
aiohttp additional security layer

Project description

secure-aiohttp

The library implements the CSP and HSTS headers. CSRF tokens and possibly other default security handlers will be added in the future.

HSTS (Strict-Transport-Security)

HSTS is a way for a web site to tell browsers that it should only be accessed over HTTPS, never over plain HTTP. Without it, browsers still use HTTP for the initial connection even when the site supports HTTPS, which leaves room for a man-in-the-middle attack. (source)

Available parameters:

| Parameter | Definition | Default |
| --- | --- | --- |
| hsts | Whether the HSTS header should be added | True |
| hsts_max_age | For how long, in seconds, the browser should go directly to HTTPS | 31536000 (one year) |
| hsts_inclue_subdomains | Whether subdomains should be included | True |
| hsts_preload | Whether preload should be used | True |

CSP (Content-Security-Policy)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. (source) In short, the browser blocks every source of front-end scripts, images, objects and so on that is not on the policy's whitelist, so malicious code that could harvest sensitive user data is never loaded.

Available parameters:

| Parameter | Definition | Default |
| --- | --- | --- |
| csp | Whether the CSP header should be added and, if so, what it should contain | None |
| csp_testing | Enable CSP in report-only mode, which reports violations without actually blocking sources | False |
| scp_report_uri | Where the browser should send CSP violation reports | /secureaiohttp-csp-report-uri |

The csp parameter can be one of:

  • None to avoid sending a CSP header at all
  • default|same-origin|google-analitycs to use a predefined CSP header
  • a dict with custom CSP directives, for example:

    # Custom policy: each key is a CSP directive, each value its source list;
    # None marks a directive that takes no value.
    my_csp = {
        'connect-src': 'self',
        'default-src': 'none',
        'img-src': 'self',
        'script-src': 'self',
        'style-src': 'self',
        'report-uri': '/my-csp-report-handler',
        'block-all-mixed-content': None
    }


You need to pass None for parameters that require no values, like block-all-mixed-content.

The predefined CSP header variants are taken from https://content-security-policy.com/ and include:

  • default: This policy allows images, scripts, AJAX, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
  • google-analitycs: Allow Google Analytics, Google AJAX CDN and Same Origin.
  • same-origin: Only allow scripts from the same origin.
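To make the parameters above concrete, here is an added example (not secure-aiohttp's own code) that turns the README's hsts_* options and a CSP dict of the shape shown above into the header values a browser would receive, including the None-valued directive case and the report-only header used by csp_testing. The function names, the assumption that keyword sources such as self are single-quoted in the header, and the sample dict at the bottom are mine.

```python
# Added example, not secure-aiohttp's own code: turns the README's HSTS parameters
# and CSP dict shape into the header values a browser would receive. Function names
# (build_hsts, build_csp) and the CSP sample at the bottom are mine.
from typing import Dict, Optional, Tuple

# CSP source keywords must be single-quoted in the header; a bare "self" in the dict
# stands for 'self' (assumption). Host sources, schemes, nonces and hashes stay as written.
_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def build_hsts(max_age: int = 31536000, include_subdomains: bool = True,
               preload: bool = True) -> str:
    """Strict-Transport-Security value for the README's hsts_* parameters."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        # Browser preload lists only accept max-age >= 1 year together with
        # includeSubDomains, so keep the defaults together when enabling this flag.
        parts.append("preload")
    return "; ".join(parts)


def build_csp(policy: Dict[str, Optional[str]], testing: bool = False,
              report_uri: str = "/secureaiohttp-csp-report-uri") -> Tuple[str, str]:
    """Return (header name, header value) for a README-style CSP dict.
    A None value emits a bare directive (e.g. block-all-mixed-content); testing
    maps to the Report-Only header, which reports violations but blocks nothing.
    """
    directives = []
    for name, value in policy.items():
        if value is None:
            directives.append(name)
        else:
            sources = [f"'{s}'" if s in _KEYWORDS else s for s in value.split()]
            directives.append(f"{name} {' '.join(sources)}")
    if "report-uri" not in policy:
        directives.append(f"report-uri {report_uri}")
    header = "Content-Security-Policy-Report-Only" if testing else "Content-Security-Policy"
    return header, "; ".join(directives)


# Constructed sample: the custom dict from the README above.
MY_CSP = {
    "connect-src": "self", "default-src": "none", "img-src": "self",
    "script-src": "self", "style-src": "self",
    "report-uri": "/my-csp-report-handler", "block-all-mixed-content": None,
}
```

Start with testing=True in a real deployment and watch the reports arriving at the report URI before switching to the enforcing header, so a missing source breaks nothing for users.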

Examples

You can find some simple examples in the example folder.

Contribution

Any contributions are welcome! Take action in securing your users! ;)

License

secure-aiohttp is offered under the Apache 2 license.

Download files

Source Distribution: secure-aiohttp-0.0.24.tar.gz (4.6 kB)

Built Distribution: secure_aiohttp-0.0.24-py3-none-any.whl (9.7 kB, Python 3)
