TypeError / secure

Lightweight modern Python library to add security headers (CSP, HSTS, etc.) to Django, Flask, FastAPI, and more. Secure defaults or fully customizable.
MIT License
895 stars 27 forks

'report-to' directive implemented incorrectly, needs its own header #4

Closed myartsev closed 4 years ago

myartsev commented 4 years ago

The report-to directive should be taking in a 'group-name' string that references the values inside a separate Report-To header.

It looks like this library needs to be updated to:

1) Clean up report_to because it should not be taking a JSON object, but rather a string corresponding to the group name
2) Add a Report-To header

Happy to send a PR, just wanted to run this by you guys to check that I'm not mistaken or overlooking something.

This header is currently only supported on Chrome, but it's the future once report-uri gets fully deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri

Correct sample policy:

```http
Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
```

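The two-header layout described in the comment above, as an added example that is not code from this issue or from secure.py: a small builder that serialises the Report-To groups as comma-separated JSON objects and emits a CSP whose `report-to` directive carries only a group name that is checked against the defined groups. The `ReportGroup`, `build_report_to_header`, `build_csp` and `security_headers` names are hypothetical, and the sample group values are constructed to mirror the ones quoted in the issue.

```python
"""Build a Report-To header plus a CSP whose report-to directive references one of its groups."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# A report-to group name is a CSP token: letters, digits, '-' and '_' only.
# Rejecting anything else keeps a bad config value from injecting ';' or ','
# into the header and silently rewriting the policy.
_GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass
class ReportGroup:
    """One endpoint group as it appears inside the Report-To header (hypothetical type)."""
    group: str
    endpoints: Sequence[str]
    max_age: int = 10886400          # seconds the browser caches the group; value taken from the issue
    include_subdomains: bool = False

    def to_json(self) -> str:
        if not _GROUP_NAME_RE.match(self.group):
            raise ValueError(f"invalid report group name: {self.group!r}")
        for url in self.endpoints:
            # Violation reports include page URLs and user-agent data; only accept TLS endpoints.
            if not url.startswith("https://"):
                raise ValueError(f"report endpoint must be https: {url!r}")
        obj = {
            "group": self.group,
            "max_age": self.max_age,
            "endpoints": [{"url": u} for u in self.endpoints],
        }
        if self.include_subdomains:
            obj["include_subdomains"] = True
        return json.dumps(obj, separators=(",", ":"))


def build_report_to_header(groups: Sequence[ReportGroup]) -> str:
    """Serialise the groups as a comma-separated list of JSON objects (Reporting API draft format)."""
    names = [g.group for g in groups]
    if len(set(names)) != len(names):
        raise ValueError("duplicate report group names")
    return ", ".join(g.to_json() for g in groups)


def report_group_defined(name: str, groups: Sequence[ReportGroup]) -> bool:
    """True when the CSP's report-to token names a group that Report-To actually defines."""
    return any(g.group == name for g in groups)


def build_csp(directives: Dict[str, str], report_group: str,
              groups: Sequence[ReportGroup], legacy_report_uri: Optional[str] = None) -> str:
    """Join the directives and append the reporting directives.

    report-to takes only the group name; the endpoints live in Report-To.
    report-uri is deprecated but still honoured by browsers without report-to
    support; CSP3 says a browser that understands report-to ignores report-uri,
    so sending both is the compatibility pattern.
    """
    if not report_group_defined(report_group, groups):
        raise ValueError(f"report-to group {report_group!r} is not defined in Report-To")
    parts = [f"{k} {v}" for k, v in directives.items()]
    if legacy_report_uri:
        parts.append(f"report-uri {legacy_report_uri}")
    parts.append(f"report-to {report_group}")
    return "; ".join(parts)


def security_headers(directives: Dict[str, str], report_group: str,
                     groups: Sequence[ReportGroup],
                     legacy_report_uri: Optional[str] = None) -> Dict[str, str]:
    """The two headers that have to be emitted together for report-to to work."""
    return {
        "Report-To": build_report_to_header(groups),
        "Content-Security-Policy": build_csp(directives, report_group, groups, legacy_report_uri),
    }


if __name__ == "__main__":
    # Constructed sample mirroring the groups quoted in the issue.
    groups = [
        ReportGroup("csp-endpoint", ["https://example.com/csp-reports"]),
        ReportGroup("hpkp-endpoint", ["https://example.com/hpkp-reports"]),
    ]
    headers = security_headers({"default-src": "'self'"}, "csp-endpoint", groups,
                               legacy_report_uri="https://example.com/csp-reports")
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The check in `build_csp` is the part a header library is most likely to skip: a `report-to` token that names an undefined group is syntactically valid and produces no browser error, it just means violation reports are never delivered.
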
myartsev commented 4 years ago

Fixed with https://github.com/TypeError/secure.py/pull/6