secure package
Submodules
secure.headers module
class secure.headers.CacheControl
Bases: object
Prevent cacheable HTTPS response
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
- immutable() → secure.headers.CacheControl
- max_age(seconds: int) → secure.headers.CacheControl
- max_stale(seconds: int) → secure.headers.CacheControl
- min_fresh(seconds: int) → secure.headers.CacheControl
- must_revalidate() → secure.headers.CacheControl
- no_cache() → secure.headers.CacheControl
- no_store() → secure.headers.CacheControl
- no_transform() → secure.headers.CacheControl
- only_if_cached() → secure.headers.CacheControl
- private() → secure.headers.CacheControl
- proxy_revalidate() → secure.headers.CacheControl
- public() → secure.headers.CacheControl
- s_maxage(seconds: int) → secure.headers.CacheControl
- set(value: str) → secure.headers.CacheControl
  Set custom value for Cache-Control header
  Parameters: value (str) – custom header value
  Returns: CacheControl class
  Return type: CacheControl
- stale_if_error(seconds: int) → secure.headers.CacheControl
- stale_while_revalidate(seconds: int) → secure.headers.CacheControl
class secure.headers.ContentSecurityPolicy
Bases: object
Prevent cross-site injections
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy https://developers.google.com/web/fundamentals/security/csp
- base_uri(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for <base>
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- child_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for web workers
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- connect_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for script interfaces
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- custom_directive(directive: str, *sources) → secure.headers.ContentSecurityPolicy
  Set custom directive and sources
  Parameters:
  - directive (str) – custom directive
  - sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- default_src(*sources) → secure.headers.ContentSecurityPolicy
  Set fallback valid origins for other directives
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- font_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for @font-face
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- form_action(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for form submissions
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- frame_ancestors(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins that can embed the resource
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- frame_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for frames
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- img_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for images
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- manifest_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for manifest files
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- media_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for media
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- static nonce(value: str) → str
  Create a nonce source expression from a nonce value
  Parameters: value (str) – nonce value
  Returns: formatted nonce source expression
  Return type: str
- object_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for plugins
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- prefetch_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid resources that may be prefetched or prerendered
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- report_only() → None
  Set Content-Security-Policy header to Content-Security-Policy-Report-Only
- report_to(report_to: secure.headers.ReportTo) → secure.headers.ContentSecurityPolicy
  Configure reporting endpoints
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
  Parameters: report_to (ReportTo) – ReportTo class
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- report_uri(*values) → secure.headers.ContentSecurityPolicy
  Configure reporting endpoints in an older format
  Deprecated: This directive has been deprecated in favor of report-to. However, as report-to is not yet supported in most browsers, it is recommended to set both. Browsers that support report-to will ignore report-uri if both are set.
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
  Parameters: values (str) – variable number of URIs
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- sandbox(*values) → secure.headers.ContentSecurityPolicy
  Enable sandbox restrictions
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
  Parameters: values (str) – variable number of sandbox types
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- script_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for JavaScript
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- set(value: str) → secure.headers.ContentSecurityPolicy
  Set custom value for Content-Security-Policy header
  Parameters: value (str) – custom header value
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- style_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for styles
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- upgrade_insecure_requests() → secure.headers.ContentSecurityPolicy
  Upgrade HTTP URLs to HTTPS
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
- worker_src(*sources) → secure.headers.ContentSecurityPolicy
  Set valid origins for worker scripts
  Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
  Parameters: sources (str) – variable number of sources
  Returns: ContentSecurityPolicy class
  Return type: ContentSecurityPolicy
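As an added example that is not code from the secure package, the block below parses a serialized Content-Security-Policy value (the `directive source ...; directive source ...` form the directive methods above assemble) and flags the weak spots a reviewer checks first: 'unsafe-inline' on script-src with no nonce or hash, wildcard or bare-scheme script sources, object-src not locked to 'none', and a missing default-src, base-uri or frame-ancestors. It assumes the standard `'nonce-<value>'` source-expression form for what `nonce()` produces.

```python
# Added example (not code from the secure package): parse a serialized
# Content-Security-Policy value and flag weak script/object settings.
from typing import Dict, List

# CSP fetch directives fall back to default-src when absent; navigation and
# document directives (frame-ancestors, base-uri, form-action, sandbox) do not.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            # Directive names are case-insensitive; browsers ignore a repeated
            # directive, so the first occurrence wins here too.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Source list that actually applies to `name`, honouring default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src", [])
    return []  # no directive and no fallback: the browser applies no restriction


def audit_csp(policy: str) -> List[str]:
    """Return human-readable findings for a policy string; an empty list means clean."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src: any fetch directive left unset is unrestricted")
    scripts = effective_sources(d, "script-src")
    # A nonce ('nonce-<value>', the form nonce() formats) or a hash makes CSP3
    # browsers ignore 'unsafe-inline', so only flag it when neither is present.
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not keyed:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in scripts or any(s.endswith(":") for s in scripts):
        findings.append("script-src allows a wildcard or bare scheme source such as https:")
    if "'none'" not in effective_sources(d, "object-src"):
        findings.append("object-src is not 'none': plugin content is allowed")
    if "base-uri" not in d:
        findings.append("no base-uri: <base> is unrestricted and can redirect relative URLs")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: framing is controlled only by X-Frame-Options")
    return findings
```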
class secure.headers.PermissionsPolicy
Bases: object
Disable browser features and APIs
Replaces the Feature-Policy header
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
- accelerometer(*allowlist) → secure.headers.PermissionsPolicy
- ambient_light_sensor(*allowlist) → secure.headers.PermissionsPolicy
- autoplay(*allowlist) → secure.headers.PermissionsPolicy
- battery(*allowlist) → secure.headers.PermissionsPolicy
- camera(*allowlist) → secure.headers.PermissionsPolicy
- clipboard_read(*allowlist) → secure.headers.PermissionsPolicy
- clipboard_write(*allowlist) → secure.headers.PermissionsPolicy
- cross_origin_isolated(*allowlist) → secure.headers.PermissionsPolicy
- display_capture(*allowlist) → secure.headers.PermissionsPolicy
- document_domain(*allowlist) → secure.headers.PermissionsPolicy
- encrypted_media(*allowlist) → secure.headers.PermissionsPolicy
- execution_while_not_rendered(*allowlist) → secure.headers.PermissionsPolicy
- execution_while_out_of_viewport(*allowlist) → secure.headers.PermissionsPolicy
- fullscreen(*allowlist) → secure.headers.PermissionsPolicy
- gamepad(*allowlist) → secure.headers.PermissionsPolicy
- geolocation(*allowlist) → secure.headers.PermissionsPolicy
- gyroscope(*allowlist) → secure.headers.PermissionsPolicy
- magnetometer(*allowlist) → secure.headers.PermissionsPolicy
- microphone(*allowlist) → secure.headers.PermissionsPolicy
- midi(*allowlist) → secure.headers.PermissionsPolicy
- payment(*allowlist) → secure.headers.PermissionsPolicy
- picture_in_picture(*allowlist) → secure.headers.PermissionsPolicy
- publickey_credentials_get(*allowlist) → secure.headers.PermissionsPolicy
- screen_wake_lock(*allowlist) → secure.headers.PermissionsPolicy
- set(value: str) → secure.headers.PermissionsPolicy
- speaker(*allowlist) → secure.headers.PermissionsPolicy
- speaker_selection(*allowlist) → secure.headers.PermissionsPolicy
- sync_xhr(*allowlist) → secure.headers.PermissionsPolicy
- usb(*allowlist) → secure.headers.PermissionsPolicy
- vibrate(*allowlist) → secure.headers.PermissionsPolicy
- vr(*allowlist) → secure.headers.PermissionsPolicy
- xr_spatial_tracking(*allowlist) → secure.headers.PermissionsPolicy
class secure.headers.ReferrerPolicy
Bases: object
Enable full referrer if same origin, remove path for cross origin and disable referrer in unsupported browsers
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy https://owasp.org/www-project-secure-headers/#referrer-policy
- no_referrer() → secure.headers.ReferrerPolicy
  The Referer header will not be sent
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- no_referrer_when_downgrade() → secure.headers.ReferrerPolicy
  The Referer header will not be sent if HTTPS -> HTTP
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- origin() → secure.headers.ReferrerPolicy
  The Referer header will contain only the origin
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- origin_when_cross_origin() → secure.headers.ReferrerPolicy
  The Referer header will contain the full URL but only the origin if cross-origin
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- same_origin() → secure.headers.ReferrerPolicy
  The Referer header will be sent with the full URL if same-origin
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- set(value: str) → secure.headers.ReferrerPolicy
  Set custom value for Referrer-Policy header
  Parameters: value (str) – custom header value
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- strict_origin() → secure.headers.ReferrerPolicy
  The Referer header will be sent only for same-origin
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- strict_origin_when_cross_origin() → secure.headers.ReferrerPolicy
  The Referer header will only contain the origin if HTTPS -> HTTP
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
- unsafe_url() → secure.headers.ReferrerPolicy
  The Referer header will contain the full URL
  Returns: ReferrerPolicy class
  Return type: ReferrerPolicy
class secure.headers.ReportTo(max_age: int, include_subdomains: bool = False, group: Optional[str] = None, *endpoints)
Bases: object
Configure reporting endpoints
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to https://developers.google.com/web/updates/2018/09/reportingapi
Parameters:
- max_age (int) – endpoint TTL in seconds
- include_subdomains (bool, optional) – enable for subdomains, defaults to False
- group (Optional[str], optional) – endpoint name, defaults to None
- endpoints (List[Dict[str, Union[str, int]]]) – variable number of endpoints
class secure.headers.Server
Bases: object
Replace Server header
class secure.headers.StrictTransportSecurity
Bases: object
Ensure application communication is sent over HTTPS
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security https://owasp.org/www-project-secure-headers/#http-strict-transport-security
- include_subdomains() → secure.headers.StrictTransportSecurity
  Include subdomains in the HSTS policy [Optional]
  Returns: StrictTransportSecurity class
  Return type: StrictTransportSecurity
- max_age(seconds: int) → secure.headers.StrictTransportSecurity
  Instruct the browser to remember the HTTPS preference until the given time (seconds) expires.
  Parameters: seconds (int) – time in seconds
  Returns: StrictTransportSecurity class
  Return type: StrictTransportSecurity
- preload() → secure.headers.StrictTransportSecurity
  Instruct the browser to always use HTTPS [Optional]
  Please see: https://hstspreload.org
  Returns: StrictTransportSecurity class
  Return type: StrictTransportSecurity
- set(value: str) → secure.headers.StrictTransportSecurity
  Set custom value for Strict-Transport-Security header
  Parameters: value (str) – custom header value
  Returns: StrictTransportSecurity class
  Return type: StrictTransportSecurity
class secure.headers.XContentTypeOptions
Bases: object
Prevent MIME-sniffing
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options https://owasp.org/www-project-secure-headers/#x-content-type-options
- set(value: str) → secure.headers.XContentTypeOptions
  Set custom value for X-Content-Type-Options header
  Parameters: value (str) – custom header value
  Returns: XContentTypeOptions class
  Return type: XContentTypeOptions
class secure.headers.XFrameOptions
Bases: object
Disable framing from different origins (clickjacking defense)
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- deny() → secure.headers.XFrameOptions
  Disable rendering the site in a frame
  Returns: XFrameOptions class
  Return type: XFrameOptions
- sameorigin() → secure.headers.XFrameOptions
  Disable rendering the site in a frame if not same origin
  Returns: XFrameOptions class
  Return type: XFrameOptions
- set(value: str) → secure.headers.XFrameOptions
  Set custom value for X-Frame-Options header
  Parameters: value (str) – custom header value
  Returns: XFrameOptions class
  Return type: XFrameOptions
class secure.headers.XXSSProtection
Bases: object
Enable browser Cross-Site Scripting filters
Deprecated: Recommended to utilize Content-Security-Policy instead of the legacy X-XSS-Protection header.
Resources: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection https://owasp.org/www-project-secure-headers/#x-xss-protection
- set(value: str) → secure.headers.XXSSProtection
  Set custom value for X-XSS-Protection header
  Parameters: value (str) – custom header value
  Returns: XXSSProtection class
  Return type: XXSSProtection
secure.secure module
class secure.secure.Secure(server: Optional[secure.headers.Server] = None, hsts: Optional[secure.headers.StrictTransportSecurity] = <secure.headers.StrictTransportSecurity object>, xfo: Optional[secure.headers.XFrameOptions] = <secure.headers.XFrameOptions object>, xxp: Optional[secure.headers.XXSSProtection] = <secure.headers.XXSSProtection object>, content: Optional[secure.headers.XContentTypeOptions] = <secure.headers.XContentTypeOptions object>, csp: Optional[secure.headers.ContentSecurityPolicy] = None, referrer: Optional[secure.headers.ReferrerPolicy] = <secure.headers.ReferrerPolicy object>, cache: Optional[secure.headers.CacheControl] = <secure.headers.CacheControl object>, permissions: Optional[secure.headers.PermissionsPolicy] = None, report_to: Optional[secure.headers.ReportTo] = None)
Bases: object
Set Secure Header options
Parameters:
- server – Server header options
- hsts – Strict-Transport-Security (HSTS) header options
- xfo – X-Frame-Options (XFO) header options
- xxp – X-XSS-Protection (XXP) header options
- content – X-Content-Type-Options header options
- csp – Content-Security-Policy (CSP) header options
- referrer – Referrer-Policy header options
- cache – Cache-Control, Pragma and Expires header options
- permissions – Permissions-Policy header options (replaces Feature-Policy)
- report_to – Report-To header options
- class Framework(secure: secure.secure.Secure)
  Bases: object
  Secure supported frameworks
  - aiohttp(response: Any) → None
    Update Secure Headers on an aiohttp response object.
    Parameters: response – aiohttp response object.
  - bottle(response: Any) → None
    Update Secure Headers on a Bottle response object.
    Parameters: response – Bottle response object (bottle.response).
  - cherrypy() → List[Tuple[str, str]]
    Return a list of tuples of Secure Headers for CherryPy (tools.response_headers.headers).
    Returns: A list of tuples of Secure Headers.
  - django(response: Any) → None
    Update Secure Headers on a Django response object.
    Parameters: response – Django response object (django.http.HttpResponse)
  - falcon(response: Any) → None
    Update Secure Headers on a Falcon response object.
    Parameters: response – Falcon response object (falcon.Response)
  - fastapi(response: Any) → None
    Update Secure Headers on a FastAPI response object.
    Parameters: response – FastAPI response object.
  - flask(response: Any) → None
    Update Secure Headers on a Flask response object.
    Parameters: response – Flask response object (flask.Response)
  - hug(response: Any) → None
    Update Secure Headers on a hug response object.
    Parameters: response – hug response object
  - masonite(request: Any) → None
    Update Secure Headers on a Masonite request object.
    Parameters: request – Masonite request object (masonite.request.Request)
  - pyramid(response: Any) → None
    Update Secure Headers on a Pyramid response object.
    Parameters: response – Pyramid response object (pyramid.response).
  - quart(response: Any) → None
    Update Secure Headers on a Quart response object.
    Parameters: response – Quart response object (quart.wrappers.response.Response)
  - responder(response: Any) → None
    Update Secure Headers on a Responder response object.
    Parameters: response – Responder response object.
  - sanic(response: Any) → None
    Update Secure Headers on a Sanic response object.
    Parameters: response – Sanic response object (sanic.response).
  - starlette(response: Any) → None
    Update Secure Headers on a Starlette response object.
    Parameters: response – Starlette response object.
  - tornado(response: Any) → None
    Update Secure Headers on a Tornado RequestHandler object.
    Parameters: response – Tornado RequestHandler object (tornado.web.RequestHandler).
- headers() → Dict[str, str]
  Dictionary of secure headers
  Returns: dictionary containing security headers
  Return type: Dict[str, str]
- headers_tuple() → List[Tuple[str, str]]
  List of tuples containing secure headers
  Returns: list of tuples containing security headers
  Return type: List[Tuple[str, str]]