A small library that adds optional security headers and cookie presets for Responder

Project description

Secure

Secure 🔒 is a small library that adds optional security headers and cookie attributes for Responder.

Install

pipenv install secure

Headers

Strict-Transport-Security (HSTS)

Tell the browser to load the site only over HTTPS for the next two years, subdomains included (send it only on HTTPS responses: once cached, browsers refuse plain-HTTP access to the host)
Value: max-age=63072000; includeSubdomains

X-Frame-Options

Refuse to be rendered inside a frame or iframe on any site (clickjacking protection)
Value: DENY

X-XSS-Protection

Enable the legacy browser cross-site scripting filter and block the page rather than sanitise it; modern browsers have removed this filter, so it is not a substitute for CSP
Value: 1; mode=block

X-Content-Type-Options

Prevent MIME-sniffing
Value: nosniff

Content-Security-Policy (CSP)

Restrict script and plugin sources to the page's own origin (mitigates cross-site injections); note that this default sets no default-src, so other resource types stay unrestricted
Value: script-src 'self'; object-src 'self'

Referrer-Policy

Send the full referrer on same-origin requests, only the origin on cross-origin requests, and no referrer in browsers that do not understand strict-origin-when-cross-origin (browsers apply the last policy in the list that they recognise)
Value: no-referrer, strict-origin-when-cross-origin

Cache-control / Pragma

Stop browsers and intermediate proxies from storing the response (for pages carrying sensitive data)
Value: no-cache, no-store / no-cache

Recommendations used by Secure 🔒 and more information regarding security headers can be found at the OWASP Secure Headers Project.

Cookies

Path

The Path attribute instructs the browser to send the cookie only on requests whose URL path starts with the given path (with the default "/", every path on the host).

Secure

The Secure flag instructs the browser to only send the cookie via HTTPS.

HttpOnly

The HttpOnly flag instructs the browser to hide the cookie from client-side script (document.cookie), so a cross-site scripting payload cannot read it.

SameSite

The SameSite attribute tells the browser not to attach the cookie to certain cross-site requests. This library accepts two values, lax and strict. With lax the cookie is still sent on top-level navigations that use a safe method, for example links (<a href="x">), prerendering (<link rel="prerender" href="x">) and forms submitted with GET (<form method="get">), but not on cross-site POST submissions (<form method="post">), image loads (<img src="x">) or framed pages (<iframe src="x">). With strict the cookie is never sent on a cross-site request, whatever the context. Strict offers greater security but may break flows that arrive from other sites (a user following a link from an email lands logged out). In browsers that honour the attribute, strict rules out authenticated CSRF entirely, while lax leaves only state-changing GET endpoints exposed, so keep GET requests free of side effects.

Expires

The Expires attribute sets an expiration date for persistent cookies; without it the cookie is a session cookie that the browser discards when it closes.

Responder Headers

Usage

import responder
import secure

api = responder.API()

... 

@api.route(before_request=True)
def prepare_response(req, resp):
    secure.responder_headers(req, resp)

HTTP response headers:

x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer, strict-origin-when-cross-origin

Options

Example: secure.responder_headers(req, resp, csp=True)

  • hsts - (default=False) *
  • frame - (default=True)
  • xss - (default=True)
  • content - (default=True)
  • csp - (default=False) *
  • referrer - (default=True)
  • cache - (default=False)

* You should use Responder's built-in HSTS option, and a CSP should be constructed for your application rather than taken from a default; if you nevertheless want this library's defaults, pass hsts=True and/or csp=True.
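The following is an added example written for this page, not code from the secure library: it builds the header set that the option flags above describe (same defaults and the same values as the Headers section), and audits an arbitrary response-header mapping against those values. The thresholds in audit_headers (the HSTS max-age floor, the CSP tokens treated as weakening, acceptance of SAMEORIGIN for X-Frame-Options) are this example's own choices, and Cache-Control is left out of the audit because it belongs only on responses carrying sensitive data.

```python
"""Added example for this page, not the secure library's own code: build the
headers described above from the same option flags, then audit a response's
headers against the values the page recommends."""
import re

# Values exactly as listed in the Headers section of this page.
HSTS = "max-age=63072000; includeSubdomains"
FRAME = "DENY"
XSS = "1; mode=block"
CONTENT = "nosniff"
CSP = "script-src 'self'; object-src 'self'"
REFERRER = "no-referrer, strict-origin-when-cross-origin"
CACHE = "no-cache, no-store"
PRAGMA = "no-cache"


def security_headers(hsts=False, frame=True, xss=True, content=True,
                     csp=False, referrer=True, cache=False):
    """Return the headers the documented option flags add (same defaults as the page)."""
    headers = {}
    if hsts:
        headers["Strict-Transport-Security"] = HSTS
    if frame:
        headers["X-Frame-Options"] = FRAME
    if xss:
        headers["X-XSS-Protection"] = XSS
    if content:
        headers["X-Content-Type-Options"] = CONTENT
    if csp:
        headers["Content-Security-Policy"] = CSP
    if referrer:
        headers["Referrer-Policy"] = REFERRER
    if cache:
        headers["Cache-Control"] = CACHE
        headers["Pragma"] = PRAGMA
    return headers


def _hsts_max_age(value):
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(match.group(1)) if match else 0


def _csp_ok(value):
    # A CSP only blocks injected script if script-src (or the default-src
    # fallback) is present and does not reopen the door with unsafe-* or '*'.
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return bool(sources) and not ({"'unsafe-inline'", "'unsafe-eval'", "*"} & set(sources))


def audit_headers(response_headers, min_hsts_age=63072000):
    """Check a response's headers (names compared case-insensitively).

    Returns {"missing": [sorted header names], "weak": {name: value}} where
    'weak' holds headers that are present but below this example's bar.
    Cache-Control is not audited: it belongs only on sensitive responses.
    """
    got = {k.lower(): v.strip() for k, v in response_headers.items()}
    missing, weak = [], {}

    def check(name, ok):
        value = got.get(name.lower())
        if value is None:
            missing.append(name)
        elif not ok(value):
            weak[name] = value

    check("Strict-Transport-Security",
          lambda v: _hsts_max_age(v) >= min_hsts_age and "includesubdomains" in v.lower())
    check("X-Frame-Options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"))
    check("X-XSS-Protection", lambda v: v.replace(" ", "").lower() == "1;mode=block")
    check("X-Content-Type-Options", lambda v: v.lower() == "nosniff")
    check("Content-Security-Policy", _csp_ok)
    check("Referrer-Policy", lambda v: "unsafe-url" not in v.lower())
    return {"missing": sorted(missing), "weak": weak}


if __name__ == "__main__":
    print(audit_headers(security_headers()))                      # HSTS and CSP reported missing
    print(audit_headers(security_headers(hsts=True, csp=True)))   # nothing missing or weak
```

Run audit_headers over the header mapping of a real response (for example the dict a test client returns) to confirm the before_request hook is actually applied on every route, including error responses, which is where such hooks are most often missed.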

Responder Cookies

Usage

import responder
import secure

api = responder.API()

... 

@api.route("/secure")
async def greet_world(req, resp):
    resp.text = "Secure"
    secure.responder_cookies(req, resp, name="responder", value="ABC123", expires=1)

Set-Cookie HTTP response header:

set-cookie: responder=ABC123; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Tue, 27 Nov 2018 11:38:56 GMT;

Options

Example:

secure.responder_cookies(req, resp, name="responder-cookie", value="ABC123", secure=False)

  • path - (default="/")
  • secure - (default=True)
  • httponly - (default=True)
  • samesite - options: lax or strict (default="lax")
  • expires - cookie expiration in hours (default=False, i.e. a session cookie)
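As an added example (not the library's implementation), the code below builds a Set-Cookie value from the options listed above, with expires given in hours as on this page, parses one back, and models the SameSite and Secure rules from the Cookies section to show which cross-site request kinds still carry a Lax cookie versus a Strict one. The request categories, the optional fixed now timestamp and the treatment of cookies without a SameSite attribute are this example's own assumptions.

```python
"""Added example for this page, not the secure library's implementation: build
a Set-Cookie value from the documented options, parse one back, and model the
SameSite/Secure rules from the Cookies section."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# HTTP methods the Lax rule treats as safe for top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def build_set_cookie(name, value, path="/", secure=True, httponly=True,
                     samesite="lax", expires=False, now=None):
    """Return a Set-Cookie value; expires is in hours, as on this page.

    now is an optional Unix timestamp used instead of the clock (handy for
    tests); without expires the result is a session cookie.
    """
    if samesite.lower() not in ("lax", "strict"):
        raise ValueError("samesite must be 'lax' or 'strict'")
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    parts.append(f"SameSite={samesite.capitalize()}")
    if expires:
        base = (datetime.fromtimestamp(now, tz=timezone.utc) if now is not None
                else datetime.now(timezone.utc))
        when = base + timedelta(hours=expires)
        parts.append("Expires=" + format_datetime(when, usegmt=True))
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    first, *attrs = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = first.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if val else True
    return name, value, attributes


def browser_sends_cookie(attributes, cross_site, method, top_level_navigation,
                         over_https=True):
    """True if a browser honouring the attributes would attach the cookie."""
    if attributes.get("secure") and not over_https:
        return False
    if not cross_site:
        return True
    mode = str(attributes.get("samesite", "")).lower()
    if mode == "strict":
        return False
    if mode == "lax":
        # Links, prerender and GET forms are top-level navigations with a safe
        # method; POST forms, <img> and <iframe> loads are not.
        return top_level_navigation and method.upper() in SAFE_METHODS
    # No SameSite attribute: assumed historical "always send" behaviour (this
    # library always sets one, so this branch only covers cookies set elsewhere).
    return True


# Constructed request kinds matching the examples in the Cookies section.
CROSS_SITE_REQUESTS = {
    "link (GET, top-level)": ("GET", True),
    "form GET (top-level)": ("GET", True),
    "form POST (top-level)": ("POST", True),
    "img/iframe (GET, subresource)": ("GET", False),
}


def csrf_exposure(header):
    """Return the cross-site request kinds that still carry this cookie."""
    _, _, attrs = parse_set_cookie(header)
    return sorted(kind for kind, (method, nav) in CROSS_SITE_REQUESTS.items()
                  if browser_sends_cookie(attrs, True, method, nav))


if __name__ == "__main__":
    lax = build_set_cookie("responder", "ABC123", expires=1, now=1543315136)
    print(lax)                  # same shape as the Set-Cookie header shown above
    print(csrf_exposure(lax))   # only the two GET navigations
    print(csrf_exposure(build_set_cookie("responder", "ABC123", samesite="strict")))  # []
```

csrf_exposure makes the trade-off in the SameSite section concrete: a Lax cookie still rides along on cross-site links and GET forms, so any endpoint that changes state on GET remains a CSRF target, while a Strict cookie travels on none of the listed request kinds.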

Attribution/References

Download files

Source Distribution

secure-0.1.2.tar.gz (6.4 kB)

Built Distribution

secure-0.1.2-py2-none-any.whl (5.0 kB)

File details

Details for the file secure-0.1.2.tar.gz.

File metadata

  • Download URL: secure-0.1.2.tar.gz
  • Size: 6.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.4.2 requests/2.20.1 setuptools/40.5.0 requests-toolbelt/0.8.0 tqdm/4.28.1 CPython/3.7.1

File hashes

Hashes for secure-0.1.2.tar.gz
Algorithm Hash digest
SHA256 b1ce00abd69d1f17a026481b191468d67b6cfcf2721b5333268a2253be2f5f9a
MD5 bf5cfb4db3e221c0e39aa4fbe4712ab1
BLAKE2b-256 141ae832c290cb8b9da154871578c8727d1a1cb78b47dd3bc32361b8a9d22ce9

To pin this exact artifact, list it in a requirements file as secure==0.1.2 --hash=sha256:b1ce00abd69d1f17a026481b191468d67b6cfcf2721b5333268a2253be2f5f9a and install with pip install --require-hashes -r requirements.txt, so pip refuses any file whose digest differs.

File details

Details for the file secure-0.1.2-py2-none-any.whl.

File metadata

  • Download URL: secure-0.1.2-py2-none-any.whl
  • Size: 5.0 kB
  • Tags: Python 2
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.4.2 requests/2.20.1 setuptools/40.5.0 requests-toolbelt/0.8.0 tqdm/4.28.1 CPython/3.7.1

File hashes

Hashes for secure-0.1.2-py2-none-any.whl
Algorithm Hash digest
SHA256 6d3d812429fb0c72a137348d5ca56ec674a69d9a1095c6968fa6368cca72b9d7
MD5 aef3a9dfb86a9ec120c2716972976032
BLAKE2b-256 8ad387ed694df0687d29971c98d9b4a55d6a9195b96c07280721eaf5fd22c224
