secure.headers.ContentSecurityPolicy¶

Enables sandbox restrictions

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

Parameters:	values (str) – variable number of types
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

script_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for JavaScript

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Parameters:	sources (str) – variable number of types
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

set(value: str) → secure.headers.ContentSecurityPolicy¶

Set custom value for Content-Security-Policy header

Parameters:	value (str) – custom header value
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

style_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for styles

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

Parameters:	sources (str) – variable number of types
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

upgrade_insecure_requests() → secure.headers.ContentSecurityPolicy¶

Upgrade HTTP URLs to HTTPS

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

worker_src(*sources) → secure.headers.ContentSecurityPolicy¶

Set valid origins for worker scripts

Resouces: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

Parameters:	sources (str) – variable number of types
Returns:	ContentSecurityPolicy class
Return type:	ContentSecurityPolicy

class secure.headers.PermissionsPolicy¶

Bases: object

Disable browser features and APIs

Replaces the Feature-Policy header

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md

accelerometer(*allowlist) → secure.headers.PermissionsPolicy¶

ambient_light_sensor(*allowlist) → secure.headers.PermissionsPolicy¶

autoplay(*allowlist) → secure.headers.PermissionsPolicy¶

battery(*allowlist) → secure.headers.PermissionsPolicy¶

camera(*allowlist) → secure.headers.PermissionsPolicy¶

clipboard_read(*allowlist) → secure.headers.PermissionsPolicy¶

clipboard_write(*allowlist) → secure.headers.PermissionsPolicy¶

cross_origin_isolated(*allowlist) → secure.headers.PermissionsPolicy¶

display_capture(*allowlist) → secure.headers.PermissionsPolicy¶

document_domain(*allowlist) → secure.headers.PermissionsPolicy¶

encrypted_media(*allowlist) → secure.headers.PermissionsPolicy¶

execution_while_not_rendered(*allowlist) → secure.headers.PermissionsPolicy¶

execution_while_out_of_viewport(*allowlist) → secure.headers.PermissionsPolicy¶

fullscreen(*allowlist) → secure.headers.PermissionsPolicy¶

gamepad(*allowlist) → secure.headers.PermissionsPolicy¶

geolocation(*allowlist) → secure.headers.PermissionsPolicy¶

gyroscope(*allowlist) → secure.headers.PermissionsPolicy¶

magnetometer(*allowlist) → secure.headers.PermissionsPolicy¶

microphone(*allowlist) → secure.headers.PermissionsPolicy¶

midi(*allowlist) → secure.headers.PermissionsPolicy¶

navigation_override(*allowlist) → secure.headers.PermissionsPolicy¶

payment(*allowlist) → secure.headers.PermissionsPolicy¶

picture_in_picture(*allowlist) → secure.headers.PermissionsPolicy¶

publickey_credentials_get(*allowlist) → secure.headers.PermissionsPolicy¶

screen_wake_lock(*allowlist) → secure.headers.PermissionsPolicy¶

set(value: str) → secure.headers.PermissionsPolicy¶

speaker(*allowlist) → secure.headers.PermissionsPolicy¶

speaker_selection(*allowlist) → secure.headers.PermissionsPolicy¶

sync_xhr(*allowlist) → secure.headers.PermissionsPolicy¶

usb(*allowlist) → secure.headers.PermissionsPolicy¶

vibrate(*allowlist) → secure.headers.PermissionsPolicy¶

vr(*allowlist) → secure.headers.PermissionsPolicy¶

web_share(*allowlist) → secure.headers.PermissionsPolicy¶

xr_spatial_tracking(*allowlist) → secure.headers.PermissionsPolicy¶

class secure.headers.ReferrerPolicy¶

Bases: object

Enable full referrer if same origin, remove path for cross origin and disable referrer in unsupported browsers

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy https://owasp.org/www-project-secure-headers/#referrer-policy

no_referrer() → secure.headers.ReferrerPolicy¶

The Referer header will not be sent

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

no_referrer_when_downgrade() → secure.headers.ReferrerPolicy¶

The Referer header will not be sent if HTTPS -> HTTP

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

origin() → secure.headers.ReferrerPolicy¶

The Referer header will contain only the origin

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

origin_when_cross_origin() → secure.headers.ReferrerPolicy¶

The Referer header will contain the full URL but only the origin if cross-origin

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

same_origin() → secure.headers.ReferrerPolicy¶

The Referer header will be sent with the full URL if same-origin

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

set(value: str) → secure.headers.ReferrerPolicy¶

Set custom value for Referrer-Policy header

Parameters:	value (str) – custom header value
Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

strict_origin() → secure.headers.ReferrerPolicy¶

The Referer header will be sent only for same-origin

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

strict_origin_when_cross_origin() → secure.headers.ReferrerPolicy¶

The Referer header will only contain the origin if HTTPS -> HTTP

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

unsafe_url() → secure.headers.ReferrerPolicy¶

The Referer header will contain the full URL

Returns:	ReferrerPolicy class
Return type:	ReferrerPolicy

class secure.headers.ReportTo(max_age: int, include_subdomains: bool = False, group: Optional[str] = None, *endpoints)¶

Bases: object

Configure reporting endpoints

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to https://developers.google.com/web/updates/2018/09/reportingapi

Parameters:	max_age (int) – endpoint TIL in seconds include_subdomains (bool, optional) – enable for subdomains, defaults to False group (Optional[str], optional) – endpoint name, defaults to None endpoints (List[Dict[str, Union[str, int]]]) – variable number of endpoints

set(value: str) → secure.headers.ReportTo¶

Set custom value for Report-To header

Parameters:	value (str) – custom header value
Returns:	ReportTo class
Return type:	ReportTo

class secure.headers.Server¶

Bases: object

Replace server header

set(value: str) → secure.headers.Server¶

Set custom value for Server header

Parameters:	value (str) – custom header value
Returns:	Server class
Return type:	Server

class secure.headers.StrictTransportSecurity¶

Bases: object

Ensure application communication is sent over HTTPS

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security https://owasp.org/www-project-secure-headers/#http-strict-transport-security

include_subdomains() → secure.headers.StrictTransportSecurity¶

Include subdomains to HSTS policy [Optional]

Returns:	[description]
Return type:	[type]

max_age(seconds: int) → secure.headers.StrictTransportSecurity¶

Instruct the browser to remember HTTPS preference until time (seconds) expires.

Parameters:	seconds (str) – time in seconds
Returns:	StrictTransportSecurity class
Return type:	StrictTransportSecurity

preload() → secure.headers.StrictTransportSecurity¶

Instruct browser to always use HTTPS [Optional]

Please see: https://hstspreload.org

Returns:	StrictTransportSecurity class
Return type:	StrictTransportSecurity

set(value: str) → secure.headers.StrictTransportSecurity¶

Set custom value for Strict-Transport-Security header

Parameters:	value (str) – custom header value
Returns:	StrictTransportSecurity class
Return type:	StrictTransportSecurity

class secure.headers.XContentTypeOptions¶

Bases: object

Prevent MIME-sniffing

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options https://owasp.org/www-project-secure-headers/#x-content-type-options

set(value: str) → secure.headers.XContentTypeOptions¶

Set custom value for X-Content-Type-Options header

Parameters:	value (str) – custom header value
Returns:	XContentTypeOptions class
Return type:	XContentTypeOptions

class secure.headers.XFrameOptions¶

Bases: object

Disable framing from different origins (clickjacking defense)

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

deny() → secure.headers.XFrameOptions¶

Disable rending site in a frame

Returns:	XFrameOptions class
Return type:	XFrameOptions

sameorigin() → secure.headers.XFrameOptions¶

Disable rending site in a frame if not same origin

Returns:	XFrameOptions class
Return type:	XFrameOptions

set(value: str) → secure.headers.XFrameOptions¶

Set custom value for X-Frame-Options header

Parameters:	value (str) – custom header value
Returns:	XFrameOptions class
Return type:	XFrameOptions

class secure.headers.XXSSProtection¶

Bases: object

Enable browser Cross-Site Scripting filters

Deprecated

Recommended to utilize Content-Security-Policy instead of the legacy X-XSS-Protection header.

Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection https://owasp.org/www-project-secure-headers/#x-xss-protection

set(value: str) → secure.headers.XXSSProtection¶

Set custom value for X-XSS-Protection header

Parameters:	value (str) – custom header value
Returns:	XXSSProtection class
Return type:	XXSSProtection

secure.secure module¶

class secure.secure.Secure(server: Optional[secure.headers.Server] = None, hsts: Optional[secure.headers.StrictTransportSecurity] = <secure.headers.StrictTransportSecurity object>, xfo: Optional[secure.headers.XFrameOptions] = <secure.headers.XFrameOptions object>, xxp: Optional[secure.headers.XXSSProtection] = <secure.headers.XXSSProtection object>, content: Optional[secure.headers.XContentTypeOptions] = <secure.headers.XContentTypeOptions object>, csp: Optional[secure.headers.ContentSecurityPolicy] = None, referrer: Optional[secure.headers.ReferrerPolicy] = <secure.headers.ReferrerPolicy object>, cache: Optional[secure.headers.CacheControl] = <secure.headers.CacheControl object>, permissions: Optional[secure.headers.PermissionsPolicy] = None, report_to: Optional[secure.headers.ReportTo] = None)¶

Bases: object

Set Secure Header options

Parameters:

server – Server header options
hsts – Strict-Transport-Security (HSTS) header options
xfo – X-Frame-Options (XFO) header options
xxp – X-XSS-Protection (XXP) header options
content – X-Content-Type-Options header options
csp – Content-Security-Policy (CSP) header options
referrer – Referrer-Policy header options
cache – Cache-control, Pragma and Expires headers options
feature – Feature-Policy header options

class Framework(secure: secure.secure.Secure)¶

Bases: object

Secure supported frameworks

aiohttp(response: Any) → None¶

Update Secure Headers to aiohttp response object.

Parameters:	response – aiohttp response object.

bottle(response: Any) → None¶

Update Secure Headers to Bottle response object.

Parameters:	response – Bottle response object (bottle.response).

cherrypy() → List[Tuple[str, str]]¶

Return tuple of Secure Headers for CherryPy (tools.response_headers.headers).

Returns:	A list with a tuple of Secure Headers.

django(response: Any) → None¶

Update Secure Headers to Django response object.

Parameters:	response – Django response object (django.http.HttpResponse)

falcon(response: Any) → None¶

Update Secure Headers to Falcon response object.

Parameters:	response – Falcon response object (falcon.Response)

fastapi(response: Any) → None¶

Update Secure Headers to FastAPI response object.

Parameters:	response – FastAPI response object.

flask(response: Any) → None¶

Update Secure Headers to Flask response object.

Parameters:	response – Flask response object (flask.Response)

hug(response: Any) → None¶

Update Secure Headers to hug response object.

Parameters:	response – hug response object

masonite(request: Any) → None¶

Update Secure Headers to Masonite request object.

Parameters:	request – Masonite request object (masonite.request.Request)

pyramid(response: Any) → None¶

Update Secure Headers to Pyramid response object.

Parameters:	response – Pyramid response object (pyramid.response).

quart(response: Any) → None¶

Update Secure Headers to Quart response object.

Parameters:	response – Quart response object (quart.wrappers.response.Response)

responder(response: Any) → None¶

Update Secure Headers to Responder response object.

Parameters:	response – Responder response object.

sanic(response: Any) → None¶

Update Secure Headers to Sanic response object.

Parameters:	response – Sanic response object (sanic.response).

starlette(response: Any) → None¶

Update Secure Headers to Starlette response object.

Parameters:	response – Starlette response object.

tornado(response: Any) → None¶

Update Secure Headers to Tornado RequestHandler object.

Parameters:	response – Tornado RequestHandler object (tornado.web.RequestHandler).

headers() → Dict[str, str]¶

Dictionary of secure headers

Returns:	dictionary containing security headers
Return type:	Dict[str, str]

headers_tuple() → List[Tuple[str, str]]¶

List of a tuple containing secure headers

Returns:	list of tuples containing security headers
Return type:	List[Tuple[str, str]]

secure package¶

Submodules¶

secure.headers module¶

secure.secure module¶

Module contents¶

secure.py

Navigation

Related Topics