framework and csp documentation updates

cak · cak · commit 35dc516b1f0c · 2024-09-25T05:46:12.000-04:00
- Added documentation for using nonce with strict-dynamic in Content-Security-Policy.
- Updated async frameworks to use async set_headers method.
- Added CherryPy, Masonite, and Responder integration examples to the documentation.
diff --git a/README.md b/README.md
@@ -28,24 +28,24 @@ In today's web landscape, security is paramount. **secure.py** is a lightweight
 
 **secure.py** supports the following Python web frameworks:
 
-| Framework                                     | Documentation                                        |
-| --------------------------------------------- | ---------------------------------------------------- |
-| [aiohttp](https://docs.aiohttp.org)           | [Integration Guide](./docs/frameworks.md#aiohttp)    |
-| [Bottle](https://bottlepy.org)                | [Integration Guide](./docs/frameworks.md#bottle)     |
-| [CherryPy](https://cherrypy.org)              | [Integration Guide](./docs/frameworks.md#cherrypy)   |
-| [Django](https://www.djangoproject.com)       | [Integration Guide](./docs/frameworks.md#django)     |
-| [Falcon](https://falconframework.org)         | [Integration Guide](./docs/frameworks.md#falcon)     |
-| [FastAPI](https://fastapi.tiangolo.com)       | [Integration Guide](./docs/frameworks.md#fastapi)    |
-| [Flask](http://flask.pocoo.org)               | [Integration Guide](./docs/frameworks.md#flask)      |
-| [Masonite](https://docs.masoniteproject.com/) | [Integration Guide](./docs/frameworks.md#masonite)   |
-| [Morepath](https://morepath.readthedocs.io)   | [Integration Guide](./docs/frameworks.md#morepath)   |
-| [Pyramid](https://trypyramid.com)             | [Integration Guide](./docs/frameworks.md#pyramid)    |
-| [Quart](https://pgjones.gitlab.io/quart/)     | [Integration Guide](./docs/frameworks.md#quart)      |
-| [Responder](https://python-responder.org)     | [Integration Guide](./docs/frameworks.md#responder)  |
-| [Sanic](https://sanicframework.org)           | [Integration Guide](./docs/frameworks.md#sanic)      |
-| [Starlette](https://www.starlette.io/)        | [Integration Guide](./docs/frameworks.md#starlette)  |
-| [Tornado](https://www.tornadoweb.org/)        | [Integration Guide](./docs/frameworks.md#tornado)    |
-| [TurboGears](https://turbogears.org/)         | [Integration Guide](./docs/frameworks.md#turbogears) |
+| Framework                                             | Documentation                                        |
+| ----------------------------------------------------- | ---------------------------------------------------- |
+| [aiohttp](https://docs.aiohttp.org)                   | [Integration Guide](./docs/frameworks.md#aiohttp)    |
+| [Bottle](https://bottlepy.org)                        | [Integration Guide](./docs/frameworks.md#bottle)     |
+| [CherryPy](https://cherrypy.dev/)                     | [Integration Guide](./docs/frameworks.md#cherrypy)   |
+| [Django](https://www.djangoproject.com)               | [Integration Guide](./docs/frameworks.md#django)     |
+| [Falcon](https://falconframework.org)                 | [Integration Guide](./docs/frameworks.md#falcon)     |
+| [FastAPI](https://fastapi.tiangolo.com)               | [Integration Guide](./docs/frameworks.md#fastapi)    |
+| [Flask](http://flask.pocoo.org)                       | [Integration Guide](./docs/frameworks.md#flask)      |
+| [Masonite](https://docs.masoniteproject.com/)         | [Integration Guide](./docs/frameworks.md#masonite)   |
+| [Morepath](https://morepath.readthedocs.io)           | [Integration Guide](./docs/frameworks.md#morepath)   |
+| [Pyramid](https://trypyramid.com)                     | [Integration Guide](./docs/frameworks.md#pyramid)    |
+| [Quart](https://quart.palletsprojects.com/en/latest/) | [Integration Guide](./docs/frameworks.md#quart)      |
+| [Responder](https://responder.kennethreitz.org/)      | [Integration Guide](./docs/frameworks.md#responder)  |
+| [Sanic](https://sanicframework.org)                   | [Integration Guide](./docs/frameworks.md#sanic)      |
+| [Starlette](https://www.starlette.io/)                | [Integration Guide](./docs/frameworks.md#starlette)  |
+| [Tornado](https://www.tornadoweb.org/)                | [Integration Guide](./docs/frameworks.md#tornado)    |
+| [TurboGears](https://turbogears.org/)                 | [Integration Guide](./docs/frameworks.md#turbogears) |
 
 ---
 
@@ -236,7 +236,7 @@ secure_headers = Secure.with_default_headers()
 @app.middleware("http")
 async def add_security_headers(request, call_next):
     response = await call_next(request)
-    secure_headers.set_headers(response)
+    await secure_headers.set_headers_async(response)
     return response
 
 
diff --git a/docs/README.md b/docs/README.md
@@ -32,22 +32,24 @@ For detailed configuration options, see the [Configuration Guide](./configuratio
 
 Secure Headers is compatible with many popular Python web frameworks. Below are the integration guides for each supported framework, consolidated in the [Frameworks Integration Guide](./frameworks.md):
 
-| Framework                                   | Documentation                                   |
-| ------------------------------------------- | ----------------------------------------------- |
-| [aiohttp](https://docs.aiohttp.org)         | [Integration Guide](./frameworks.md#aiohttp)    |
-| [Bottle](https://bottlepy.org)              | [Integration Guide](./frameworks.md#bottle)     |
-| [Django](https://www.djangoproject.com)     | [Integration Guide](./frameworks.md#django)     |
-| [Falcon](https://falconframework.org)       | [Integration Guide](./frameworks.md#falcon)     |
-| [FastAPI](https://fastapi.tiangolo.com)     | [Integration Guide](./frameworks.md#fastapi)    |
-| [Flask](https://flask.palletsprojects.com/) | [Integration Guide](./frameworks.md#flask)      |
-| [Pyramid](https://trypyramid.com)           | [Integration Guide](./frameworks.md#pyramid)    |
-| [Quart](https://pgjones.gitlab.io/quart/)   | [Integration Guide](./frameworks.md#quart)      |
-| [Sanic](https://sanicframework.org)         | [Integration Guide](./frameworks.md#sanic)      |
-| [Starlette](https://www.starlette.io/)      | [Integration Guide](./frameworks.md#starlette)  |
-| [Tornado](https://www.tornadoweb.org/)      | [Integration Guide](./frameworks.md#tornado)    |
-| [TurboGears](https://turbogears.org/)       | [Integration Guide](./frameworks.md#turbogears) |
-| [Web2py](http://www.web2py.com/)            | [Integration Guide](./frameworks.md#web2py)     |
-| [Morepath](https://morepath.readthedocs.io) | [Integration Guide](./frameworks.md#morepath)   |
+| Framework                                             | Documentation                                   |
+| ----------------------------------------------------- | ----------------------------------------------- |
+| [aiohttp](https://docs.aiohttp.org)                   | [Integration Guide](./frameworks.md#aiohttp)    |
+| [Bottle](https://bottlepy.org)                        | [Integration Guide](./frameworks.md#bottle)     |
+| [CherryPy](https://cherrypy.dev/)                     | [Integration Guide](./frameworks.md#cherrypy)   |
+| [Django](https://www.djangoproject.com)               | [Integration Guide](./frameworks.md#django)     |
+| [Falcon](https://falconframework.org)                 | [Integration Guide](./frameworks.md#falcon)     |
+| [FastAPI](https://fastapi.tiangolo.com)               | [Integration Guide](./frameworks.md#fastapi)    |
+| [Flask](http://flask.pocoo.org)                       | [Integration Guide](./frameworks.md#flask)      |
+| [Masonite](https://docs.masoniteproject.com/)         | [Integration Guide](./frameworks.md#masonite)   |
+| [Morepath](https://morepath.readthedocs.io)           | [Integration Guide](./frameworks.md#morepath)   |
+| [Pyramid](https://trypyramid.com)                     | [Integration Guide](./frameworks.md#pyramid)    |
+| [Quart](https://quart.palletsprojects.com/en/latest/) | [Integration Guide](./frameworks.md#quart)      |
+| [Responder](https://responder.kennethreitz.org/)      | [Integration Guide](./frameworks.md#responder)  |
+| [Sanic](https://sanicframework.org)                   | [Integration Guide](./frameworks.md#sanic)      |
+| [Starlette](https://www.starlette.io/)                | [Integration Guide](./frameworks.md#starlette)  |
+| [Tornado](https://www.tornadoweb.org/)                | [Integration Guide](./frameworks.md#tornado)    |
+| [TurboGears](https://turbogears.org/)                 | [Integration Guide](./frameworks.md#turbogears) |
 
 If your framework is not listed here, Secure Headers can likely still be integrated. Refer to the [Custom Framework Integration Guide](./frameworks.md#custom-frameworks) for general integration tips.
 
@@ -100,9 +102,6 @@ Secure Headers supports many critical HTTP security headers. Below is a list of
 - [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)  
   Learn about security best practices for HTTP headers from OWASP.
 
-- [Hardenize - HTTP Security Headers](https://www.hardenize.com/blog/https-security-headers)  
-  A guide on the importance of HTTP security headers and how to use them effectively.
-
 - [Mozilla Observatory](https://observatory.mozilla.org/)  
   A security tool to check the implementation of security headers on your site.
 
diff --git a/docs/frameworks.md b/docs/frameworks.md
@@ -6,13 +6,16 @@
 
 - [aiohttp](#aiohttp)
 - [Bottle](#bottle)
+- [CherryPy](#cherrypy)
 - [Django](#django)
 - [Falcon](#falcon)
 - [FastAPI](#fastapi)
 - [Flask](#flask)
+- [Masonite](#masonite)
 - [Morepath](#morepath)
 - [Pyramid](#pyramid)
 - [Quart](#quart)
+- [Responder](#responder)
 - [Sanic](#sanic)
 - [Starlette](#starlette)
 - [Tornado](#tornado)
@@ -41,7 +44,7 @@ async def handle(request):
 @web.middleware
 async def add_security_headers(request, handler):
     response = await handler(request)
-    secure_headers.set_headers(response)
+    await secure_headers.set_headers_async(response)
     return response
 
 
@@ -82,6 +85,32 @@ run(app, host="localhost", port=8080)
 
 ---
 
+## CherryPy
+
+**[CherryPy](https://cherrypy.dev)** is a minimalist, object-oriented web framework that allows developers to build web applications in a way similar to building other Python applications.
+
+```python
+import cherrypy
+
+from secure import Secure
+
+secure_headers = Secure.with_default_headers()
+
+
+class HelloWorld:
+    @cherrypy.expose
+    def index(self):
+        response = b"Hello, world"
+        cherrypy.response.headers.update(secure_headers.headers)
+        return response
+
+
+if __name__ == "__main__":
+    cherrypy.quickstart(HelloWorld())
+```
+
+---
+
 ## Django
 
 **[Django](https://www.djangoproject.com)** is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It's widely used and has a rich ecosystem.
@@ -142,7 +171,7 @@ secure_headers = Secure.with_default_headers()
 @app.middleware("http")
 async def add_security_headers(request, call_next):
     response = await call_next(request)
-    secure_headers.set_headers(response)
+    await secure_headers.set_headers_async(response)
     return response
 
 
@@ -177,6 +206,39 @@ def home():
     return "Hello, world"
 
 
+if __name__ == "__main__":
+    app.run()
+```
+
+---
+
+## Masonite
+
+**[Masonite](https://docs.masoniteproject.com/)** is a modern and developer-friendly Python web framework. It is designed for fast development, easy database management, and an MVC architecture.
+
+```python
+from masonite.foundation import Application
+from masonite.request import Request
+from masonite.response import Response
+
+from secure import Secure
+
+app = Application()
+
+# Configure default secure headers
+secure_headers = Secure.with_default_headers()
+
+
+def add_security_headers(response: Response):
+    secure_headers.set_headers(response)
+    return response
+
+
+@app.route("/")
+def home(request: Request, response: Response):
+    return add_security_headers(response.view("Hello, world"))
+
+
 if __name__ == "__main__":
     app.run()
 ```
@@ -253,7 +315,7 @@ if __name__ == "__main__":
 
 ## Quart
 
-**[Quart](https://pgjones.gitlab.io/quart/)** is an async Python web framework and is a drop-in replacement for Flask, offering the same API but with async capabilities.
+**[Quart](https://quart.palletsprojects.com/en/latest/)** is an async Python web framework and is a drop-in replacement for Flask, offering the same API but with async capabilities.
 
 ```python
 from quart import Quart, Response
@@ -266,7 +328,7 @@ secure_headers = Secure.with_default_headers()
 
 @app.after_request
 async def add_security_headers(response: Response):
-    secure_headers.set_headers(response)
+    await secure_headers.set_headers_async(response)
     return response
 
 
@@ -280,6 +342,31 @@ app.run()
 
 ---
 
+## Responder
+
+**[Responder](https://responder.kennethreitz.org)** is a web framework for quickly building APIs. It combines speed and developer-friendly features with the power of Starlette and ASGI.
+
+```python
+import responder
+
+from secure import Secure
+
+api = responder.API()
+secure_headers = Secure.with_default_headers()
+
+
+@api.route("/")
+async def home(req, resp):
+    resp.text = "Hello, world"
+    await secure_headers.set_headers_async(resp)
+
+
+if __name__ == "__main__":
+    api.run()
+```
+
+---
+
 ## Sanic
 
 **[Sanic](https://sanicframework.org)** is a Python 3.7+ web server and web framework that's written to go fast. It allows for the handling of asynchronous requests.
@@ -330,7 +417,7 @@ async def homepage(request):
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):
     async def dispatch(self, request, call_next):
         response = await call_next(request)
-        secure_headers.set_headers(response)
+        await secure_headers.set_headers_async(response)
         return response
 
 
diff --git a/docs/headers/content_security_policy.md b/docs/headers/content_security_policy.md
@@ -54,6 +54,110 @@ This can then be applied as part of your Secure headers configuration.
 secure_headers = Secure(csp=csp)
 ```
 
+## Using Nonce and `strict-dynamic` in Content-Security-Policy
+
+Content Security Policy (CSP) allows you to enhance the security of your web application by specifying the allowed sources of content. Using a nonce with the `strict-dynamic` directive improves protection against Cross-Site Scripting (XSS) attacks by dynamically allowing only scripts that are explicitly marked with a nonce. This is especially useful when you want to allow some inline scripts while ensuring only those scripts and their dynamically loaded dependencies are executed.
+
+### Example: Using Nonce with `strict-dynamic`
+
+Here’s how to set a CSP with a nonce and `strict-dynamic` using `secure.py`:
+
+```python
+import uuid
+
+from flask import Flask, Response
+
+from secure import ContentSecurityPolicy, Secure
+
+app = Flask(__name__)
+
+
+def generate_nonce():
+    # Create a unique nonce for each request
+    return uuid.uuid4().hex
+
+
+secure_headers = Secure(
+    csp=ContentSecurityPolicy()
+    .default_src("'self'")
+    .script_src(ContentSecurityPolicy().nonce(generate_nonce()), "'strict-dynamic'")
+    .style_src("'self'")
+    .object_src("'none'")
+)
+
+
+@app.after_request
+def add_security_headers(response: Response):
+    # Apply the security headers with a new nonce for each response
+    nonce = generate_nonce()
+    secure_headers.set_headers(response)
+    # Ensure the nonce is passed in the CSP for inline scripts
+    response.headers["Content-Security-Policy"] = response.headers[
+        "Content-Security-Policy"
+    ].replace("'nonce-'", f"'nonce-{nonce}'")
+    return response
+
+
+@app.route("/")
+def home():
+    # Example HTML with an inline script using the nonce
+    nonce = generate_nonce()
+    html = f"""
+    <html>
+    <head>
+      <title>Secure.py with CSP</title>
+      <script nonce='{nonce}'>
+        console.log('This script is allowed because it has a nonce!');
+      </script>
+    </head>
+    <body>
+      Hello, world!
+    </body>
+    </html>
+    """
+    return Response(html, content_type="text/html")
+
+
+if __name__ == "__main__":
+    app.run()
+```
+
+### Example Output Headers
+
+This example sets the following HTTP headers on the response:
+
+```http
+Content-Security-Policy: default-src 'self'; script-src 'nonce-<generated-nonce>' 'strict-dynamic'; style-src 'self'; object-src 'none'
+```
+
+```html
+<html>
+  <head>
+    <title>Secure.py with CSP</title>
+    <script nonce="<generated-nonce>">
+      console.log("This script is allowed because it has a nonce!");
+    </script>
+  </head>
+  <body>
+    Hello, world!
+  </body>
+</html>
+```
+
+- **`default-src 'self'`**: Only content from the same origin is allowed by default.
+- **`script-src 'nonce-<generated-nonce>' 'strict-dynamic'`**: Only scripts with the nonce or dynamically loaded by trusted scripts are allowed.
+- **`style-src 'self'`**: Only CSS from the same origin is allowed.
+- **`object-src 'none'`**: The `<object>` element is disabled for additional security.
+
+### Why Use `strict-dynamic`?
+
+The `strict-dynamic` directive allows the CSP to trust dynamically created scripts as long as they are loaded by scripts with a nonce or from a trusted source. This reduces the need to explicitly list external sources in the CSP, improving security by ensuring only scripts with a nonce or trusted dynamic scripts are executed.
+
+For more details on `Content-Security-Policy` and the `nonce` attribute, refer to the following resources:
+
+- [MDN Web Docs: Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+- [OWASP Secure Headers Project: Content-Security-Policy](https://owasp.org/www-project-secure-headers/#content-security-policy)
+
 ## **Attribution**
 
 This library implements security recommendations from trusted sources:
