Security Headers Manager¶
The Security Headers Manager provides comprehensive HTTP security header management following OWASP best practices.
Overview¶
The SecurityHeadersManager is a singleton class that manages security headers for HTTP responses, including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other essential security headers.
Class Reference¶
SecurityHeadersManager¶
Methods¶
configure¶
Configure security headers settings.
security_headers_manager.configure(
enabled=True,
csp={
"default-src": ["'self'"],
"script-src": ["'self'", "https://trusted.cdn.com"],
"style-src": ["'self'", "'unsafe-inline'"],
"img-src": ["'self'", "data:", "https:"],
"font-src": ["'self'", "https://fonts.gstatic.com"],
"connect-src": ["'self'"],
"frame-ancestors": ["'none'"],
"base-uri": ["'self'"],
"form-action": ["'self'"]
},
hsts_max_age=31536000, # 1 year
hsts_include_subdomains=True,
hsts_preload=False,
frame_options="SAMEORIGIN",
content_type_options="nosniff",
xss_protection="1; mode=block",
referrer_policy="strict-origin-when-cross-origin",
permissions_policy="geolocation=(), microphone=(), camera=()",
custom_headers={
"X-Custom-Header": "CustomValue"
},
cors_origins=["https://app.example.com"],
cors_allow_credentials=True,
cors_allow_methods=["GET", "POST"],
cors_allow_headers=["*"]
)
Parameters:
enabled(bool): Enable/disable security headers. Default:Truecsp(dict[str, list[str]] | None): Content Security Policy directiveshsts_max_age(int | None): HSTS max-age in seconds (e.g., 31536000 for 1 year)hsts_include_subdomains(bool): Include subdomains in HSTS. Default:Truehsts_preload(bool): Enable HSTS preload. Default:Falseframe_options(str | None): X-Frame-Options value (DENY,SAMEORIGIN)content_type_options(str | None): X-Content-Type-Options valuexss_protection(str | None): X-XSS-Protection valuereferrer_policy(str | None): Referrer-Policy valuepermissions_policy(str | None): Permissions-Policy valuecustom_headers(dict[str, str] | None): Additional custom security headerscors_origins(list[str] | None): Allowed CORS originscors_allow_credentials(bool): Allow credentials in CORS. Default:Falsecors_allow_methods(list[str] | None): Allowed CORS methodscors_allow_headers(list[str] | None): Allowed CORS headers
get_headers¶
Get security headers for a response.
Parameters:
request_path(str | None): Optional request path for path-specific headers
Returns:
dict[str, str]: Dictionary of security headers
get_cors_headers¶
Get CORS headers if origin is allowed.
Parameters:
origin(str): Request origin
Returns:
dict[str, str]: Dictionary of CORS headers
validate_csp_report¶
Validate and process CSP violation reports.
is_valid = await security_headers_manager.validate_csp_report(
report={
"csp-report": {
"document-uri": "https://example.com/page",
"violated-directive": "script-src",
"blocked-uri": "https://evil.com/script.js",
"source-file": "https://example.com/app.js",
"line-number": 10
}
}
)
Parameters:
report(dict[str, Any]): CSP violation report
Returns:
bool: True if report is valid
initialize_redis¶
Initialize Redis connection for caching header configurations.
Parameters:
redis_handler(Any): Redis handler instance
initialize_agent¶
Initialize agent integration for security event tracking.
Parameters:
agent_handler(Any): Agent handler instance
reset¶
Reset all security headers configuration.
Default Headers¶
The following headers are configured by default:
| Header | Default Value | Description |
|---|---|---|
X-Content-Type-Options |
nosniff |
Prevents MIME type sniffing |
X-Frame-Options |
SAMEORIGIN |
Prevents clickjacking attacks |
X-XSS-Protection |
1; mode=block |
Enables XSS filtering |
Referrer-Policy |
strict-origin-when-cross-origin |
Controls referrer information |
Permissions-Policy |
geolocation=(), microphone=(), camera=() |
Restricts browser features |
X-Permitted-Cross-Domain-Policies |
none |
Restricts Adobe Flash cross-domain access |
X-Download-Options |
noopen |
Prevents file download execution in IE |
Cross-Origin-Embedder-Policy |
require-corp |
Controls cross-origin resource embedding |
Cross-Origin-Opener-Policy |
same-origin |
Controls cross-origin window interactions |
Cross-Origin-Resource-Policy |
same-origin |
Controls cross-origin resource access |
Content Security Policy (CSP)¶
CSP helps prevent XSS attacks by specifying which sources are allowed for various content types.
Common CSP Directives¶
default-src: Default policy for all resource typesscript-src: Valid sources for JavaScriptstyle-src: Valid sources for stylesheetsimg-src: Valid sources for imagesfont-src: Valid sources for fontsconnect-src: Valid sources for fetch, XMLHttpRequest, WebSocketframe-src: Valid sources for framesframe-ancestors: Valid parents that may embed a pagebase-uri: Restricts URLs for<base>elementform-action: Valid endpoints for form submissionsreport-uri: URL to send CSP violation reports
CSP Source Values¶
'self': Same origin'none': No sources allowed'unsafe-inline': Allow inline scripts/styles (use with caution)'unsafe-eval': Allow eval() (use with caution)https:: Any HTTPS sourcedata:: Data URIs- Specific domains:
https://trusted.cdn.com
HTTP Strict Transport Security (HSTS)¶
HSTS forces browsers to use HTTPS connections.
HSTS Configuration¶
hsts_config = {
"max_age": 31536000, # 1 year in seconds
"include_subdomains": True, # Apply to all subdomains
"preload": False # Submit to HSTS preload list
}
HSTS Preload Requirements¶
To enable HSTS preload:
- Serve a valid certificate
- Redirect all HTTP to HTTPS
- Serve all subdomains over HTTPS
- Set
max_ageto at least 31536000 (1 year) - Include
includeSubDomains - Include
preload
CORS Integration¶
The Security Headers Manager integrates with CORS configuration:
# CORS headers are automatically added when:
# 1. An origin header is present in the request
# 2. The origin is in the allowed list
cors_config = {
"origins": ["https://app.example.com", "https://admin.example.com"],
"allow_credentials": True,
"allow_methods": ["GET", "POST", "PUT", "DELETE"],
"allow_headers": ["*"]
}
Redis Caching¶
Header configurations are cached in Redis for performance:
- CSP configuration: Cached with key
security_headers:csp_config - HSTS configuration: Cached with key
security_headers:hsts_config - Custom headers: Cached with key
security_headers:custom_headers - TTL: 86400 seconds (24 hours)
Agent Integration¶
When agent is configured, the following events are sent:
security_headers_applied: When headers are added to a responsecsp_violation: When a CSP violation report is received
Example Usage¶
Basic Configuration¶
from fastapi import FastAPI
from guard.middleware import SecurityMiddleware
from guard import SecurityConfig
app = FastAPI()
config = SecurityConfig(
security_headers={
"enabled": True,
"hsts": {
"max_age": 31536000,
"include_subdomains": True,
"preload": False
},
"frame_options": "DENY",
"content_type_options": "nosniff",
"xss_protection": "1; mode=block",
"referrer_policy": "no-referrer",
"permissions_policy": "geolocation=(), microphone=(), camera=()"
}
)
app.add_middleware(SecurityMiddleware, config=config)
Advanced CSP Configuration¶
config = SecurityConfig(
security_headers={
"enabled": True,
"csp": {
"default-src": ["'self'"],
"script-src": ["'self'", "'unsafe-inline'", "https://cdn.jsdelivr.net"],
"style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
"img-src": ["'self'", "data:", "https:"],
"font-src": ["'self'", "https://fonts.gstatic.com"],
"connect-src": ["'self'", "https://api.example.com"],
"frame-ancestors": ["'none'"],
"base-uri": ["'self'"],
"form-action": ["'self'"],
"report-uri": ["/api/csp-report"]
}
}
)
CSP Report Endpoint¶
from fastapi import Request
@app.post("/api/csp-report")
async def handle_csp_report(request: Request):
report = await request.json()
is_valid = await security_headers_manager.validate_csp_report(report)
if is_valid:
# Report is logged automatically by the manager
return {"status": "received"}
return {"status": "invalid"}
Disabling Specific Headers¶
config = SecurityConfig(
security_headers={
"enabled": True,
"frame_options": None, # Disable X-Frame-Options
"permissions_policy": None, # Disable Permissions-Policy
# Other headers remain at defaults
}
)
Best Practices¶
- Gradual HSTS Rollout: Start with a small
max_ageand gradually increase - Test Thoroughly: Security headers can break functionality if too restrictive
- Monitor CSP Reports: Set up monitoring for CSP violations
- Use HTTPS: Many security headers require HTTPS to be effective
- Browser Compatibility: Check browser support for specific headers
Security Considerations¶
- Header Injection Prevention: All header values are validated against injection attacks, newlines, and excessive length
- CORS Security: Wildcard origins (
*) cannot be used with credentials to prevent security vulnerabilities - Thread Safety: SecurityHeadersManager uses thread-safe singleton pattern with double-checked locking
- Cache Security: Cache keys are generated using SHA256 hashing to prevent cache poisoning attacks
- CSP Validation: Unsafe directives like
'unsafe-inline'and'unsafe-eval'trigger security warnings - HSTS Preload: Strict validation ensures preload requirements (max_age ≥ 1 year, includeSubDomains)
- CSP Bypasses: Be aware of potential CSP bypasses with
'unsafe-inline'and'unsafe-eval' - HSTS Commitment: Once HSTS is enabled with a long
max_age, it cannot be easily undone - Frame Options: Consider using CSP's
frame-ancestorsinstead ofX-Frame-Options - Legacy Headers: Some headers like
X-XSS-Protectionare being phased out in modern browsers - Performance: Complex CSP policies can impact page load performance
See Also¶
- HTTP Security Headers Tutorial - Comprehensive guide
- Security Configuration - Configuration options
- Security Middleware - Middleware integration