The latest articles on Forem by tmotagam (@tmotagam). https://forem.com/tmotagam https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F999935%2F7c12135c-fa90-4ee2-8e4d-87ae25450c8a.png https://forem.com/tmotagam en tmotagam Sun, 01 Jan 2023 15:21:36 +0000 https://forem.com/tmotagam/introducing-secweb-security-headers-for-fastapi-and-starlette-framework-4ohl https://forem.com/tmotagam/introducing-secweb-security-headers-for-fastapi-and-starlette-framework-4ohl <h2> UPDATE </h2> <p>Secweb now supports CSP report-only header, Removed the Expect-CT header, added Clear-Site-Data and Cache-Control headers, added an easier way to write headers, and added types for improved developer experience.</p> <h2> What is Secweb? </h2> <p>Secweb is a library of middlewares that helps you in setting security headers in FastAPI and Starlette frameworks. It uses ASGI Middleware implementation which improves performance and has very little overhead. Implements recommendations from MDN and OWASP. This allows the library to stay up to date with all the newer standards and best practices.</p> <h2> Why Use Secweb? </h2> <p>Secweb makes it easy to add security headers or to change the parameters of those headers without you having to get your hands into the intricacies of the Starlette framework so you can write your business logic without any worries and it also secures all of your APIs.</p> <h2> How to Use Secweb </h2> <p>First we will install the library using the pip command. You can use any package manager you like, e.g., poetry, conda, pipenv, etc.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">pip</span><span class="w"> </span><span class="nx">install</span><span class="w"> </span><span class="nx">Secweb</span><span class="w"> </span></code></pre> </div> <p>Now you can import it into any of your existing or new FastAPI or Starlette projects. For this blog, I am creating a new dummy FastAPI project.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">Secweb</span> <span class="kn">import</span> <span class="n">SecWeb</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nc">SecWeb</span><span class="p">(</span><span class="n">app</span><span class="o">=</span><span class="n">app</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'</span><span class="s">Hello World</span><span class="sh">'</span><span class="p">}</span> </code></pre> </div> <p>Now your API is secured by Secweb. It is this easy to add Secweb to your projects. All the important headers are activated by default (e.g., Content Security Policy (CSP), Strict Transport Security (HSTS), etc.). If you want you can even change all the parameters of those headers according to your needs. Don't worry—all the other headers are also activated with their default settings so that you don't unnecessarily increase security risk of your APIs.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">Secweb</span> <span class="kn">import</span> <span class="n">SecWeb</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nc">SecWeb</span><span class="p">(</span><span class="n">app</span><span class="o">=</span><span class="n">app</span><span class="p">,</span> <span class="n">Option</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">hsts</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">max-age</span><span class="sh">'</span><span class="p">:</span> <span class="mi">432000</span><span class="p">,</span> <span class="sh">'</span><span class="s">preload</span><span class="sh">'</span><span class="p">:</span> <span class="bp">False</span><span class="p">}})</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'</span><span class="s">Hello World</span><span class="sh">'</span><span class="p">}</span> </code></pre> </div> <p>All the headers are also available as standalone in the library for you to use. Remember that using only the standalone headers will only activate those headers, others will remain deactivated.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">Secweb.ContentSecurityPolicy</span> <span class="kn">import</span> <span class="n">ContentSecurityPolicy</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span><span class="n">ContentSecurityPolicy</span><span class="p">,</span> <span class="n">Option</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">default-src</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="sh">"'</span><span class="s">self</span><span class="sh">'"</span><span class="p">],</span> <span class="sh">'</span><span class="s">style-src</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="sh">"'</span><span class="s">self</span><span class="sh">'"</span><span class="p">]})</span> <span class="c1"># report-only mode # app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'style-src': ["'self'"]}, report_only=True) </span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">'</span><span class="s">Hello World</span><span class="sh">'</span><span class="p">}</span> </code></pre> </div> <p>For more information on all the headers provided by the Secweb library you can go to <a href="https://github.com/tmotagam/secweb#readme" rel="noopener noreferrer">GitHub</a> to read the detailed documentation.</p> <p>Hope this helps you in your projects 👋 Bye.</p> fastapi python security webdev