core.securityheaders

Module Contents

Functions

addCspRule(objectType, srcOrDirective, enforceMode='monitor')

This function helps configuring and reporting of content security policy rules and violations.

_rebuildCspHeaderCache()

Rebuilds the internal conf["viur.security.contentSecurityPolicy"]["_headerCache"] dictionary, i.e. it constructs the Content-Security-Policy and Content-Security-Policy-Report-Only headers.

enableStrictTransportSecurity(maxAge=365 * 24 * 60 * 60, includeSubDomains=False, preload=False)

Enables HTTP strict transport security.

setPublicKeyPins(pins, method='sha256', maxAge=2 * 24 * 60 * 60, includeSubDomains=False, reportUri=None)

Set certificate pins. There must be at least two pins.

setXFrameOptions(action, uri=None)

Sets X-Frame-Options to prevent click-jacking attacks.

setXXssProtection(enable)

Sets X-XSS-Protection header. If set, mode will always be block.

setXContentTypeNoSniff(enable)

Sets X-Content-Type-Options if enable is true, otherwise no header is emitted.

setXPermittedCrossDomainPolicies(value)

core.securityheaders.addCspRule(objectType, srcOrDirective, enforceMode='monitor')

This function helps with configuring and reporting of Content Security Policy rules and violations. To enable CSP, call addCspRule() from your project's main file before calling server.setup().

Example usage:

security.addCspRule("default-src", "self", "enforce")  # Enable CSP for all types and make us the only allowed source

security.addCspRule("style-src", "self", "enforce")  # Start a new set of rules for stylesheets; whitelist us
security.addCspRule("style-src", "unsafe-inline", "enforce")  # This is currently needed for textBones!

If you don't want these rules to be enforced and just want a report of violations, replace "enforce" with "monitor". To add a report URI, use something like:

security.addCspRule("report-uri", "/cspReport", "enforce")

and register a function at /cspReport to handle the reports.

Note

Our tests showed that enabling a report-url on production systems has limited use. There are literally thousands of browser-extensions out there that inject code into the pages displayed. This causes a whole flood of violations-spam to your report-url.

Parameters
  • objectType (str) – For which type of objects should this directive be enforced? (script-src, img-src, …)

  • srcOrDirective (str) – Either a domain which should be white-listed or a CSP keyword like 'self', 'unsafe-inline', etc.

  • enforceMode ('monitor' or 'enforce') – Should this directive be enforced or just logged?

core.securityheaders._rebuildCspHeaderCache()

Rebuilds the internal conf["viur.security.contentSecurityPolicy"]["_headerCache"] dictionary, i.e. it constructs the Content-Security-Policy-Report-Only and Content-Security-Policy headers based on what has been passed to addCspRule() earlier on. Should not be called directly.
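The following is an added illustration of how the rule collection described under addCspRule() and the header construction described here fit together. It is not ViUR's own code: the conf layout, the function names and the quoting rule for CSP keywords are assumptions made for this example.

```python
# Constructed stand-in for conf["viur.security.contentSecurityPolicy"]:
# rules are kept per mode, the built headers land in "_headerCache".
csp_conf = {"enforce": {}, "monitor": {}, "_headerCache": {}}

# CSP keywords must be single-quoted in the header value; host and scheme
# sources (example.invalid, https:, data:) and report paths are not.
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def add_csp_rule(object_type, src_or_directive, enforce_mode="monitor"):
    """Record one source for a directive in either the enforce or the
    monitor rule set, then rebuild the header cache."""
    if enforce_mode not in ("monitor", "enforce"):
        raise ValueError("enforceMode must be 'monitor' or 'enforce'")
    sources = csp_conf[enforce_mode].setdefault(object_type, [])
    if src_or_directive not in sources:
        sources.append(src_or_directive)
    rebuild_csp_header_cache()


def _format_directive(name, sources):
    """Render one directive, quoting keywords and leaving hosts bare."""
    parts = ["'%s'" % s if s in CSP_KEYWORDS else s for s in sources]
    return "%s %s" % (name, " ".join(parts))


def rebuild_csp_header_cache():
    """Build Content-Security-Policy from the enforce rules and
    Content-Security-Policy-Report-Only from the monitor rules.
    A header is only emitted when its rule set is non-empty."""
    cache = {}
    for mode, header in (("enforce", "Content-Security-Policy"),
                         ("monitor", "Content-Security-Policy-Report-Only")):
        rules = csp_conf[mode]
        if rules:
            cache[header] = "; ".join(_format_directive(d, s) for d, s in rules.items())
    csp_conf["_headerCache"] = cache
    return cache


if __name__ == "__main__":
    add_csp_rule("default-src", "self", "enforce")
    add_csp_rule("style-src", "self", "enforce")
    add_csp_rule("style-src", "unsafe-inline", "enforce")
    add_csp_rule("report-uri", "/cspReport", "enforce")
    add_csp_rule("img-src", "https://cdn.example.invalid", "monitor")
    for name, value in csp_conf["_headerCache"].items():
        print("%s: %s" % (name, value))
```

Running the block prints one enforced header covering default-src, style-src and report-uri, and a separate Report-Only header carrying only the monitored img-src rule.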

core.securityheaders.enableStrictTransportSecurity(maxAge=365 * 24 * 60 * 60, includeSubDomains=False, preload=False)

Enables HTTP strict transport security.

Parameters
  • maxAge – The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.

  • includeSubDomains – If this parameter is set, this rule applies to all of the site’s subdomains as well.

  • preload – If set, we'll issue a hint that preloading would be appreciated.

Returns

None

core.securityheaders.setPublicKeyPins(pins, method='sha256', maxAge=2 * 24 * 60 * 60, includeSubDomains=False, reportUri=None)

Set certificate pins. There must be at least two pins. See https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning for more details.

Parameters
  • pins – List of pins.

  • method – Hash algorithm used. Currently must be sha256.

  • maxAge – The time, in seconds, that the browser should remember that this site is only to be accessed using one of the pinned keys.

  • includeSubDomains – If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

  • reportUri – If this optional parameter is specified, pin validation failures are reported to the given URL.

Returns

None

core.securityheaders.setXFrameOptions(action, uri=None)

Sets X-Frame-Options to prevent click-jacking attacks.

Parameters
  • action (str) – off | deny | sameorigin | allow-from

  • uri (str) – URL to whitelist (used with allow-from).

Returns

None

core.securityheaders.setXXssProtection(enable)

Sets X-XSS-Protection header. If set, mode will always be block.

Parameters
  • enable (bool | None) – Enable the protection or not. Set to None to drop this header.

Returns

None

core.securityheaders.setXContentTypeNoSniff(enable)

Sets X-Content-Type-Options if enable is true, otherwise no header is emitted.

Parameters
  • enable (bool) – Enable emitting this header or not.

Returns

None

core.securityheaders.setXPermittedCrossDomainPolicies(value)