{"id":4250,"library":"secure","title":"Secure Headers for Python Web Frameworks","description":"Secure is a lightweight Python library designed to effortlessly add essential HTTP security headers to web applications. It supports multiple frameworks like Flask, FastAPI, and Django with a unified, modern API. The library is actively maintained, with the current stable version being 1.0.1, and a 2.0.0 release candidate introducing significant enhancements and API changes.","status":"active","version":"1.0.1","language":"en","source_language":"en","source_url":"https://github.com/TypeError/secure","tags":["security","web","headers","middleware","flask","fastapi","django","asgi","wsgi","http"],"install":[{"cmd":"pip install secure","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Requires Python 3.10 or higher for modern language features.","package":"python","optional":false}],"imports":[{"note":"Main class for applying security headers.","symbol":"Secure","correct":"from secure import Secure"},{"note":"For building custom CSP policies.","symbol":"ContentSecurityPolicy","correct":"from secure import ContentSecurityPolicy"},{"note":"For building custom Permissions Policy headers.","symbol":"PermissionsPolicy","correct":"from secure import PermissionsPolicy"},{"note":"Available from v1.x.x, official middleware path for WSGI frameworks (e.g., Flask, Django) in v2.0.0rc1.","wrong":"from secure import SecureWSGIMiddleware","symbol":"SecureWSGIMiddleware","correct":"from secure.middleware import SecureWSGIMiddleware"},{"note":"Available from v1.x.x, official middleware path for ASGI frameworks (e.g., FastAPI, Starlette) in v2.0.0rc1.","wrong":"from secure import SecureASGIMiddleware","symbol":"SecureASGIMiddleware","correct":"from secure.middleware import SecureASGIMiddleware"},{"note":"The `SecureHeaders` class was part of the 0.x.x API and was removed in v1.0.0. Use `secure.Secure` instead.","wrong":"from secure import SecureHeaders","symbol":"SecureHeaders","correct":"from secure import Secure"},{"note":"Cookie management functionality (`SecureCookie` class) was removed entirely in v0.3.0/v1.0.0. This is no longer supported.","wrong":"from secure import SecureCookie","symbol":"SecureCookie","correct":"N/A (Functionality removed)"}],"quickstart":{"code":"import os\nfrom flask import Flask, Response\nfrom secure import Secure\n\napp = Flask(__name__)\n\n# Instantiate Secure with default headers (or customize)\n# For v2.0.0rc1 and later, consider `Secure.with_preset(Preset.BALANCED)` or middleware.\nsecure_headers = Secure.with_default_headers()\n\n@app.after_request\ndef add_security_headers(response: Response):\n    secure_headers.set_headers(response)\n    return response\n\n@app.route(\"/\")\ndef home():\n    return \"Hello, secure world!\"\n\nif __name__ == \"__main__\":\n    # In a real application, use a production-ready WSGI server like Gunicorn\n    app.run(debug=True)","lang":"python","description":"This Flask example demonstrates how to integrate `secure.py` by applying default security headers to every response using an `after_request` hook. The `Secure.with_default_headers()` method provides a baseline set of recommended headers."},"warnings":[{"fix":"Consult the official migration guide (e.g., `docs/migration.md` on GitHub) to adapt to the new API and preset models. Consider using `SecureASGIMiddleware` or `SecureWSGIMiddleware` for framework-agnostic integration.","message":"Version 2.0.0 (currently in Release Candidate) introduces a significant API overhaul, including a new preset model (e.g., `Preset.BALANCED`), first-class ASGI/WSGI middleware, and changes to the behavior of `with_default_headers()`. Review the migration guide when upgrading to 2.x.x.","severity":"breaking","affected_versions":">=2.0.0rc1"},{"fix":"Rewrite code using the new `secure.Secure` class and its methods. Ensure your project is running on Python 3.10 or newer. Cookie management functionality has been removed; you'll need a different library or custom implementation for secure cookies.","message":"The library underwent a complete API redesign in v1.0.0 from its 0.x.x versions. Old classes like `SecureHeaders` and `SecureCookie` were removed or replaced. Additionally, v1.0.0 requires Python 3.10+.","severity":"breaking","affected_versions":"0.x.x to 1.x.x"},{"fix":"Remove any reliance on `secure.SecureCookie`. Implement secure cookie handling using your web framework's native capabilities or a dedicated cookie security library.","message":"The `SecureCookie` class and all cookie management features were removed starting from version 0.3.0 and are not present in 1.x.x or 2.x.x. The library now exclusively focuses on HTTP security headers.","severity":"breaking","affected_versions":">=0.3.0"},{"fix":"Update any custom header configurations or policy builders to use `PermissionsPolicy` instead of `FeaturePolicy`.","message":"The `Feature-Policy` HTTP header was renamed to `Permissions-Policy` as part of a specification update. `secure.py` adopted this change in v0.3.0/v1.0.0, so older configurations might be using the deprecated name.","severity":"gotcha","affected_versions":"0.x.x (pre-0.3.0)"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}