
Security News
npm Adopts OIDC for Trusted Publishing in CI/CD Workflows
npm now supports Trusted Publishing with OIDC, enabling secure package publishing directly from CI/CD workflows without relying on long-lived tokens.
Helmet-like HTTP response headers for FastAPI.
This is alpha software lacking testing and proper documentation. Use at your own risk!
Install the package via pip install bacinet.
In your code, import apply from the package and add it as a middleware to your app:
from bacinet import apply
from fastapi import FastAPI, Request

app = FastAPI()

@app.middleware("http")
async def add_bacinet(request: Request, call_next):
    # Let the route produce its response first, then set/remove the
    # security headers on the outgoing response's header map.
    response = await call_next(request)
    apply(response.headers)
    return response
Alternatively, you can use an ASGI-conformant middleware:
from bacinet import BacinetMiddleware
from fastapi import FastAPI

app = FastAPI()
app.add_middleware(BacinetMiddleware)
To change the default options, import and change the options dictionary from bacinet:
from bacinet import options
options["X-DNS-Prefetch-Control"] = "on"
You can also import individual header functions (like x_download_options) and call them from your own applicator function, which can be passed to BacinetMiddleware's constructor instead of the default one.
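The two integration styles above (a call_next middleware that edits the finished response, and an ASGI middleware) and the custom-applicator hook are easiest to understand from a self-contained version of the mechanism. The block below is an added example, not bacinet's code: it depends only on the standard library so it runs without FastAPI, and the names SecurityHeadersMiddleware, apply_headers, hello_app and response_headers, as well as the DEFAULT_OPTIONS dictionary (copied from the table in this README rather than imported from bacinet), are assumptions made for the example. It shows what an ASGI header middleware actually does: intercept the http.response.start message, strip the headers it manages, and append its own, so that headers the application set (here X-Frame-Options: SAMEORIGIN and X-Powered-By) are overridden or removed rather than duplicated.

```python
import asyncio
from typing import Callable, Dict, List, Optional, Tuple

# ASGI carries headers as a list of (name, value) byte pairs.
Headers = List[Tuple[bytes, bytes]]
Applicator = Callable[[Headers], Headers]

# Constructed default set, copied from the table in this README.
# bacinet keeps its own `options` dict; this example does not import it.
DEFAULT_OPTIONS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-DNS-Prefetch-Control": "off",
    "Referrer-Policy": "no-referrer",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
}
# Headers the middleware strips rather than sets.
REMOVE_HEADERS = {"x-powered-by"}


def apply_headers(headers: Headers, options: Dict[str, str] = DEFAULT_OPTIONS,
                  remove=REMOVE_HEADERS) -> Headers:
    """Return a new header list: drop stripped/overridden names, then append options."""
    managed = {n.lower() for n in options} | {n.lower() for n in remove}
    kept = [(k, v) for k, v in headers if k.decode("latin-1").lower() not in managed]
    added = [(k.lower().encode("latin-1"), v.encode("latin-1")) for k, v in options.items()]
    return kept + added


class SecurityHeadersMiddleware:
    """Pure-ASGI middleware: rewrites headers on the http.response.start message."""

    def __init__(self, app, applicator: Optional[Applicator] = None):
        self.app = app
        self.applicator = applicator or apply_headers

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":          # leave websocket/lifespan untouched
            await self.app(scope, receive, send)
            return

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                message = dict(message)      # do not mutate the app's own message
                message["headers"] = self.applicator(list(message.get("headers", [])))
            await send(message)

        await self.app(scope, receive, send_wrapper)


async def hello_app(scope, receive, send):
    """Constructed inner app: sets two headers the middleware should override/strip."""
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [
            (b"content-type", b"text/plain"),
            (b"x-powered-by", b"demo-framework"),
            (b"x-frame-options", b"SAMEORIGIN"),
        ],
    })
    await send({"type": "http.response.body", "body": b"hello"})


def response_headers(app=None, path: str = "/") -> Dict[str, str]:
    """Drive `app` with a minimal in-process ASGI request and return its response headers."""
    app = app or SecurityHeadersMiddleware(hello_app)
    sent: list = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path, "headers": [], "query_string": b""}
    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in start["headers"]}


if __name__ == "__main__":
    for name, value in response_headers().items():
        print(f"{name}: {value}")
```

A custom applicator is just another function with the same signature, for example `SecurityHeadersMiddleware(hello_app, applicator=lambda h: apply_headers(h, {"X-Frame-Options": "SAMEORIGIN"}))`, which is the shape the README describes for bacinet's constructor argument. Note that the header names are lowercased on the way out; ASGI servers require that, and HTTP header names are case-insensitive anyway.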
In its default configuration, the following headers are set or removed by the middleware:
Header | Default | Description |
---|---|---|
Origin-Agent-Cluster | ?1 | Requests an origin-keyed agent cluster so the document is isolated from same-site, cross-origin pages (https://github.com/WICG/origin-agent-cluster) |
X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
X-XSS-Protection | 1 | Enables the legacy browser XSS auditor (see note below) |
X-Powered-By | removed | Removed to hinder server fingerprinting |
X-Download-Options | noopen | Prevents automatic opening of downloads in legacy Internet Explorer |
X-DNS-Prefetch-Control | off | Disables DNS prefetching of links |
Cross-Origin-Resource-Policy | same-origin | Blocks cross-origin no-cors reads of the resource |
X-Frame-Options | DENY | Denies embedding in other sites (see note below) |
Cross-Origin-Opener-Policy | same-origin | Denies sharing a browsing context group with cross-origin documents |
X-Permitted-Cross-Domain-Policies | none | Forbids Adobe Flash and Acrobat clients from loading cross-domain policy files |
Cross-Origin-Embedder-Policy | require-corp | Requires cross-origin subresources to opt in via CORP or CORS (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) |
Referrer-Policy | no-referrer | Never sends the Referer header |
Content-Security-Policy | see below | Restricts where resources may be loaded from |
Strict-Transport-Security | max-age=15552000; includeSubDomains | Forces HTTPS for 180 days, including subdomains |
Two caveats on these defaults. The X-XSS-Protection auditor has been removed from current Chromium-based browsers and was never implemented in Firefox; Helmet itself now sets the header to 0, because the filter could be abused to create vulnerabilities rather than prevent them. And browsers that support the CSP frame-ancestors directive ignore X-Frame-Options when both are present, so with the CSP below the effective framing policy is frame-ancestors 'self' (same-origin framing allowed), not DENY. Also be aware that Cross-Origin-Embedder-Policy: require-corp blocks any cross-origin image, script or frame that does not send a CORP header or CORS headers, which breaks pages embedding third-party content.
The following content security policy directives are applied in the default setting:
default-src 'self'
base-uri 'self'
font-src 'self' https: data:
form-action 'self'
frame-ancestors 'self'
img-src 'self' data:
object-src 'none'
script-src 'self'
script-src-attr 'none'
style-src 'self' https: 'unsafe-inline'
upgrade-insecure-requests
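Whether a header set like the one above is actually sound is easy to check mechanically. The block below is an added example, not part of bacinet: it parses a Content-Security-Policy value into directives, then audits a response header map for the pitfalls a reviewer would look for (script sources that allow inline or any-https code, a missing object-src or base-uri, an X-Frame-Options DENY that a frame-ancestors directive overrides, a legacy X-XSS-Protection value, and a Strict-Transport-Security header without a valid max-age). The functions parse_csp, serialize_csp and audit_headers, the audit rules, and the two constructed header sets README_DEFAULTS (mirroring the table in this README) and WEAK_HEADERS are all assumptions made for the example.

```python
import re
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: join directives back into one header value."""
    return "; ".join(" ".join([name, *values]) for name, values in directives.items())


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no known pitfall was detected."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when absent.
    script = csp.get("script-src", csp.get("default-src"))
    if script is None:
        findings.append("csp: neither script-src nor default-src set")
    else:
        for src in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
            if src in script:
                findings.append(f"csp: script-src allows {src}")
    if "object-src" not in csp and csp.get("default-src") != ["'none'"]:
        findings.append("csp: object-src not restricted (plugins can load)")
    if "base-uri" not in csp:
        findings.append("csp: base-uri missing (base tag injection can redirect relative URLs)")

    # CSP-aware browsers apply frame-ancestors and ignore X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = csp.get("frame-ancestors")
    if xfo == "DENY" and ancestors and ancestors != ["'none'"]:
        findings.append("framing: frame-ancestors %s overrides X-Frame-Options DENY in CSP-aware browsers"
                        % " ".join(ancestors))

    xss = h.get("x-xss-protection")
    if xss is not None and not xss.strip().startswith("0"):
        findings.append("x-xss-protection: legacy auditor enabled; set to 0 or omit the header")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("hsts: max-age directive missing or malformed")
        elif int(m.group(1)) < 15552000:
            findings.append("hsts: max-age shorter than 180 days")
    return findings


# Constructed header set mirroring this README's default table.
README_DEFAULTS = {
    "Content-Security-Policy": serialize_csp({
        "default-src": ["'self'"], "base-uri": ["'self'"],
        "font-src": ["'self'", "https:", "data:"], "form-action": ["'self'"],
        "frame-ancestors": ["'self'"], "img-src": ["'self'", "data:"],
        "object-src": ["'none'"], "script-src": ["'self'"],
        "script-src-attr": ["'none'"],
        "style-src": ["'self'", "https:", "'unsafe-inline'"],
        "upgrade-insecure-requests": [],
    }),
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

# A deliberately weakened variant for comparison (constructed): inline and any-https
# scripts allowed, no base-uri/object-src, and a non-standard "maxAge" spelling.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "Strict-Transport-Security": "maxAge=15552000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("README defaults", README_DEFAULTS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Run against the README defaults the audit reports only the two caveats noted above (the frame-ancestors/X-Frame-Options overlap and the X-XSS-Protection value); the weakened set trips the script-src, base-uri, object-src and HSTS checks. The HSTS check deliberately rejects "maxAge": RFC 6797 spells the directive max-age, and browsers ignore an HSTS header whose max-age directive they cannot parse.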