Repository files navigation

A simple, yet powerful way to secure your Python web applications across multiple frameworks.

In today's web landscape, security is paramount.secure.py is a lightweight Python library designed to effortlessly addsecurity headers to your web applications, protecting them from common vulnerabilities. Whether you're usingDjango,Flask,FastAPI, or any other popular framework,secure.py provides a unified API to enhance your application's security posture.

• 🔒Apply Essential Security Headers: Implement headers like CSP, HSTS, and more with minimal effort.
• 🛠️Consistent API Across Frameworks: A unified approach for different web frameworks.
• ⚙️Customizable with Secure Defaults: Start secure out-of-the-box and customize as needed.
• 🚀Easy Integration: Compatible with Python's most-used frameworks.
• 🐍Modern Pythonic Design: Leverages Python 3.10+ features for cleaner and more efficient code.

secure.py supports the following Python web frameworks:

• 🔒Secure Headers: Automatically apply headers likeStrict-Transport-Security,X-Frame-Options, and more.
• 🛠️Customizable Policies: Flexibly build your own security policies using method chaining.
• 🌐Framework Integration: Compatible with various frameworks, ensuring cross-compatibility.
• 🚀No External Dependencies: Lightweight and easy to include in any project.
• 🧩Easy to Use: Integrate security headers in just a few lines of code.
• ⚡Asynchronous Support: Async support for modern frameworks likeFastAPI andStarlette.
• 📝Enhanced Type Hinting: Complete type annotations for better developer experience.
• 📚Attribution to Trusted Sources: Implements recommendations from MDN and OWASP.

• Python 3.10 or higher

  This library leverages modern Python features introduced in Python 3.10 and 3.11, such as:

  • Union Type Operator (|): Simplifies type annotations.
  • Structural Pattern Matching (match statement): Enhances control flow.
  • Improved Type Hinting and Annotations: Provides better code clarity and maintenance.
  • cached_property: Optimize memory usage and performance.

  Note: If you're using an older version of Python (3.6 to 3.9), please use version0.3.0 of this library, which maintains compatibility with those versions.

• Dependencies

  This library has no external dependencies outside of the Python Standard Library.

You can install secure.py using pip, pipenv, or poetry:

pip:

pip install secure

Pipenv:

pipenv install secure

Poetry:

poetry add secure

Once installed, you can quickly integratesecure.py into your project:

importsecure# Initialize secure headers with default settingssecure_headers=secure.Secure.with_default_headers()# Apply the headers to your framework response objectsecure_headers.set_headers(response)

For frameworks likeFastAPI andStarlette that support asynchronous operations, use the async method:

importsecure# Initialize secure headers with default settingssecure_headers=secure.Secure.with_default_headers()# Apply the headers asynchronously to your framework response objectawaitsecure_headers.set_headers_async(response)

importsecure# Create a Secure instance with default headerssecure_headers=secure.Secure.with_default_headers()# Apply default secure headers to a response objectsecure_headers.set_headers(response)

By default,secure.py applies the following headers when usingwith_default_headers():

Cache-Control: no-storeCross-Origin-Opener-Policy: same-originContent-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'Strict-Transport-Security: max-age=31536000Permissions-Policy: geolocation=(), microphone=(), camera=()Referrer-Policy: strict-origin-when-cross-originServer:X-Content-Type-Options: nosniff

secure.py allows you to customize headers such asContent-Security-Policy andPermissions-Policy with ease:

importsecure# Build a custom CSP policycsp= (secure.ContentSecurityPolicy()    .default_src("'self'")    .script_src("'self'","cdn.example.com")    .style_src("'unsafe-inline'")    .img_src("'self'","images.example.com")    .connect_src("'self'","api.example.com"))# Apply it to secure headerssecure_headers=secure.Secure(csp=csp)

Resulting HTTP headers:

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com; style-src 'unsafe-inline'; img-src 'self' images.example.com; connect-src 'self' api.example.com

importsecure# Build a custom Permissions Policypermissions= (secure.PermissionsPolicy()    .geolocation("'self'")    .camera("'none'")    .microphone("'none'"))# Apply it to secure headerssecure_headers=secure.Secure(permissions=permissions)

Resulting HTTP headers:

Permissions-Policy: geolocation=('self'), camera=('none'), microphone=('none')

fromfastapiimportFastAPIfromsecureimportSecureapp=FastAPI()secure_headers=Secure.with_default_headers()@app.middleware("http")asyncdefadd_security_headers(request,call_next):response=awaitcall_next(request)awaitsecure_headers.set_headers_async(response)returnresponse@app.get("/")defread_root():return {"Hello":"World"}

fromflaskimportFlask,ResponsefromsecureimportSecureapp=Flask(__name__)secure_headers=Secure.with_default_headers()@app.after_requestdefadd_security_headers(response:Response):secure_headers.set_headers(response)returnresponse@app.route("/")defhome():return"Hello, world"if__name__=="__main__":app.run()

For more details, including advanced configurations and integration examples, please visit thefull documentation.

This library implements security recommendations from trusted sources:

• MDN Web Docs (licensed underCC-BY-SA 2.5)
• OWASP Secure Headers Project (licensed underCC-BY-SA 4.0)

We have included attribution comments in the source code where appropriate.

• OWASP - Secure Headers Project
• Mozilla Web Security Guidelines
• MDN Web Docs: Security Headers
• web.dev: Security Best Practices
• The World Wide Web Consortium (W3C)

This project is licensed under the terms of theMIT License.

Contributions are welcome! If you'd like to contribute tosecure.py, please feel free to open an issue or submit a pull request onGitHub.

For a detailed list of changes, please refer to theCHANGELOG.

We would like to thank the contributors of MDN Web Docs and OWASP Secure Headers Project for their invaluable resources and guidelines that help make the web a safer place.