
tmotagam


Introducing Secweb security headers for FastAPI and Starlette frameworks

UPDATE

Secweb now supports the CSP report-only header, removes the deprecated Expect-CT header, adds the Clear-Site-Data and Cache-Control headers, offers an easier way to write headers, and ships type hints for an improved developer experience.

What is Secweb?

Secweb is a library of middlewares that helps you set security headers in the FastAPI and Starlette frameworks. It is implemented as pure ASGI middleware, which keeps the overhead very low, and it implements the recommendations from MDN and OWASP, which lets the library stay up to date with newer standards and best practices.

Why Use Secweb?

Secweb makes it easy to add security headers, or to change the parameters of those headers, without getting your hands into the intricacies of the Starlette framework, so you can focus on your business logic while all of your APIs are secured.

How to Use Secweb

First we will install the library using pip. You can use any package manager you like (poetry, conda, pipenv, etc.).

pip install Secweb

Now you can import it into any of your existing or new FastAPI or Starlette projects. For this blog, I am creating a new dummy FastAPI project.

Example:

from fastapi import FastAPI
from Secweb import SecWeb

app = FastAPI()
SecWeb(app=app)  # registers every Secweb header middleware with its default settings

@app.get("/")
async def root():
    return {"message": 'Hello World'}

Now your API is secured by Secweb; adding it to your projects is this easy. All the important headers are activated by default (e.g., Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), etc.). If you want, you can change all the parameters of those headers according to your needs. Don't worry, all the other headers stay activated with their default settings, so tuning one header does not unnecessarily increase the security risk of your APIs.

Example:

from fastapi import FastAPI
from Secweb import SecWeb

app = FastAPI()
SecWeb(app=app, Option={'hsts': {'max-age': 432000, 'preload': False}})  # override only the HSTS parameters; other headers keep their defaults

@app.get("/")
async def root():
    return {"message": 'Hello World'}

All the headers are also available as standalone middlewares in the library. Remember that using only the standalone middlewares activates only those headers; the others remain deactivated.

Example:

from fastapi import FastAPI
from Secweb.ContentSecurityPolicy import ContentSecurityPolicy

app = FastAPI()
app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'style-src': ["'self'"]})
# report-only mode
# app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'style-src': ["'self'"]}, report_only=True)

@app.get("/")
async def root():
    return {"message": 'Hello World'}
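To show what a pure ASGI header middleware like the ones above actually does on the wire, here is an added, framework-free illustration (not Secweb's code): hypothetical build_csp and build_hsts helpers serialise Option dicts of the same shape as in the examples, a minimal middleware appends the resulting headers to the http.response.start message, and response_headers drives one request through it offline so you can verify which headers a client would receive. Assumptions: hello_app is a constructed stand-in for the FastAPI app, and the HSTS helper only handles the max-age and preload keys.

```python
import asyncio

def build_csp(directives, report_only=False):
    """Hypothetical helper: {'default-src': ["'self'"], ...} -> (name, value) as bytes."""
    name = b"content-security-policy-report-only" if report_only else b"content-security-policy"
    value = "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())
    return name, value.encode()

def build_hsts(opts):
    """Hypothetical helper: {'max-age': N, 'preload': bool} -> (name, value) as bytes."""
    parts = [f"max-age={opts['max-age']}"]
    if opts.get("preload"):
        parts.append("preload")
    return b"strict-transport-security", "; ".join(parts).encode()

class SecurityHeadersMiddleware:
    """Pure ASGI middleware: adds headers to the http.response.start message only."""
    def __init__(self, app, headers):
        self.app, self.headers = app, list(headers)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":          # leave websocket/lifespan traffic untouched
            await self.app(scope, receive, send)
            return
        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                message.setdefault("headers", []).extend(self.headers)
            await send(message)
        await self.app(scope, receive, send_wrapper)

async def hello_app(scope, receive, send):
    """Constructed stand-in for the FastAPI app: plain ASGI, so no framework is needed."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"message": "Hello World"}'})

def response_headers(app):
    """Drive one GET / through the app offline and return its response headers as a dict."""
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(app({"type": "http", "method": "GET", "path": "/", "headers": []}, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode(): v.decode() for k, v in start["headers"]}

app = SecurityHeadersMiddleware(hello_app, [
    build_csp({"default-src": ["'self'"], "style-src": ["'self'"]}),
    build_hsts({"max-age": 432000, "preload": False}),
])
```

Calling response_headers(app) returns the content-type header from the app plus the CSP and HSTS headers injected by the middleware, which is the same check you would run against a real deployment with curl -I or the framework's test client.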

For more information on all the headers provided by the Secweb library, go to GitHub and read the detailed documentation.

Hope this helps you in your projects 👋 Bye.

Top comments (1)

tmotagam

Thanks for reading! 🚀

If you're using FastAPI, what's your current go-to way to handle security headers (CSP, HSTS, etc.)? Have you tried any other middleware, or is this something you've been looking for?

Drop your thoughts or questions below — happy to answer! 👇