From Docs here: https://secure.readthedocs.io/en/latest/headers.html

from secure import SecureHeaders
secure_headers = SecureHeaders(csp=True, hsts=False, xfo="DENY")
. . .
secure_headers.framework(response)

but looks like it changed to:

from secure import Secure

The report-to directive should be taking in a 'group-name' string that references the values inside a separate Report-To header.

It looks like this library needs to be updated to:

1. Clean up report_to because it should not be taking a json object, but rather a string corresponding to the group name

2. Add a Report-To header

Happy to send a PR, just wanted to run this by you guys to check that I'm not mistaken or overlooking something.

This header is currently only supported on Chrome, but it's the future once report-uri gets fully deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri

Correct sample policy:

Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint

Hey,

I'm using Tornado 6.0.3 and apparently I have to use a patch (Morsel._reserved['samesite'] = 'SameSite') but the samesite cookies are not being set. Not sure I've understood how to use secure in my code but this is what I've done.

from http.cookies import Morsel
from secure import SecureHeaders
from secure import SecureCookie

Morsel._reserved['samesite'] = 'SameSite'
SECURE_HEADERS = SecureHeaders()
SECURE_COOKIE = SecureCookie(expires=1, samesite=SecureCookie.SameSite.LAX)

class BaseHandler(tornado.web.RequestHandler):
    """Main class used for general functions applying to entire application. """

    def set_default_headers(self):
        """docstring"""
        SECURE_HEADERS.tornado(self)

    def set_samesite_cookie(self, cookie_name, cookie_value):
        """Sets a samesite cookie"""

        SECURE_COOKIE.tornado(self, name=cookie_name, value=cookie_value)

and then I have used this in another class:

self.set_samesite_cookie("user", user_id)

Any suggestions to why it's not working is appreciated!
Thank you!

The example code for starlette proposes to use the middleware decorator: https://secure.readthedocs.io/en/latest/frameworks.html#starlette

Anyhow, this decorator is deprecated, and will be removed in version 1.0.0 - at least there is a warning about that.

The message is:

[...]/site-packages/starlette/applications.py:248: DeprecationWarning: The `middleware` decorator is deprecated, and will be removed in version 1.0.0. Refer to https://www.starlette.io/middleware/#using-middleware for recommended approach.

It would be good to update the help.

I'm using this now, but would not say that I'm confident this is the correct solution:

class SecureHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        secure_headers.framework.starlette(response)
        return response

app.add_middleware(SecureHeadersMiddleware)

Receiving error message on line 87, in cherrypy.

TypeError: tuple_headers() got an unexpected keyword argument 'report_to'

Python Version: Python 3.8.2
SecurePy Version: 0.2.1-py3.8
I installed this to run with SpiderFoot.

The examples of adding a nonce to CSP that I've seen in, e.g., https://csp.withgoogle.com/docs/strict-csp.html#example and https://content-security-policy.com/nonce/ show 'nonce-rAnd0m'.

The CSP3 spec specifies the nonce production as:

; Nonces: 'nonce-[nonce goes here]'
nonce-source  = "'nonce-" [base64-value](https://www.w3.org/TR/CSP3/#grammardef-base64-value) "'"
base64-value  = 1*( [ALPHA](https://tools.ietf.org/html/rfc5234#appendix-B.1) / [DIGIT](https://tools.ietf.org/html/rfc5234#appendix-B.1) / "+" / "/" / "-" / "_" )*2( "=" )

Are the characters < and > even allowed?

Just integrated 'secure' into my flask app, and the documentation has been very useful (thank you!). One adjustment I'd make to the docs, is to mention that leaving a policy empty, like

    secure.PermissionsPolicy()
    .accelerometer()

means it's being disabled.

The main reason I made this issue though, is the missing permission policies.

I don't know whether they are new or not, either way, would be dope to have them added to 'secure' as well.

Apart from the proposed/experimental tabs, the ones I've found are missing are the following ones:

• battery
• cross-origin-isolated
• display-capture
• execution-while-not-rendered
• execution-while-out-of-viewport
• navigation-override
• publickey-credentials-get
• screen-wake-lock
• web-share
• xr-spatial-tracking

And I assume

• Values
• vr

are outdated, since they also throw errors when I attempt to use them?

Hi,

What's the versioning strategy for new releases? I ask as the project appears to use Semantic Versioning, but the latest release 0.3.0 contains breaking changes.

While the report_uri directive is deprecated, currently Report-To header required for report-to directive was removed from spec before it even became a Candidate Recommendation. Instead, current ED of Reporting API has a Reporting-Endpoints header that doesn't use the JSON values like the previous one, instead opting for a simpler groupname="url" syntax (with ability to add multiple comma-separated entries).
Considering that according to caniuse only about 70% of users have support for Report-To header, while over 93% support report-uri directive, for now report-uri seems to be more widely supported and could even live longer than Report-To header.

It can be added as a custom directive, but I think it'd be a good idea to re-add it as a normal directive. report-to CSP directive is still the way to go in the future, but for now it's much less practical due to its companion header not being truly widely supported yet and on its way to be replaced soon.

I am using the following in a FastAPI project

server = secure.Server().set("Secure")

But the result is:

server: uvicorn
server: Secure

ie. it does not override the server header but simply adds another one.