apifrom.security.csp
====================

Content Security Policy (CSP) middleware for APIFromAnything.

This module provides middleware for adding Content Security Policy headers to
API responses.

.. py:currentmodule:: apifrom.security.csp

Overview
--------

**Classes**

* :py:class:`BaseMiddleware`
* :py:class:`CSPBuilder`
* :py:class:`CSPDirective`
* :py:class:`CSPMiddleware`
* :py:class:`CSPNonce`
* :py:class:`CSPPolicy`
* :py:class:`CSPSource`
* :py:class:`CSPViolationReporter`
* :py:class:`Request`
* :py:class:`Response`

Classes
-------

.. py:class:: BaseMiddleware(**options)

   Bases: :py:class:`abc.ABC`

   Base middleware class for APIFromAnything.

   This abstract class defines the interface for middleware components.
   Middleware components can process both requests and responses.

   .. attribute:: options

      Options for the middleware.

      :type: dict

   Initialize a new BaseMiddleware instance.

   :param \*\*options: Options for the middleware.

.. py:class:: CSPBuilder

   Helper class for building ready-made CSP policies.

   .. method:: create_api_policy()
      :staticmethod:

      Create a CSP policy suitable for APIs.

      :returns: A CSP policy for APIs

   .. method:: create_report_only_policy(report_uri)
      :staticmethod:

      Create a report-only CSP policy. The browser reports violations to
      ``report_uri`` but does not enforce the policy, which makes this the
      mode to deploy first when introducing CSP to an existing application.

      :param report_uri: The URI to send violation reports to
      :returns: A report-only CSP policy

   .. method:: create_strict_policy()
      :staticmethod:

      Create a strict CSP policy.

      :returns: A strict CSP policy

   .. method:: create_web_policy()
      :staticmethod:

      Create a CSP policy suitable for web applications.

      :returns: A CSP policy for web applications

.. py:class:: CSPDirective

   Content Security Policy directive constants.

   .. attribute:: BASE_URI

   .. attribute:: BLOCK_ALL_MIXED_CONTENT

   .. attribute:: CONNECT_SRC

   .. attribute:: DEFAULT_SRC

   .. attribute:: FONT_SRC

   .. attribute:: FORM_ACTION

   .. attribute:: FRAME_ANCESTORS

   .. attribute:: FRAME_SRC

   .. attribute:: IMG_SRC

   .. attribute:: MANIFEST_SRC

   .. attribute:: MEDIA_SRC

   .. attribute:: NAVIGATE_TO

   .. attribute:: OBJECT_SRC

   .. attribute:: PREFETCH_SRC

   .. attribute:: REPORT_TO

   .. attribute:: REPORT_URI

   .. attribute:: REQUIRE_TRUSTED_TYPES_FOR

   .. attribute:: SANDBOX

   .. attribute:: SCRIPT_SRC

   .. attribute:: STYLE_SRC
   .. attribute:: TRUSTED_TYPES

   .. attribute:: UPGRADE_INSECURE_REQUESTS

   .. attribute:: WORKER_SRC

   ``REPORT_URI`` is deprecated in favour of ``REPORT_TO`` but remains the
   more widely supported of the two, so policies that need violation reports
   usually send both. ``BLOCK_ALL_MIXED_CONTENT`` is obsolete (browsers now
   upgrade or block mixed content by default; prefer
   ``UPGRADE_INSECURE_REQUESTS``), and ``NAVIGATE_TO`` and ``PREFETCH_SRC``
   have been removed from the CSP Level 3 draft and are ignored by current
   browsers.

.. py:class:: CSPMiddleware(policy=None, exempt_paths=None, exempt_path_regex=None)

   Bases: :py:class:`apifrom.middleware.base.BaseMiddleware`

   Middleware for adding Content Security Policy headers to responses.

   Initialize the CSP middleware.

   :param policy: The CSP policy to apply. If ``None``, the policy returned by
                  :py:meth:`_create_default_policy` is used.
   :param exempt_paths: List of paths to exempt from CSP
   :param exempt_path_regex: Regex pattern for paths to exempt from CSP. Keep
                             the pattern anchored (for example
                             ``^/docs(/|$)``) so that it cannot match more
                             endpoints than intended; an exempt response
                             carries no CSP header at all.

   .. attribute:: exempt_path_pattern

   .. attribute:: exempt_path_regex

   .. attribute:: exempt_paths

   .. attribute:: policy

   .. method:: _create_default_policy()

      Create a default CSP policy.

      :returns: A default CSP policy

   .. method:: _is_path_exempt(path)

      Check if a path is exempt from CSP.

      :param path: The request path
      :returns: True if the path is exempt, False otherwise

   .. method:: process_request(request)
      :async:

      Process the request.

      :param request: The request object
      :returns: The processed request

   .. method:: process_response(response)
      :async:

      Process the response and add CSP headers.

      :param response: The response object
      :returns: The response with CSP headers

.. py:class:: CSPNonce

   Content Security Policy nonce generator.

   .. method:: generate()
      :staticmethod:

      Generate a random nonce for CSP. A nonce must be unpredictable and
      generated freshly for every response; the same value goes into the
      ``'nonce-...'`` source expression of the policy and into the ``nonce``
      attribute of each inline ``<script>`` that is allowed to run.

      :returns: A random nonce string

.. py:class:: CSPPolicy(report_only=False)

   Content Security Policy builder.

   Initialize the CSP policy.

   :param report_only: Whether to use the report-only mode

   .. attribute:: directives
      :annotation: Dict[str, Set[str]]

   .. attribute:: report_only

   .. attribute:: reporter
      :annotation: Optional[CSPViolationReporter]

   .. method:: add_base_uri(source)

      Add base-uri directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_block_all_mixed_content()

      Add block-all-mixed-content directive.

      :returns: The CSP policy instance for chaining

   .. method:: add_connect_src(source)

      Add connect-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining
   .. method:: add_default_src(source)

      Add default-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_directive(directive, source)

      Add a directive to the policy. The ``add_*`` methods of this class are
      shorthands for this method with the directive name fixed.

      :param directive: The directive name
      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_font_src(source)

      Add font-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_form_action(source)

      Add form-action directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_frame_ancestors(source)

      Add frame-ancestors directive. This is the CSP replacement for
      ``X-Frame-Options`` and controls which origins may embed the response
      in a frame.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_frame_src(source)

      Add frame-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_img_src(source)

      Add img-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_manifest_src(source)

      Add manifest-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_media_src(source)

      Add media-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_navigate_to(source)

      Add navigate-to directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_object_src(source)

      Add object-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_prefetch_src(source)

      Add prefetch-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_require_trusted_types_for(value='script')

      Add require-trusted-types-for directive.

      :param value: The value for the directive
      :returns: The CSP policy instance for chaining
   .. method:: add_sandbox(value)

      Add sandbox directive.

      :param value: The sandbox value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_script_src(source)

      Add script-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_style_src(source)

      Add style-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_trusted_types(value)

      Add trusted-types directive.

      :param value: The trusted types value(s)
      :returns: The CSP policy instance for chaining

   .. method:: add_upgrade_insecure_requests()

      Add upgrade-insecure-requests directive.

      :returns: The CSP policy instance for chaining

   .. method:: add_worker_src(source)

      Add worker-src directive.

      :param source: The source value(s)
      :returns: The CSP policy instance for chaining

   .. method:: get_header_name()

      Get the appropriate header name based on the policy mode:
      ``Content-Security-Policy``, or ``Content-Security-Policy-Report-Only``
      when ``report_only`` is set.

      :returns: The CSP header name

   .. method:: set_reporter(reporter)

      Set the violation reporter (see :py:class:`CSPViolationReporter`).

      :param reporter: The violation reporter
      :returns: The CSP policy instance for chaining

   .. method:: to_header()

      Convert the policy to a header value.

      :returns: The CSP header value

   .. method:: to_header_value()

      Convert the policy to a header value. This is an alias for
      :py:meth:`to_header` kept for backward compatibility.

      :returns: The CSP header value

.. py:class:: CSPSource

   Content Security Policy source constants.

   .. attribute:: BLOB

   .. attribute:: DATA

   .. attribute:: FILESYSTEM

   .. attribute:: HTTPS

   .. attribute:: MEDIASTREAM

   .. attribute:: NONE

   .. attribute:: REPORT_SAMPLE

   .. attribute:: SELF

   .. attribute:: STRICT_DYNAMIC

   .. attribute:: UNSAFE_EVAL

   .. attribute:: UNSAFE_HASHES

   .. attribute:: UNSAFE_INLINE

   .. attribute:: WS

   .. attribute:: WSS

   ``UNSAFE_INLINE`` and ``UNSAFE_EVAL`` re-enable the inline-script and
   ``eval`` execution that CSP exists to block; a ``script-src`` that
   contains them provides little protection against XSS. Browsers ignore
   ``'unsafe-inline'`` in ``script-src`` whenever a nonce or hash source is
   also present, so a nonce-based policy should not rely on it.

.. py:class:: CSPViolationReporter(report_uri=None, report_to=None, callback=None)

   Content Security Policy violation reporter.

   Initialize the CSP violation reporter.
   :param report_uri: The URI to send violation reports to
   :param report_to: The reporting group to send violation reports to
   :param callback: A callback function to handle violation reports

   .. attribute:: callback

   .. attribute:: report_to

   .. attribute:: report_uri

   .. method:: get_directives()

      Get the reporting directives.

      :returns: A dictionary of reporting directives

   .. method:: handle_report(report)
      :async:

      Handle a CSP violation report. Reports arrive as untrusted input on an
      endpoint that browsers must be able to reach without authentication, so
      the handler should validate the payload and rate-limit before logging
      or alerting on it.

      :param report: The violation report

.. py:class:: Request(request=None, path_params=None, method=None, path=None, query_params=None, headers=None, body=None, client_ip=None)

   Request class for APIFromAnything.

   This class wraps a Starlette request and provides methods for accessing
   request data in a convenient way.

   .. attribute:: _request

      The underlying Starlette request.

   .. attribute:: path_params

      Path parameters extracted from the URL.

   .. attribute:: query_params

      Query parameters extracted from the URL.

   .. attribute:: headers

      HTTP headers.

   .. attribute:: method

      HTTP method.

   .. attribute:: path

      Request path.

   .. attribute:: _body

      Cached request body.

   Initialize a new Request instance.

   :param request: The underlying Starlette request.
   :param path_params: Path parameters extracted from the URL.
   :param method: The HTTP method.
   :param path: The request path.
   :param query_params: Query parameters.
   :param headers: HTTP headers.
   :param body: Request body.
   :param client_ip: Client IP address.

.. py:class:: Response(content=None, status_code=200, headers=None, content_type='application/json')

   Response class for APIFromAnything.

   This class represents an HTTP response and provides methods for setting
   response data, status code, and headers.

   .. attribute:: content

      The response content.

   .. attribute:: status_code

      The HTTP status code.

   .. attribute:: headers

      HTTP headers.

   .. attribute:: content_type

      The content type of the response.

   Initialize a new Response instance.

   :param content: The response content.
   :param status_code: The HTTP status code.
   :param headers: HTTP headers.
   :param content_type: The content type of the response.
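Example
-------

The following is an added example for this page, not code from the
APIFromAnything project: a self-contained, independent re-implementation of
the behaviour documented above (a ``CSPPolicy``-like builder with
``get_header_name`` and ``to_header``, a nonce generator, the path exemption
check of the middleware, and parsing of a violation report as
``CSPViolationReporter.handle_report`` would receive it), so the resulting
header values can be inspected without installing ``apifrom``. The names
``Policy``, ``generate_nonce``, ``api_policy``, ``strict_web_policy``,
``is_path_exempt`` and ``parse_violation_report``, the policies they produce,
the use of ``re.search`` for the exemption regex and the sample report are
this example's own assumptions and do not describe what the library's
``CSPBuilder`` or ``CSPMiddleware`` actually emit.

```python
"""Independent illustration of the behaviour documented for apifrom.security.csp.

Example code added to this page, not the project's implementation: the names
mirror the documented classes, the bodies are this example's own, and it runs
without apifrom installed.
"""
import json
import re
import secrets
from typing import Dict, Iterable, List, Optional, Set, Union


class Policy:
    """Minimal counterpart of CSPPolicy: each directive maps to a set of sources."""

    def __init__(self, report_only: bool = False) -> None:
        self.report_only = report_only
        self.directives: Dict[str, Set[str]] = {}
        self._order: List[str] = []  # insertion order, so the header renders stably

    def add_directive(self, directive: str,
                      source: Union[str, Iterable[str]] = ()) -> "Policy":
        values = [source] if isinstance(source, str) else list(source)
        if directive not in self.directives:
            self.directives[directive] = set()
            self._order.append(directive)
        self.directives[directive].update(values)
        return self  # chaining, as the documented add_* methods do

    def get_header_name(self) -> str:
        # A report-only policy is never enforced; the browser only reports.
        return ("Content-Security-Policy-Report-Only" if self.report_only
                else "Content-Security-Policy")

    def to_header(self) -> str:
        parts = []
        for name in self._order:
            values = sorted(self.directives[name])  # sets are unordered
            parts.append(f"{name} {' '.join(values)}" if values else name)
        return "; ".join(parts)


def generate_nonce() -> str:
    """128 random bits from the OS CSPRNG, base64url: valid 'nonce-...' syntax."""
    return secrets.token_urlsafe(16)


def api_policy() -> Policy:
    """Policy for JSON-only endpoints: load nothing, and refuse to be framed."""
    return (Policy()
            .add_directive("default-src", "'none'")
            .add_directive("frame-ancestors", "'none'"))


def strict_web_policy(nonce: str, report_uri: Optional[str] = None) -> Policy:
    """Nonce-based script policy; inline scripts run only with this nonce."""
    policy = (Policy()
              .add_directive("default-src", "'self'")
              .add_directive("script-src", [f"'nonce-{nonce}'", "'strict-dynamic'"])
              .add_directive("object-src", "'none'")
              .add_directive("base-uri", "'none'")
              .add_directive("frame-ancestors", "'none'"))
    if report_uri:
        policy.add_directive("report-uri", report_uri)
    return policy


def is_path_exempt(path: str, exempt_paths: Iterable[str] = (),
                   exempt_path_regex: Optional[str] = None) -> bool:
    """Exact-path list first, then the regex (re.search is this example's choice)."""
    if path in set(exempt_paths):
        return True
    return bool(exempt_path_regex and re.search(exempt_path_regex, path))


def parse_violation_report(body: bytes) -> Dict[str, str]:
    """Pull the fields worth alerting on out of an application/csp-report body."""
    report = json.loads(body).get("csp-report", {})
    keys = ("document-uri", "violated-directive", "blocked-uri", "disposition")
    return {key: str(report.get(key, "")) for key in keys}


# Constructed sample report in the legacy report-uri format (not a real capture).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src",
    "blocked-uri": "https://cdn.evil.example/x.js",
    "disposition": "report",
}}).encode()


if __name__ == "__main__":
    print(api_policy().get_header_name(), "=", api_policy().to_header())
    rollout = strict_web_policy(generate_nonce(), "/csp-report")
    rollout.report_only = True  # report first, switch to enforcing once clean
    print(rollout.get_header_name(), "=", rollout.to_header())
    print(parse_violation_report(SAMPLE_REPORT))
```

Run with ``python``: the API policy renders as ``default-src 'none';
frame-ancestors 'none'``, the web policy is emitted under
``Content-Security-Policy-Report-Only`` until ``report_only`` is cleared, and
the exemption check shows why the regex should be anchored: the pattern
``/docs`` also exempts ``/api/docs`` (which then gets no CSP header at all),
while ``^/docs(/.*)?$`` exempts only the documentation paths.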