Security

Added in v1.3.0.

`CspGenerator`

A utility class to generate a CSP.

Examples

from tna_utilities.security import CspGenerator

generator = CspGenerator()

# Add a single directive source (plus 'self')
generator.script_src("example.com")

# Add multiple sources for a directive (plus 'self')
generator.style_src("example.com", "another.net")

# Add a directive source without allowing 'self'
generator.object_src("example.com", omit_self=True)

# Disallow a directive
generator.disallow("worker-src")

generator.get_csp()
# default-src 'self'; script-src 'self' example.com; style-src 'self' example.com another.net; object-src example.com; worker-src 'none';

`security_headers`

Get a dictionary of common security headers.

Arguments

Argument	Description	Default
`x_frame_options`	The option for the `X-Frame-Options` header	`DENY`
`x_permitted_cross_domain_policies`	The option for the `X-Permitted-Cross-Domain-Policies` header	`none`
`cross_origin_embedder_policy`	The option for the `Cross-Origin-Embedder-Policy` header	`unsafe-none`
`cross_origin_opener_policy`	The option for the `Cross-Origin-Opener-Policy` header	`same-origin`
`cross_origin_resource_policy`	The option for the `Cross-Origin-Resource-Policy` header	`same-origin`

Example

from tna_utilities.security import security_headers

print(security_headers())
# {
#   "X-Frame-Options": "DENY",
#   "X-Permitted-Cross-Domain-Policies": "none",
#   "Cross-Origin-Embedder-Policy": "unsafe-none",
#   "Cross-Origin-Opener-Policy": "same-origin",
#   "Cross-Origin-Resource-Policy": "same-origin",
# }