core.securityheaders

This module provides configuration for most of the http security headers. The features currently supported are

If a feature is not yet supported, you could always set the header directly (e.g. by attaching a request preprocessor). ViUR contains a default configuration for most of these headers where possible, however manual review is mandatory for each project.

The content security policy will prevent inline css and javascript by default, but is configured to allow embedding images from cloud-storage and sign-in with google.

Strict transport security is enabled by default (with a TTL of one year), but without preload or include-subdomains.

X-Frame-Options is limited to the same origin, preventing urls from this project from being embedded in iframes that don’t originate from the same origin.

X-XSS-Protection is enabled.

X-Content-Type-Options is set to nosniff

X-Permitted-Cross-Domain-Policies is set to “none”, denying embedding resources in pdf files and the like

Referrer-Policy is set to strict-origin, preventing leakage of URLs to 3rd-partys.

The Permissions-Policy will only allow auto-play by default (thus access to the camera-api etc. is disabled)

Cross origin isolation is currently disabled by default (as it’s incompatible with many popular services like embedding a map or sign-in with google).

ViUR also protects it’s cookies by default (setting httponly, secure and samesite=lax). This can be changed by setting the corresponding class-level variables on class:GaeSession<viur.core.session.GaeSession>.

Module Contents

Functions

addCspRule(objectType, srcOrDirective[, enforceMode])

This function helps configuring and reporting of content security policy rules and violations.

_rebuildCspHeaderCache()

Rebuilds the internal conf["viur.security.contentSecurityPolicy"]["_headerCache"] dictionary, ie. it constructs

extendCsp(→ None)

Adds additional csp rules to the current request. ViUR will emit a default csp-header based on the

enableStrictTransportSecurity(→ None)

Enables HTTP strict transport security.

setXFrameOptions(→ None)

Sets X-Frame-Options to prevent click-jacking attacks.

setXXssProtection(→ None)

Sets X-XSS-Protection header. If set, mode will always be block.

setXContentTypeNoSniff(→ None)

Sets X-Content-Type-Options if enable is true, otherwise no header is emited.

setXPermittedCrossDomainPolicies(→ None)

setReferrerPolicy(policy)

param policy:

The referrer policy to send

_rebuildPermissionHeaderCache(→ None)

Rebuilds the internal conf["viur.security.permissionsPolicy"]["_headerCache"] string, ie. it constructs

setPermissionPolicyDirective(→ None)

Set the permission policy :param: directive the list of allowed origins in :param: allowList.

setCrossOriginIsolation(→ None)

Configures the cross origin isolation header that ViUR may emit. This is necessary to enable features like

Attributes

validReferrerPolicies

core.securityheaders.addCspRule(objectType: str, srcOrDirective: str, enforceMode: str = 'monitor')

This function helps configuring and reporting of content security policy rules and violations. To enable CSP, call addCspRule() from your projects main file before calling server.setup().

Example usage:

security.addCspRule("default-src","self","enforce") #Enable CSP for all types and made us the only allowed source

security.addCspRule("style-src","self","enforce") # Start a new set of rules for stylesheets whitelist us
security.addCspRule("style-src","unsafe-inline","enforce") # This is currently needed for TextBones!

If you don’t want these rules to be enforced and just getting a report of violations replace “enforce” with “monitor”. To add a report-url use something like:

security.addCspRule("report-uri","/cspReport","enforce")

and register a function at /cspReport to handle the reports.

..note:

Our tests showed that enabling a report-url on production systems has limited use. There are literally
thousands of browser-extensions out there that inject code into the pages displayed. This causes a whole
flood of violations-spam to your report-url.
Parameters:
  • objectType – For which type of objects should this directive be enforced? (script-src, img-src, …)

  • srcOrDirective – Either a domain which should be white-listed or a CSP-Keyword like ‘self’, ‘unsafe-inline’, etc.

  • enforceMode – Should this directive be enforced or just logged?

core.securityheaders._rebuildCspHeaderCache()

Rebuilds the internal conf[“viur.security.contentSecurityPolicy”][“_headerCache”] dictionary, ie. it constructs the Content-Security-Policy-Report-Only and Content-Security-Policy headers based on what has been passed to ‘addRule’ earlier on. Should not be called directly.

core.securityheaders.extendCsp(additionalRules: dict = None, overrideRules: dict = None) None

Adds additional csp rules to the current request. ViUR will emit a default csp-header based on the project-wide config. For some requests, it’s needed to extend or override these rules without having to include them in the project config. Each dictionary must be in the same format as the conf[“viur.security.contentSecurityPolicy”]. Values in additionalRules will extend the project-specific configuration, while overrideRules will replace them.

..Note: This function will only work on CSP-Rules in “enforce” mode, “monitor” is not suppored

Parameters:
  • additionalRules – Dictionary with additional csp-rules to emit

  • overrideRules – Values in this dictionary will override the corresponding default rule

core.securityheaders.enableStrictTransportSecurity(maxAge: int = 365 * 24 * 60 * 60, includeSubDomains: bool = False, preload: bool = False) None

Enables HTTP strict transport security.

Parameters:
  • maxAge – The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.

  • includeSubDomains – If this parameter is set, this rule applies to all of the site’s subdomains as well.

  • preload – If set, we’ll issue a hint that preloading would be appreciated.

core.securityheaders.setXFrameOptions(action: str, uri: str | None = None) None

Sets X-Frame-Options to prevent click-jacking attacks. :param action: off | deny | sameorigin | allow-from :param uri: URL to whitelist

core.securityheaders.setXXssProtection(enable: bool | None) None

Sets X-XSS-Protection header. If set, mode will always be block. :param enable: Enable the protection or not. Set to None to drop this header

core.securityheaders.setXContentTypeNoSniff(enable: bool) None

Sets X-Content-Type-Options if enable is true, otherwise no header is emited. :param enable: Enable emitting this header or not

core.securityheaders.setXPermittedCrossDomainPolicies(value: str) None
core.securityheaders.validReferrerPolicies = ['no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',...
core.securityheaders.setReferrerPolicy(policy: str)
Parameters:

policy – The referrer policy to send

core.securityheaders._rebuildPermissionHeaderCache() None

Rebuilds the internal conf[“viur.security.permissionsPolicy”][“_headerCache”] string, ie. it constructs the actual header string that’s being emitted to the clients.

core.securityheaders.setPermissionPolicyDirective(directive: str, allowList: List[str] | None) None

Set the permission policy :param: directive the list of allowed origins in :param: allowList. :param directive: The directive to set. Must be one of

Parameters:

allowList – The list of allowed origins. Use “self” to allow the current domain. Empty list means the feature will be disabled by the browser (it’s not accessible by javascript)

core.securityheaders.setCrossOriginIsolation(coep: bool, coop: str, corp: str) None

Configures the cross origin isolation header that ViUR may emit. This is necessary to enable features like SharedArrayBuffer. See https://web.dev/coop-coep for more information. :param coep: If set True, we’ll emit Cross-Origin-Embedder-Policy: require-corp :param coop: The value for the Cross-Origin-Opener-Policy header. Valid values are

same-origin | same-origin-allow-popups | unsafe-none

Parameters:

corp – The value for the Cross-Origin-Resource-Policy header. Valid values are same-site | same-origin | cross-origin