Secure your FastAPI apps with a single line of code 🛡️
fastapi-armor is a security middleware that sets modern HTTP security headers for every response. It provides presets for common configurations (strict, relaxed, none) and allows overrides for full customization.
Install via pip:
pip install fastapi-armor
Here’s how to use ArmorMiddleware in a FastAPI application:
from fastapi import FastAPI
from fastapi_armor.middleware import ArmorMiddleware
app = FastAPI()
app.add_middleware(
ArmorMiddleware,
preset="strict", # apply secure default set
permissions_policy="geolocation=(), microphone=()" # optionally override specific header
)
@app.get("/")
async def read_root():
return {"message": "FastAPI with Armor Middleware is running!"}
To run this FastAPI app locally using uvicorn, first install the required packages:
pip install fastapi uvicorn
Then start the app:
uvicorn example.main:app --reload
Visit your app at http://127.0.0.1:8000
You can inspect the HTTP headers in the browser or via curl:
curl -I http://127.0.0.1:8000
You can use built-in presets to quickly apply a set of secure headers. These presets are designed for different use cases:
| Preset | Description |
|---|---|
strict | Applies all recommended security headers with strict values for maximum protection. |
relaxed | Applies a lighter set of headers suitable for more flexible or development environments. |
none | Disables all headers. Useful for debugging or local development where security is not a concern. |
You can also override any individual header even when using a preset:
app.add_middleware(
ArmorMiddleware,
preset="strict",
permissions_policy="geolocation=(), microphone=()"
)
This table shows how to customize headers in the middleware by mapping FastAPI-Armor's parameter names to actual HTTP header fields:
| Middleware Parameter | Header Set | Example Value |
|---|---|---|
content_security_policy | Content-Security-Policy | "default-src 'self'; img-src *;" |
frame_options | X-Frame-Options | "DENY" or "SAMEORIGIN" |
hsts | Strict-Transport-Security | "max-age=63072000; includeSubDomains; preload" |
x_content_type_options | X-Content-Type-Options | "nosniff" |
referrer_policy | Referrer-Policy | "no-referrer" or "strict-origin" |
permissions_policy | Permissions-Policy | "geolocation=(), microphone=()" |
dns_prefetch_control | X-DNS-Prefetch-Control | "off" or "on" |
expect_ct | Expect-CT | "max-age=86400, enforce" |
origin_agent_cluster | Origin-Agent-Cluster | "?1" or "?0" |
cross_origin_embedder_policy | Cross-Origin-Embedder-Policy | "require-corp" |
cross_origin_opener_policy | Cross-Origin-Opener-Policy | "same-origin" or "unsafe-none" |
cross_origin_resource_policy | Cross-Origin-Resource-Policy | "same-origin", "same-site", or "cross-origin" |
Use these parameter names when configuring the middleware. For example, permissions_policy="geolocation=()" will set the Permissions-Policy HTTP header.
By default or optionally, ArmorMiddleware can apply the following headers:
| Header | Description |
|---|---|
Content-Security-Policy | Mitigates XSS and data injection attacks by specifying allowed content sources. |
X-Frame-Options | Prevents clickjacking by disallowing rendering inside <iframe>. |
Strict-Transport-Security | Forces use of HTTPS for future requests, helping prevent man-in-the-middle attacks. |
X-Content-Type-Options | Disables MIME-type sniffing to avoid content-type confusion. |
Referrer-Policy | Controls the Referer header sent in requests — reduces accidental info leakage. |
Permissions-Policy | Limits access to browser APIs like geolocation, camera, microphone, etc. |
X-DNS-Prefetch-Control | Prevents browsers from resolving DNS of external domains before user interaction. |
Expect-CT | Ensures valid Certificate Transparency logs for HTTPS connections. |
Origin-Agent-Cluster | Provides context isolation for enhanced privacy and safety. |
Cross-Origin-Embedder-Policy (COEP) | Blocks loading resources unless they explicitly allow being embedded. |
Cross-Origin-Opener-Policy (COOP) | Helps isolate browsing contexts to prevent cross-window attacks. |
Cross-Origin-Resource-Policy (CORP) | Restricts which origins can load resources from your site. |
For more details on these headers and their standard definitions, refer to the following official resources:
These resources represent officially accepted standards, specifications, and industry best practices for implementing security headers in modern web applications.
Special thanks to the following contributors who have helped improve this project:
If you'd like to contribute, please feel free to submit a pull request!
This project is licensed under the MIT License. © 2025 Inan Delibas
FAQs
HTTP security headers middleware for FastAPI.
We found that fastapi-armor demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Application Security
/Security News
Socket CEO Feross Aboukhadijeh and a16z partner Joel de la Garza discuss vibe coding, AI-driven software development, and how the rise of LLMs, despite their risks, still points toward a more secure and innovative future.
Research
/Security News
Threat actors hijacked Toptal’s GitHub org, publishing npm packages with malicious payloads that steal tokens and attempt to wipe victim systems.
Research
/Security News
Socket researchers investigate 4 malicious npm and PyPI packages with 56,000+ downloads that install surveillance malware.