SessionArmor 0.1.0

Defense-grade Django middleware: session security, audit logging, and configurable request gates with hooks.

SessionArmor

Defense-grade Django middleware: session security, audit logging, and configurable request gates with hooks.

Part of the Tunet ecosystem — alongside SwapLayer and InfraGlyph.

---

What It Does

SessionArmor provides three drop-in Django middleware classes that harden your application's session layer:

Middleware	Purpose
SessionSecurityMiddleware	Fingerprint binding, absolute/idle timeouts, claim drift detection
AuditMiddleware	Privacy-preserving security audit trail for every authenticated request
GateMiddleware	Base class for building cacheable conditional gates (compliance, onboarding, feature flags)

All three are hookable — override methods to customize behavior without touching internals.

References

• NIST SP 800-53 AC-12 (Session Termination)
• NIST SP 800-53 SC-23 (Session Authenticity)
• NIST SP 800-53 AU-3/AU-12 (Audit Content/Generation)
• OWASP Session Management Cheat Sheet

---

Installation

pip install SessionArmor

Quick Start

# settings.py
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    # ... your auth middleware ...
    'session_armor.session.SessionSecurityMiddleware',
    'session_armor.audit.AuditMiddleware',
    # ... rest of your middleware ...
]

# Optional settings (shown with defaults)
SESSION_ABSOLUTE_TIMEOUT = 28800      # 8 hours
SESSION_IDLE_TIMEOUT = 1800           # 30 minutes
SESSION_BIND_IP = True
SESSION_BIND_USER_AGENT = True
SESSION_DETECT_CLAIM_DRIFT = True
SESSION_ARMOR_TRUSTED_PROXY_DEPTH = 1  # Number of trusted reverse proxies

Building a Gate

from session_armor import GateMiddleware
from django.shortcuts import redirect

class ComplianceGate(GateMiddleware):
    gate_id = 'compliance'
    cache_ttl_setting = 'COMPLIANCE_CACHE_TTL'
    default_cache_ttl = 3600
    fail_open = False  # Block access if check fails

    def check(self, request) -> bool:
        return user_accepted_current_terms(request)

    def on_reject(self, request):
        return redirect('/accept-terms/')

Customizing Session Security

from session_armor import SessionSecurityMiddleware

class MySessionSecurity(SessionSecurityMiddleware):
    exempt_paths = ('/health/', '/static/')

    def get_critical_claims(self, user):
        # Auth0 / OIDC claims that must not change mid-session
        return [user.sub, user.organization_uuid, user.platform]

    def get_login_url(self, request):
        platform = getattr(request.user, 'platform', '')
        return f'/{platform}/login/' if platform else '/login/'

Customizing Audit Logging

from session_armor import AuditMiddleware

class MyAudit(AuditMiddleware):
    exempt_paths = ('/health/', '/static/', '/favicon.ico')

    def get_user_identity(self, request):
        return {
            'uid': request.user.sub,
            'platform': request.user.platform,
            'org': request.user.organization_uuid,
        }

---

Development

# Clone and install
git clone https://github.com/Tunet-xyz/session_armor.git
cd session_armor
pip install -e ".[dev]"

# Run tests
pytest

# Lint
ruff check src/session_armor tests

# Type check
mypy src/session_armor

License

MIT — see LICENSE.