On Fri, Dec 7, 2018 at 2:25 AM Caleb <[email protected]> wrote:
> 👋 All, I would appreciate any feedback on a lightweight security headers
> and cookie attribute project for Python web frameworks (including Pyramid)
> called Secure 🔒. Secure lets developers easily set security headers and
> secure cookies with recommended values. The repo is:
> https://github.com/cakinney/secure. 🙏
It's a great concept. My IT department requires web apps to go through a checklist of OWASP and other security recommendations, and I had to write custom code to implement some of them like X-Frame-Options and the cookie headers because there wasn't a library like Secure available. On the other hand, Strict-Transport-Security is handled server-wide on all servers so it didn't need to be in the application.

I reviewed the docs and Pyramid configuration and glanced at the code. My impressions:

- The header options look convenient enough.

- Could 'max_age' be an integer? It looks like not because it's embedded in a larger string. Perhaps those suboptions should have separate arguments?

- For Pyramid applications it would be most convenient to have a Pyramid include that parses the config settings for you. I understand that Secure may not want to include boilerplate code for that because it would imply a nominal Pyramid dependency. I think that could best be incorporated into Pyramid itself or a 'pyramid_secure' package. The latter would be ridiculously small though.

- It would be helpful in the documentation to have a link at each option pointing to the recommendations on how to decide what settings you want. For instance, I had to study Cache-Control to decide which settings to implement, and I haven't seen the Feature settings before and don't know what all the options mean. (Magnetometer, what's that?) There is a link to the OWASP Cheat Sheet at the bottom, but I didn't see this until I got to the end of the doc, and it still would be more convenient to have a setting-specific link at each setting.
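As an added example (not code from Secure, Pyramid, or either poster), here is a sketch of the small 'pyramid_secure' include suggested in the reply above: it reads 'secure.*' keys from the Pyramid settings dict, takes the HSTS max_age as an integer with includeSubDomains and preload as separate options, and attaches the headers to every response. The setting names, defaults, and the includeme/headers_from_settings functions are assumptions, not part of any real package.

```python
# Hypothetical 'pyramid_secure' include (added example, not Secure's own code).
# Pyramid is imported lazily so headers_from_settings() can be used and tested
# without Pyramid installed.

def _asbool(value):
    """Parse an .ini-style boolean ('true', 'yes', 'on', '1'); bools pass through."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def hsts_value(max_age, include_subdomains=True, preload=False):
    """Build a Strict-Transport-Security value from separate sub-options,
    so max_age is validated as an integer instead of being embedded in a string."""
    if not isinstance(max_age, int) or max_age < 0:
        raise ValueError("max_age must be a non-negative integer number of seconds")
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def headers_from_settings(settings, prefix="secure."):
    """Turn settings such as 'secure.hsts.max_age = 31536000' into a header dict.
    Defaults below are assumed values for this example, not Secure's."""
    get = lambda key, default: settings.get(prefix + key, default)
    headers = {}
    if _asbool(get("hsts", True)):
        headers["Strict-Transport-Security"] = hsts_value(
            int(get("hsts.max_age", 31536000)),
            _asbool(get("hsts.include_subdomains", True)),
            _asbool(get("hsts.preload", False)))
    if _asbool(get("xfo", True)):
        headers["X-Frame-Options"] = str(get("xfo.value", "SAMEORIGIN"))
    if _asbool(get("nosniff", True)):
        headers["X-Content-Type-Options"] = "nosniff"
    if _asbool(get("cache", True)):
        headers["Cache-Control"] = str(get("cache.value", "no-store"))
    return headers


def includeme(config):
    """Pyramid entry point: config.include('pyramid_secure') in the app factory."""
    from pyramid.events import NewResponse  # real Pyramid API, imported here on purpose
    headers = headers_from_settings(config.registry.settings)

    def add_headers(event):
        # Views that set a header explicitly win over the configured default.
        for name, value in headers.items():
            if name not in event.response.headers:
                event.response.headers[name] = value

    config.add_subscriber(add_headers, NewResponse)
```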
