
Secweb is a pack of security middlewares for FastAPI and Starlette servers; it includes CSP, HSTS, and many more.

Project description


Secweb helps in setting security headers for FastApi and Starlette


Secweb is a pack of middlewares for setting security headers in FastAPI; it can also be used with any framework built on Starlette. It ships 16 middlewares for setting the headers of your websites/APIs.

Features

  • 🔒 Secure Headers: Automatically apply headers like Strict-Transport-Security, Content-Security-Policy, and more.

  • 🛠️ Customizable Policies: Flexibly build your own security policies.

  • 🚀 No External Dependencies: Lightweight and easy to include in any project that uses FastAPI and Starlette.

  • 🧩 Easy to Use: Integrate security headers in just a few lines of code.

  • 📚 Attribution to Trusted Sources: Implements recommendations from MDN and OWASP.

The PermissionsPolicy middleware lives in the development branch, linked here.

The list of middleware is as follows:

  1. Content Security Policy (CSP)

  2. Origin Agent Cluster

  3. Referrer Policy

  4. HTTP Strict Transport Security (HSTS)

  5. HTTP Strict Transport Security (HSTS) for WebSockets

  6. X-Content-Type-Options

  7. X-DNS-Prefetch-Control

  8. X-Download-Options

  9. X-Frame

  10. X-Permitted-Cross-Domain-Policies

  11. X-XSS-Protection

  12. Cross-Origin-Embedder-Policy

  13. Cross-Origin-Opener-Policy

  14. Cross-Origin-Resource-Policy

  15. Clear-Site-Data

  16. Cache-Control

Requirements

Installation

pip install Secweb

Usage

The package Secweb can be used in two different ways:

  1. Use the SecWeb class - it includes all the 16 classes together

  2. Use the 16 middleware classes separately

SecWeb class

from Secweb import SecWeb

SecWeb(app=app) # app is the ASGI app that Starlette/FastAPI requires; it gives the class access to the different methods

The above example uses all the preset default header values. You can change the values by creating the Option dict.

You can also enable nonce generation for the CSP header with the script_nonce=True and style_nonce=True flags. The report_only flag switches to the CSP report-only header. For the Clear-Site-Data header, the Routes=[] array selects the routes the header is applied to; it is empty by default.

from Secweb import SecWeb

SecWeb(app=app, Option={'referrer': ['no-referrer']}, Routes=[], script_nonce=False, style_nonce=False, report_only=False)

The Option parameter takes 16 keys, one per middleware class, to set user-defined policies or to deactivate headers.

Note: deactivating header(s) can only be done through the Option parameter of the SecWeb class.

from Secweb import SecWeb

# The class is SecWeb (capital W); Secweb is the package name
SecWeb(app=app, Option={'referrer': False, 'xframe': False})

The values are as follows:

  1. 'csp' for calling ContentSecurityPolicy class to set the user-defined values or deactivate the header

  2. 'referrer' for calling ReferrerPolicy class to set the user-defined values or deactivate the header

  3. 'xdns' for calling XDNSPrefetchControl class to set the user-defined values or deactivate the header

  4. 'xcdp' for calling XPermittedCrossDomainPolicies class to set the user-defined values or deactivate the header

  5. 'hsts' for calling HSTS class to set the user-defined values or deactivate the header

  6. 'wshsts' for calling WsHSTS class to set the user-defined values for WebSockets or deactivate the header

  7. 'xframe' for calling XFrame class to set the user-defined values or deactivate the header

  8. 'coep' for calling CrossOriginEmbedderPolicy class to set the user-defined values or deactivate the header

  9. 'coop' for calling CrossOriginOpenerPolicy class to set the user-defined values or deactivate the header

  10. 'corp' for calling CrossOriginResourcePolicy class to set the user-defined values or deactivate the header

  11. 'clearSiteData' for calling ClearSiteData class to set the user-defined values or deactivate the header

  12. 'cacheControl' for calling CacheControl class to set the user-defined values or deactivate the header

  13. 'xcto' for deactivating X-Content-Type-Options header

  14. 'xdo' for deactivating X-Download-Options header

  15. 'xss' for deactivating X-XSS-Protection header

  16. 'oac' for deactivating Origin-Agent-Cluster header

# Example of all values

SecWeb(app=app, Option={'csp': {'default-src': ["'self'"]}, 'xframe':'SAMEORIGIN', 'hsts': {'max-age': 4, 'preload': True}, 'wshsts': {'max-age': 10, 'preload': True},'xcdp': 'all', 'xdns': 'on', 'referrer': ['no-referrer'], 'coep':'require-corp', 'coop':'same-origin-allow-popups', 'corp': 'same-site', 'clearSiteData': {'cache': True, 'storage': True}, 'cacheControl': {'public': True, 's-maxage': 600}, 'xss': False}, Routes=['/login/{id}', '/logout/{id:uuid}/username/{username:string}'])
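Once the middleware is wired in, the useful check is whether the headers actually reach the client and whether a deactivated key or a demo value (such as the max-age of 4 above) slipped into production. The audit below is an added example, not Secweb's own code: it takes a plain dict of response headers (for instance from a test client or curl) and reports which of the README's headers are missing and which values are weak; the weak-value rules are this example's own judgement.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Headers the README's SecWeb class sets on ordinary HTTP responses, keyed by
# the Option name that deactivates each. 'wshsts' (WebSockets) and the
# route-scoped 'clearSiteData' do not show up on a plain GET and are omitted.
SECWEB_HEADERS: Dict[str, str] = {
    "csp": "Content-Security-Policy", "oac": "Origin-Agent-Cluster",
    "referrer": "Referrer-Policy", "hsts": "Strict-Transport-Security",
    "xcto": "X-Content-Type-Options", "xdns": "X-DNS-Prefetch-Control",
    "xdo": "X-Download-Options", "xframe": "X-Frame-Options",
    "xcdp": "X-Permitted-Cross-Domain-Policies", "xss": "X-XSS-Protection",
    "coep": "Cross-Origin-Embedder-Policy", "coop": "Cross-Origin-Opener-Policy",
    "corp": "Cross-Origin-Resource-Policy", "cacheControl": "Cache-Control",
}
ONE_YEAR = 31536000  # seconds; the usual floor for a preloadable HSTS policy


def audit_headers(headers: Dict[str, str],
                  disabled: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (missing header names, warnings). `disabled` lists Option keys
    deliberately set to False, so their absence is expected."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    missing, warnings = [], []
    for key, name in SECWEB_HEADERS.items():
        if key in disabled or name.lower() in lower:
            continue
        # report_only=True moves CSP to the -Report-Only header: it is present
        # but blocks nothing, so it is a warning rather than a missing header.
        if key == "csp" and "content-security-policy-report-only" in lower:
            warnings.append("CSP is report-only: nothing is enforced")
            continue
        missing.append(name)
    hsts = lower.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        warnings.append(f"HSTS max-age below one year: {hsts!r}")
    for key in ("coep", "coop"):  # 'unsafe-none' is the browser default, i.e. no isolation
        if lower.get(SECWEB_HEADERS[key].lower()) == "unsafe-none":
            warnings.append(f"{SECWEB_HEADERS[key]} is unsafe-none")
    return missing, warnings


# Constructed sample: roughly what an app configured like the README's
# "all values" example sends, with 'xss' deactivated and the demo max-age of 4.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "origin-agent-cluster": "?1", "referrer-policy": "no-referrer",
    "strict-transport-security": "max-age=4; includeSubDomains; preload",
    "x-content-type-options": "nosniff", "x-dns-prefetch-control": "on",
    "x-download-options": "noopen", "x-frame-options": "SAMEORIGIN",
    "x-permitted-cross-domain-policies": "all",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-opener-policy": "same-origin-allow-popups",
    "cross-origin-resource-policy": "same-site", "cache-control": "public, s-maxage=600",
}
```

Run `audit_headers(SAMPLE_HEADERS, disabled=["xss"])` against the sample: nothing is missing, but the 4-second HSTS max-age is flagged.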

Middleware Classes

Content Security Policy (CSP)

Nonce Processor

The Nonce_Processor module generates a nonce for the CSP header.

    # Some code
    nonce = Nonce_Processor(DEFAULT_ENTROPY=90) # inject the nonce variable into the jinja or html
    # Some more code

DEFAULT_ENTROPY sets the nonce length.

The nonce processor needs to be called inside the route handler. The following FastAPI example calls the nonce processor on a route:

from fastapi import FastAPI
from Secweb.ContentSecurityPolicy import Nonce_Processor

app = FastAPI()

@app.get("/")
async def root():
    # some code
    nonce = Nonce_Processor(DEFAULT_ENTROPY=90) # inject the nonce variable into the jinja or html
    # some more code

ContentSecurityPolicy class sets the csp header.

For FastApi server

from fastapi import FastAPI
from Secweb.ContentSecurityPolicy import ContentSecurityPolicy

app = FastAPI()  

app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'base-uri': ["'self'"], 'block-all-mixed-content': []}, script_nonce=False, style_nonce=False, report_only=False)

For Starlette server

from starlette.applications import Starlette
from Secweb.ContentSecurityPolicy import ContentSecurityPolicy

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'base-uri': ["'self'"], 'block-all-mixed-content': []}, script_nonce=False, style_nonce=False, report_only=False)

  • script_nonce=False: nonce flag for inline JavaScript
  • style_nonce=False: nonce flag for inline CSS
  • report_only=False: report-only flag, which switches to the CSP report-only header

For more detail on CSP header go to MDN Docs.

For more detail on CSP-report-only header go to MDN Docs.
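To see how the Option dict, the nonce flags and report_only fit together, the following added example (my own illustration, not Secweb's implementation) renders a directive dict in the same shape as the Option above into a header, appends a per-response nonce to script-src/style-src when the flags are set, and checks whether a given inline-script nonce would be accepted by the resulting policy. The DEFAULT_ENTROPY name is borrowed from the README; using it as the byte count for secrets.token_urlsafe is an assumption.

```python
import secrets
from typing import Dict, List, Optional, Tuple

DEFAULT_ENTROPY = 32  # bytes of CSPRNG output per nonce (assumed meaning of the README's argument)


def make_nonce(entropy: int = DEFAULT_ENTROPY) -> str:
    """A fresh, unguessable nonce; generate one per response and never reuse it."""
    return secrets.token_urlsafe(entropy)


def build_csp(option: Dict[str, List[str]], nonce: Optional[str] = None,
              script_nonce: bool = False, style_nonce: bool = False,
              report_only: bool = False) -> Tuple[str, str]:
    """Render {directive: [sources]} into (header name, header value).

    A directive with an empty list, e.g. 'block-all-mixed-content': [], is
    emitted bare. With a nonce flag set, 'nonce-<value>' is appended to
    script-src / style-src, creating the directive if the policy lacks it.
    """
    directives = {name: list(sources) for name, sources in option.items()}
    if nonce:
        for flag, directive in ((script_nonce, "script-src"), (style_nonce, "style-src")):
            if flag:
                directives.setdefault(directive, []).append(f"'nonce-{nonce}'")
    value = "; ".join(
        f"{name} {' '.join(sources)}" if sources else name
        for name, sources in directives.items()
    )
    # report_only only changes the header name; the browser then reports
    # violations instead of blocking them.
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, value


def inline_script_allowed(csp_value: str, script_nonce_attr: str) -> bool:
    """Would <script nonce="..."> run under this policy? An inline script needs
    its nonce listed in script-src, falling back to default-src when script-src
    is absent (the CSP fallback rule)."""
    policy: Dict[str, List[str]] = {}
    for part in csp_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    sources = policy.get("script-src", policy.get("default-src", []))
    return f"'nonce-{script_nonce_attr}'" in sources
```

The nonce in the header and the nonce attribute injected into the template must be the same value from the same response; a nonce that is cached or reused defeats the check.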

Origin Agent Cluster

OriginAgentCluster class sets the Origin-Agent-Cluster header. It takes no parameters.

For FastApi server

from fastapi import FastAPI
from Secweb.OriginAgentCluster import OriginAgentCluster

app = FastAPI()
app.add_middleware(OriginAgentCluster)

For Starlette server

from starlette.applications import Starlette
from Secweb.OriginAgentCluster import OriginAgentCluster

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(OriginAgentCluster)

For more detail on Origin-Agent-Cluster header go to WHATWG Site.

Referrer Policy

ReferrerPolicy class sets the Referrer-Policy header.

For FastApi server

from fastapi import FastAPI
from Secweb.ReferrerPolicy import ReferrerPolicy

app = FastAPI()

app.add_middleware(ReferrerPolicy, Option=['strict-origin-when-cross-origin'])

For Starlette server

from starlette.applications import Starlette
from Secweb.ReferrerPolicy import ReferrerPolicy

routes=[...]

app = Starlette(routes=routes)
app.add_middleware(ReferrerPolicy, Option=['strict-origin-when-cross-origin'])

For more detail on Referrer-Policy header go to MDN Docs.

HTTP Strict Transport Security (HSTS)

HSTS class sets the Strict-Transport-Security header.

For FastApi server

from fastapi import FastAPI
from Secweb.StrictTransportSecurity import HSTS

app = FastAPI()

app.add_middleware(HSTS, Option={'max-age': 4, 'preload': True})

For Starlette server

from starlette.applications import Starlette
from Secweb.StrictTransportSecurity import HSTS

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(HSTS, Option={'max-age': 4, 'preload': True})

For more detail on Strict-Transport-Security header go to MDN Docs.

HTTP Strict Transport Security (HSTS) for WebSockets

WsHSTS class sets the Strict-Transport-Security header for WebSockets.

For FastApi server

from fastapi import FastAPI
from Secweb.WsStrictTransportSecurity import WsHSTS

app = FastAPI()

app.add_middleware(WsHSTS, Option={'max-age': 4, 'preload': True})

For Starlette server

from starlette.applications import Starlette
from Secweb.WsStrictTransportSecurity import WsHSTS

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(WsHSTS, Option={'max-age': 4, 'preload': True})

For more detail on Strict-Transport-Security header go to MDN Docs.

X-Content-Type-Options

XContentTypeOptions class sets the X-Content-Type-Options header. The class takes no parameters.

For FastApi server

from fastapi import FastAPI
from Secweb.XContentTypeOptions import XContentTypeOptions

app = FastAPI()

app.add_middleware(XContentTypeOptions)

For Starlette server

from starlette.applications import Starlette
from Secweb.XContentTypeOptions import XContentTypeOptions

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(XContentTypeOptions)

For more detail on X-Content-Type-Options header go to MDN Docs.

X-DNS-Prefetch-Control

XDNSPrefetchControl class sets the X-DNS-Prefetch-Control header.

For FastApi server

from fastapi import FastAPI
from Secweb.XDNSPrefetchControl import XDNSPrefetchControl

app = FastAPI()

app.add_middleware(XDNSPrefetchControl, Option='on')

For Starlette server

from starlette.applications import Starlette
from Secweb.XDNSPrefetchControl import XDNSPrefetchControl

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(XDNSPrefetchControl, Option='off')

For more detail on X-DNS-Prefetch-Control header go to MDN Docs.

X-Download-Options

XDownloadOptions class sets the X-Download-Options header. The class takes no parameters.

For FastApi server

from fastapi import FastAPI
from Secweb.XDownloadOptions import XDownloadOptions

app = FastAPI()

app.add_middleware(XDownloadOptions)

For Starlette server

from starlette.applications import Starlette
from Secweb.XDownloadOptions import XDownloadOptions

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(XDownloadOptions)

X-Frame

XFrame class sets the X-Frame-Options header.

For FastApi server

from fastapi import FastAPI
from Secweb.XFrameOptions import XFrame

app = FastAPI()

app.add_middleware(XFrame, Option='DENY')

For Starlette server

from starlette.applications import Starlette
from Secweb.XFrameOptions import XFrame

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(XFrame, Option='DENY')

For more detail on X-Frame-Options header go to MDN Docs.

X-Permitted-Cross-Domain-Policies

XPermittedCrossDomainPolicies class sets the X-Permitted-Cross-Domain-Policies header.

For FastApi server

from fastapi import FastAPI
from Secweb.XPermittedCrossDomainPolicies import XPermittedCrossDomainPolicies

app = FastAPI()

app.add_middleware(XPermittedCrossDomainPolicies, Option='none')

For Starlette server

from starlette.applications import Starlette
from Secweb.XPermittedCrossDomainPolicies import XPermittedCrossDomainPolicies

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(XPermittedCrossDomainPolicies, Option='none')

For more detail on X-Permitted-Cross-Domain-Policies header go to OWASP Site.

X-XSS-Protection

xXSSProtection class sets the X-XSS-Protection header. The class takes no parameters.

For FastApi server

from fastapi import FastAPI
from Secweb.xXSSProtection import xXSSProtection

app = FastAPI()

app.add_middleware(xXSSProtection)

For Starlette server

from starlette.applications import Starlette
from Secweb.xXSSProtection import xXSSProtection

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(xXSSProtection)

For more detail on X-XSS-Protection header go to MDN Docs.

Cross Origin Embedder Policy

CrossOriginEmbedderPolicy class sets the Cross-Origin-Embedder-Policy header.

For FastApi server

from fastapi import FastAPI
from Secweb.CrossOriginEmbedderPolicy import CrossOriginEmbedderPolicy

app = FastAPI()

app.add_middleware(CrossOriginEmbedderPolicy, Option='unsafe-none')

For Starlette server

from starlette.applications import Starlette
from Secweb.CrossOriginEmbedderPolicy import CrossOriginEmbedderPolicy

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(CrossOriginEmbedderPolicy, Option='unsafe-none')

For more detail on Cross Origin Embedder Policy header go to MDN Docs.

Cross Origin Opener Policy

CrossOriginOpenerPolicy class sets the Cross-Origin-Opener-Policy header.

For FastApi server

from fastapi import FastAPI
from Secweb.CrossOriginOpenerPolicy import CrossOriginOpenerPolicy

app = FastAPI()

app.add_middleware(CrossOriginOpenerPolicy, Option='unsafe-none')

For Starlette server

from starlette.applications import Starlette
from Secweb.CrossOriginOpenerPolicy import CrossOriginOpenerPolicy

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(CrossOriginOpenerPolicy, Option='unsafe-none')

For more detail on Cross Origin Opener Policy header go to MDN Docs.

Cross Origin Resource Policy

CrossOriginResourcePolicy class sets the Cross-Origin-Resource-Policy header.

For FastApi server

from fastapi import FastAPI
from Secweb.CrossOriginResourcePolicy import CrossOriginResourcePolicy

app = FastAPI()

app.add_middleware(CrossOriginResourcePolicy, Option='same-site')

For Starlette server

from starlette.applications import Starlette
from Secweb.CrossOriginResourcePolicy import CrossOriginResourcePolicy

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(CrossOriginResourcePolicy, Option='same-site')

For more detail on Cross Origin Resource Policy header go to MDN Docs.

Clear Site Data

ClearSiteData class sets the Clear-Site-Data header. In this class the Routes array is compulsory, so that the header is only applied to the specified routes, since it clears the selected data in the user's browser. You can add static and dynamic routes as shown below.

For FastApi server

from fastapi import FastAPI
from Secweb.ClearSiteData import ClearSiteData

app = FastAPI()

app.add_middleware(ClearSiteData, Option={'cookies': True}, Routes=['/login', '/logout/{id}'])

For Starlette server

from starlette.applications import Starlette
from Secweb.ClearSiteData import ClearSiteData

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(ClearSiteData, Option={'cookies': True}, Routes=['/login', '/logout/{id}'])

For more detail on Clear Site Data Header go to MDN Docs.

Cache Control

CacheControl class sets the Cache-Control header. This is useful for controlling cached data in the user's browser.

For FastApi server

from fastapi import FastAPI
from Secweb.CacheControl import CacheControl

app = FastAPI()

app.add_middleware(CacheControl, Option={'s-maxage': 600, 'public': True})

For Starlette server

from starlette.applications import Starlette
from Secweb.CacheControl import CacheControl

routes=[...]

app = Starlette(routes=routes)

app.add_middleware(CacheControl, Option={'s-maxage': 600, 'public': True})

For more detail on Cache Control Header go to MDN Docs.

Contributing

Pull requests and Issues are welcome. For major changes, please open an issue first to discuss what you would like to change.

Github

License

MPL 2.0

Secweb Icon

Secweb Icon © 2021 - 2026 by Motagamwala Taha Arif Ali is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secweb-1.30.10.tar.gz (26.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

secweb-1.30.10-py3-none-any.whl (42.0 kB view details)

Uploaded Python 3

File details

Details for the file secweb-1.30.10.tar.gz.

File metadata

  • Download URL: secweb-1.30.10.tar.gz
  • Upload date:
  • Size: 26.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for secweb-1.30.10.tar.gz
Algorithm Hash digest
SHA256 49c5f9a2fb1361b98cd7434c1e377e4714b5309d29bb9005acd249e0cf170949
MD5 983bb889bfc406d3a78940fcaf686dc2
BLAKE2b-256 a275e3e038a00d21d576547631b31f603edb44d2575305a7d7fb46f36cb74eba

See more details on using hashes here.

Provenance

The following attestation bundles were made for secweb-1.30.10.tar.gz:

Publisher: publish.yml on tmotagam/Secweb

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file secweb-1.30.10-py3-none-any.whl.

File metadata

  • Download URL: secweb-1.30.10-py3-none-any.whl
  • Upload date:
  • Size: 42.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for secweb-1.30.10-py3-none-any.whl
Algorithm Hash digest
SHA256 4fa2f7caeeb16552b4aa8c2e5dc94e094ef32491b22b2e527b7dc355523a57ee
MD5 4f168d296351b07c70f7ce630ce994f4
BLAKE2b-256 c8ba9b0d38221a24f5fd7de7b032e4ce976029cbdca2d2c15b76804d3830b2a8

See more details on using hashes here.

Provenance

The following attestation bundles were made for secweb-1.30.10-py3-none-any.whl:

Publisher: publish.yml on tmotagam/Secweb

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
