Security Headers — Aquilia Documentation
Comprehensive guide and documentation for Security Headers in the Aquilia framework. View API reference, examples, and implementation patterns.
MIDDLEWARE / SECURITY Security Middleware Suite Aquilia incorporates a production-grade suite of security middlewares covering Content-Security-Policy (CSP), Cross-Site Request Forgery (CSRF), HTTP Strict Transport Security (HSTS), and Helmet-style security headers. CSPMiddleware & CSPPolicy Content-Security-Policy is built using a fluent builder class, CSPPolicy, which is then registered via CSPMiddleware. It generates secure cryptographically random nonces (secrets.token_urlsafe(16)) per-request and injects them to request.state["csp_nonce"]. from aquilia.middleware_ext import CSPMiddleware, CSPPolicy # 1. Build the policy fluently policy = ( CSPPolicy() .default_src("'self'") .script_src("'self'", "'nonce- '", "https://cdn.jsdelivr.net") .style_src("'self'", "'unsafe-inline'") .img_src("'self'", "data:", "https:") ) # 2. Wire into middleware server.middleware(CSPMiddleware(policy=policy, report_only=False)) CSRFMiddleware Defends against Cross-Site Request Forgery. It implements the primary Synchronizer Token Pattern using server-side sessions, falling back to a signed Double Submit Cookie fallback when sessions are disabled. It enforces constant-time string comparisons (secrets.compare_digest) to block timing attack vectors. from aquilia.middleware_ext import CSRFMiddleware server.middleware( CSRFMiddleware( secret_key="my-secure-hmac-key", # Required for cookie fallback integrity cookie_name="_csrf_cookie", header_name="X-CSRF-Token", cookie_secure=True, cookie_httponly=False, # Set False to let JS read it for AJAX exempt_paths=["/api/v1/webhooks"] # Exempt endpoints like Stripe webhook paths ) ) SecurityHeadersMiddleware & HSTS A Helmet-style catch-all security header middleware. It applies standard production defaults to outgoing responses: - X-Content-Type-Options: nosniff (prevents MIME sniffing) - X-Frame-Options: DENY (defends against Clickjacking) - X-XSS-Protection: 1; mode=block (legacy XSS filtering) - Strict-Transport-Security: max-age=31536000 (forces HTTPS connections) from aquilia.middleware_ext import SecurityHeadersMiddleware server.middleware( SecurityHeadersMiddleware( x_content_type_options="nosniff", x_frame_options="DENY", referrer_policy="strict-origin-when-cross-origin" ) ) Rate Limiting Request Scope )
Go to Homepage