apifrom.security.csp

Content Security Policy (CSP) middleware for APIFromAnything.

This module provides middleware for adding Content Security Policy headers to API responses.

Classes

class apifrom.security.csp.BaseMiddleware(**options)
Bases: abc.ABC

Base middleware class for APIFromAnything.

This abstract class defines the interface for middleware components. Middleware components can process requests and responses.

options
    Options for the middleware.
    Type: dict

Initialize a new BaseMiddleware instance.
Parameters:
  • **options: Options for the middleware.

class apifrom.security.csp.CSPBuilder

Helper class for building CSP policies.

static CSPBuilder.create_api_policy()
    Create a CSP policy suitable for APIs.
    Returns: A CSP policy for APIs

static CSPBuilder.create_report_only_policy(report_uri)
    Create a report-only CSP policy.
    Parameters:
      • report_uri: The URI to send violation reports to
    Returns: A report-only CSP policy

static CSPBuilder.create_strict_policy()
    Create a strict CSP policy.
    Returns: A strict CSP policy

static CSPBuilder.create_web_policy()
    Create a CSP policy suitable for web applications.
    Returns: A CSP policy for web applications

class apifrom.security.csp.CSPDirective

Content Security Policy directive constants.

class apifrom.security.csp.CSPMiddleware(policy=None, exempt_paths=None, exempt_path_regex=None)
Bases: apifrom.middleware.base.BaseMiddleware

Middleware for adding Content Security Policy headers to responses.

Initialize the CSP middleware.
Parameters:
  • policy: The CSP policy to apply
  • exempt_paths: List of paths to exempt from CSP
  • exempt_path_regex: Regex pattern for paths to exempt from CSP

CSPMiddleware._create_default_policy()
    Create a default CSP policy.
    Returns: A default CSP policy

CSPMiddleware._is_path_exempt(path)
    Check if a path is exempt from CSP.
    Parameters:
      • path: The request path
    Returns: True if the path is exempt, False otherwise

async CSPMiddleware.process_request(request)
    Process the request.
    Parameters:
      • request: The request object
    Returns: The processed request

async CSPMiddleware.process_response(response)
    Process the response and add CSP headers.
    Parameters:
      • response: The response object
    Returns: The response with CSP headers

class apifrom.security.csp.CSPNonce

Content Security Policy nonce generator.

static CSPNonce.generate()
    Generate a random nonce for CSP.
    Returns: A random nonce string

class apifrom.security.csp.CSPPolicy(report_only=False)
Parameters:
  • report_only (bool)

Content Security Policy builder.

Initialize the CSP policy.
Parameters:
  • report_only: Whether to use the report-only mode

Directive methods

Each of the following methods adds the named directive to the policy. They all take one parameter, source (the source value(s)), and return the CSP policy instance for chaining.

  • CSPPolicy.add_base_uri(source): Add base-uri directive.
  • CSPPolicy.add_connect_src(source): Add connect-src directive.
  • CSPPolicy.add_default_src(source): Add default-src directive.
  • CSPPolicy.add_font_src(source): Add font-src directive.
  • CSPPolicy.add_form_action(source): Add form-action directive.
  • CSPPolicy.add_frame_ancestors(source): Add frame-ancestors directive.
  • CSPPolicy.add_frame_src(source): Add frame-src directive.
  • CSPPolicy.add_img_src(source): Add img-src directive.
  • CSPPolicy.add_manifest_src(source): Add manifest-src directive.
  • CSPPolicy.add_media_src(source): Add media-src directive.
  • CSPPolicy.add_navigate_to(source): Add navigate-to directive.
  • CSPPolicy.add_object_src(source): Add object-src directive.
  • CSPPolicy.add_prefetch_src(source): Add prefetch-src directive.
  • CSPPolicy.add_script_src(source): Add script-src directive.
  • CSPPolicy.add_style_src(source): Add style-src directive.
  • CSPPolicy.add_worker_src(source): Add worker-src directive.

CSPPolicy.add_block_all_mixed_content()
    Add block-all-mixed-content directive.
    Returns: The CSP policy instance for chaining

CSPPolicy.add_directive(directive, source)
    Add a directive to the policy.
    Parameters:
      • directive: The directive name
      • source: The source value(s)
    Returns: The CSP policy instance for chaining

CSPPolicy.add_require_trusted_types_for(value='script')
    Add require-trusted-types-for directive.
    Parameters:
      • value: The value for the directive
    Returns: The CSP policy instance for chaining

CSPPolicy.add_sandbox(value)
    Add sandbox directive.
    Parameters:
      • value: The sandbox value(s)
    Returns: The CSP policy instance for chaining

CSPPolicy.add_trusted_types(value)
    Add trusted-types directive.
    Parameters:
      • value: The trusted types value(s)
    Returns: The CSP policy instance for chaining

CSPPolicy.add_upgrade_insecure_requests()
    Add upgrade-insecure-requests directive.
    Returns: The CSP policy instance for chaining

Other methods

CSPPolicy.get_header_name()
    Get the appropriate header name based on the policy mode.
    Returns: The CSP header name

CSPPolicy.set_reporter(reporter)
    Set the violation reporter.
    Parameters:
      • reporter: The violation reporter
    Returns: The CSP policy instance for chaining

CSPPolicy.to_header()
    Convert the policy to a header value.
    Returns: The CSP header value

CSPPolicy.to_header_value()
    Convert the policy to a header value. This is an alias for to_header() for backward compatibility.
    Returns: The CSP header value

class apifrom.security.csp.CSPSource

Content Security Policy source constants.

class apifrom.security.csp.CSPViolationReporter(report_uri=None, report_to=None, callback=None)
Parameters:
  • report_uri (Optional[str])
  • report_to (Optional[str])
  • callback (Optional[Callable[[Dict[str, Any]], None]])

Content Security Policy violation reporter.

Initialize the CSP violation reporter.
Parameters:
  • report_uri: The URI to send violation reports to
  • report_to: The reporting group to send violation reports to
  • callback: A callback function to handle violation reports

CSPViolationReporter.get_directives()
    Get the reporting directives.
    Returns: A dictionary of reporting directives

async CSPViolationReporter.handle_report(report)
    Handle a CSP violation report.
    Parameters:
      • report: The violation report

class apifrom.security.csp.Request(request=None, path_params=None, method=None, path=None, query_params=None, headers=None, body=None, client_ip=None)
Parameters:
  • request (Optional[starlette.requests.Request])
  • path_params (Optional[dict[Any, Any]])
  • method (Optional[str])
  • path (Optional[str])
  • query_params (Optional[dict[Any, Any]])
  • headers (Optional[dict[Any, Any]])
  • body (Optional[Union[str, bytes]])
  • client_ip (Optional[str])

Request class for APIFromAnything.

This class wraps a Starlette request and provides methods for accessing request data in a convenient way.

Attributes:
  • _request: The underlying Starlette request.
  • path_params: Path parameters extracted from the URL.
  • query_params: Query parameters extracted from the URL.
  • headers: HTTP headers.
  • method: HTTP method.
  • path: Request path.
  • _body: Cached request body.

Initialize a new Request instance.
Parameters:
  • request: The underlying Starlette request.
  • path_params: Path parameters extracted from the URL.
  • method: The HTTP method.
  • path: The request path.
  • query_params: Query parameters.
  • headers: HTTP headers.
  • body: Request body.
  • client_ip: Client IP address.

class apifrom.security.csp.Response(content=None, status_code=200, headers=None, content_type='application/json')
Parameters:
  • content (Any)
  • status_code (int)
  • headers (Optional[Dict[str, str]])
  • content_type (str)

Response class for APIFromAnything.

This class represents an HTTP response and provides methods for setting response data, status code, and headers.

Attributes:
  • content: The response content.
  • status_code: The HTTP status code.
  • headers: HTTP headers.
  • content_type: The content type of the response.

Initialize a new Response instance.
Parameters:
  • content: The response content.
  • status_code: The HTTP status code.
  • headers: HTTP headers.
  • content_type: The content type of the response.