# bacinet
Helmet-like HTTP response headers for FastAPI.
_This is alpha software lacking testing and proper documentation. Use at your own risk!_
## Basic usage
Install package via `pip install bacinet`.
In your code, import `apply` from the package and call it from an HTTP middleware on your app:
```python
from bacinet import apply
from fastapi import FastAPI, Request

app = FastAPI()


@app.middleware("http")
async def add_bacinet(request: Request, call_next):
    response = await call_next(request)
    # Adds the security headers (and strips X-Powered-By) before the response leaves the app.
    apply(response.headers)
    return response
```
Alternatively, you can use an ASGI-conformant middleware:
```python
from bacinet import BacinetMiddleware
from fastapi import FastAPI

app = FastAPI()
app.add_middleware(BacinetMiddleware)
```
To change the default options, import the `options` dictionary from bacinet and overwrite the entries you need:
```python
from bacinet import options
options["X-DNS-Prefetch-Control"] = "on"
```
You can also import individual header functions (like `x_download_options`) and call them from your own applicator function, which can then be passed to the `BacinetMiddleware` constructor.
## Headers
In its default configuration, the middleware sets or removes the following headers:
| Header | Default | Description |
| :-------------------------------- | :---------------------------------: | :------------------------------------------------------------------------------------- |
| Origin-Agent-Cluster | `?1` | https://github.com/WICG/origin-agent-cluster |
| X-Content-Type-Options | `nosniff` | Prevents MIME type sniffing attacks |
| X-XSS-Protection | `1` | Enables XSS filtering and page sanitation in the browser |
| X-Powered-By | _removed_ | Header gets removed to hinder server identification |
| X-Download-Options | `noopen` | Prevent automated opening of downloads in legacy browsers |
| X-DNS-Prefetch-Control | `off` | Prevents general DNS prefetching for links |
| Cross-Origin-Resource-Policy | `same-origin` | Disallow cross-origin no-cors requests |
| X-Frame-Options | `DENY` | Deny embedding in other sites |
| Cross-Origin-Opener-Policy | `same-origin` | Deny sharing browsing context with cross-origin documents |
| X-Permitted-Cross-Domain-Policies | `none` | Disallow document embedding of the resource |
| Cross-Origin-Embedder-Policy | `require-corp` | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy |
| Referrer-Policy | `no-referrer` | Do not send referrer headers |
| Content-Security-Policy | see below | Restrict resource access |
| Strict-Transport-Security | `maxAge=15552000;includeSubDomains` | Make sure that the site is only accessed via https |
### Default Content-Security-Policy directives
The default Content-Security-Policy consists of the following directives:
- `default-src 'self';base-uri 'self'`
- `font-src 'self' https: data:`
- `form-action 'self'`
- `frame-ancestors 'self'`
- `img-src 'self' data:`
- `object-src 'none'`
- `script-src 'self'`
- `script-src-attr 'none'`
- `style-src 'self' https: 'unsafe-inline'`
- `upgrade-insecure-requests`
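As an added example (not bacinet's own code), the following audit checks a response's headers against the defaults listed in the table and CSP list above, so a test or a log-review script can confirm the middleware was actually applied; the sample response at the end is constructed.

```python
# Added example, not bacinet's own code: audit a response's headers against the
# defaults documented above; names compare case-insensitively, as HTTP requires.
EXPECTED_DEFAULTS = {
    "Origin-Agent-Cluster": "?1",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1",
    "X-Download-Options": "noopen",
    "X-DNS-Prefetch-Control": "off",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Opener-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "maxAge=15552000;includeSubDomains",
}
EXPECTED_ABSENT = {"X-Powered-By"}  # documented as stripped; presence is a finding

def parse_csp(value: str) -> dict[str, list[str]]:
    directives = {}  # e.g. "img-src 'self' data:" -> {"img-src": ["'self'", "data:"]}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the documented defaults are in place."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED_DEFAULTS.items():
        got = lowered.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    for name in EXPECTED_ABSENT:
        if name.lower() in lowered:
            findings.append(f"{name} present ({lowered[name.lower()]!r}); should be removed")
    csp = parse_csp(lowered.get("content-security-policy", ""))
    if csp.get("object-src") != ["'none'"]:
        findings.append("CSP object-src is not 'none'")
    if "'unsafe-inline'" in csp.get("script-src", []):
        findings.append("CSP script-src allows 'unsafe-inline'")
    return findings

# Constructed sample: headers from an app that skipped the middleware.
SAMPLE_RESPONSE = {"content-type": "text/html", "X-Powered-By": "Uvicorn",
                   "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "default-src 'self'"}
```

Running `audit_headers(SAMPLE_RESPONSE)` reports the missing defaults, the weakened X-Frame-Options, the leaked server banner and the absent `object-src 'none'`.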
Raw data
{
"_id": null,
"home_page": "https://github.com/hbel/bacinet",
"name": "bacinet",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": "",
"keywords": "FastAPI headers http",
"author": "Hendrik Belitz",
"author_email": "hendrik@hendrikbelitz.de",
"download_url": "https://files.pythonhosted.org/packages/a7/0b/fd0ba4d7fdd82119d09b8c556b113b4823738e6128c43f948d3a6660c36d/bacinet-0.0.6.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "",
"summary": "Setting up security-relevant response headers in FastAPI",
"version": "0.0.6",
"project_urls": {
"Homepage": "https://github.com/hbel/bacinet"
},
"split_keywords": [
"fastapi",
"headers",
"http"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "a70bfd0ba4d7fdd82119d09b8c556b113b4823738e6128c43f948d3a6660c36d",
"md5": "9b2eb184d42121ddd265067e641bb06a",
"sha256": "6ead69ed77351731aab04b1feb9e36eb6f731e2d3dd62e4912320c2e4ad8dde8"
},
"downloads": -1,
"filename": "bacinet-0.0.6.tar.gz",
"has_sig": false,
"md5_digest": "9b2eb184d42121ddd265067e641bb06a",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 6105,
"upload_time": "2023-11-07T13:37:33",
"upload_time_iso_8601": "2023-11-07T13:37:33.978399Z",
"url": "https://files.pythonhosted.org/packages/a7/0b/fd0ba4d7fdd82119d09b8c556b113b4823738e6128c43f948d3a6660c36d/bacinet-0.0.6.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-11-07 13:37:33",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "hbel",
"github_project": "bacinet",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "bacinet"
}