core.securityheaders
¶
- This module provides configuration for most of the http security headers. The features currently supported are:
Content security policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
Strict transport security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
X-Frame-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
X-XSS-Protection (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
X-Permitted-Cross-Domain-Policies (https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html)
Referrer-Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
Permissions-Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
Cross origin isolation (https://web.dev/coop-coep)
If a feature is not yet supported, you could always set the header directly (e.g. by attaching a request preprocessor). ViUR contains a default configuration for most of these headers where possible, however manual review is mandatory for each project.
The content security policy will prevent inline css and javascript by default, but is configured to allow embedding images from cloud-storage and sign-in with google.
Strict transport security is enabled by default (with a TTL of one year), but without preload or include-subdomains.
X-Frame-Options is limited to the same origin, preventing urls from this project from being embedded in iframes that don’t originate from the same origin.
X-XSS-Protection is enabled.
X-Content-Type-Options is set to nosniff
X-Permitted-Cross-Domain-Policies is set to “none”, denying embedding resources in pdf files and the like
Referrer-Policy is set to strict-origin, preventing leakage of URLs to 3rd-partys.
The Permissions-Policy will only allow auto-play by default (thus access to the camera-api etc. is disabled)
Cross origin isolation is currently disabled by default (as it’s incompatible with many popular services like embedding a map or sign-in with google).
ViUR also protects it’s cookies by default (setting httponly, secure and samesite=lax). This can be changed by setting the corresponding class-level variables on class:Session<viur.core.session.Session>.
Module Contents¶
Functions¶
|
This function helps configuring and reporting of content security policy rules and violations. |
Rebuilds the internal conf.security.content_security_policy["_headerCache"] dictionary, ie. it constructs |
|
|
Adds additional csp rules to the current request. ViUR will emit a default csp-header based on the |
|
Enables HTTP strict transport security. |
|
Sets X-Frame-Options to prevent click-jacking attacks. |
|
Sets X-XSS-Protection header. If set, mode will always be block. |
|
Sets X-Content-Type-Options if enable is true, otherwise no header is emited. |
|
|
Rebuilds the internal conf.security.permissions_policy["_headerCache"] string, ie. it constructs |
|
|
Set the permission policy. |
|
Configures the cross origin isolation header that ViUR may emit. This is necessary to enable features like |
Attributes¶
- core.securityheaders.addCspRule(objectType, srcOrDirective, enforceMode='monitor')¶
This function helps configuring and reporting of content security policy rules and violations. To enable CSP, call addCspRule() from your projects main file before calling server.setup().
# Example Usage # Enable CSP for all types and made us the only allowed source security.addCspRule("default-src","self","enforce") # Start a new set of rules for stylesheets whitelist us security.addCspRule("style-src","self","enforce") # This is currently needed for TextBones! security.addCspRule("style-src","unsafe-inline","enforce")
If you don’t want these rules to be enforced and just getting a report of violations replace “enforce” with “monitor”. To add a report-url use something like:
security.addCspRule("report-uri","/cspReport","enforce")
and register a function at /cspReport to handle the reports.
..note:
Our tests showed that enabling a report-url on production systems has limited use. There are literally thousands of browser-extensions out there that inject code into the pages displayed. This causes a whole flood of violations-spam to your report-url.
- Parameters:
objectType (str) – For which type of objects should this directive be enforced? (script-src, img-src, …)
srcOrDirective (str) – Either a domain which should be white-listed or a CSP-Keyword like ‘self’, ‘unsafe-inline’, etc.
enforceMode (str) – Should this directive be enforced or just logged?
- core.securityheaders._rebuildCspHeaderCache()¶
Rebuilds the internal conf.security.content_security_policy[“_headerCache”] dictionary, ie. it constructs the Content-Security-Policy-Report-Only and Content-Security-Policy headers based on what has been passed to ‘addRule’ earlier on. Should not be called directly.
- core.securityheaders.extendCsp(additionalRules=None, overrideRules=None)¶
Adds additional csp rules to the current request. ViUR will emit a default csp-header based on the project-wide config. For some requests, it’s needed to extend or override these rules without having to include them in the project config. Each dictionary must be in the same format as the conf.security.content_security_policy. Values in additionalRules will extend the project-specific configuration, while overrideRules will replace them.
..Note: This function will only work on CSP-Rules in “enforce” mode, “monitor” is not suppored
- Parameters:
additionalRules (dict) – Dictionary with additional csp-rules to emit
overrideRules (dict) – Values in this dictionary will override the corresponding default rule
- Return type:
None
- core.securityheaders.enableStrictTransportSecurity(maxAge=365 * 24 * 60 * 60, includeSubDomains=False, preload=False)¶
Enables HTTP strict transport security.
- Parameters:
maxAge (int) – The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubDomains (bool) – If this parameter is set, this rule applies to all of the site’s subdomains as well.
preload (bool) – If set, we’ll issue a hint that preloading would be appreciated.
- Return type:
None
- core.securityheaders.setXFrameOptions(action, uri=None)¶
Sets X-Frame-Options to prevent click-jacking attacks. :param action: off | deny | sameorigin | allow-from :param uri: URL to whitelist
- Parameters:
action (str) –
uri (Optional[str]) –
- Return type:
None
- core.securityheaders.setXXssProtection(enable)¶
Sets X-XSS-Protection header. If set, mode will always be block. :param enable: Enable the protection or not. Set to None to drop this header
- Parameters:
enable (Optional[bool]) –
- Return type:
None
- core.securityheaders.setXContentTypeNoSniff(enable)¶
Sets X-Content-Type-Options if enable is true, otherwise no header is emited. :param enable: Enable emitting this header or not
- Parameters:
enable (bool) –
- Return type:
None
- core.securityheaders.setXPermittedCrossDomainPolicies(value)¶
- Parameters:
value (str) –
- Return type:
None
- core.securityheaders.validReferrerPolicies = ['no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',...¶
- core.securityheaders.setReferrerPolicy(policy)¶
- Parameters:
policy (str) – The referrer policy to send
- core.securityheaders._rebuildPermissionHeaderCache()¶
Rebuilds the internal conf.security.permissions_policy[“_headerCache”] string, ie. it constructs the actual header string that’s being emitted to the clients.
- Return type:
None
- core.securityheaders.setPermissionPolicyDirective(directive, allowList)¶
- Set the permission policy.
- param directive:
The directive to set. Must be one of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy#directives
- param allowList:
The list of allowed origins. Use “self” to allow the current domain. Empty list means the feature will be disabled by the browser (it’s not accessible by javascript)
- Parameters:
directive (str) –
allowList (Optional[list[str]]) –
- Return type:
None
- core.securityheaders.setCrossOriginIsolation(coep, coop, corp)¶
Configures the cross origin isolation header that ViUR may emit. This is necessary to enable features like SharedArrayBuffer. See https://web.dev/coop-coep for more information.
- param coep:
If set True, we’ll emit Cross-Origin-Embedder-Policy: - require-corp
- param coop:
The value for the Cross-Origin-Opener-Policy header. Valid values are - same-origin - same-origin-allow-popups - unsafe-none
- param corp:
The value for the Cross-Origin-Resource-Policy header. Valid values are - same-site - same-origin - cross-origin
- Parameters:
coep (bool) –
coop (str) –
corp (str) –
- Return type:
None