---
name: secure
description: >
  A lightweight package that adds security headers for Python web frameworks. Use when writing Python code that uses the secure package.
license: MIT
compatibility: Requires Python >=3.10.
---

# secure

A lightweight package that adds security headers for Python web frameworks.

## Installation

```bash
pip install secure
```

## API overview

### Classes

Main classes provided by the package

- `Secure`: Configure and apply HTTP security headers for web applications

### Dataclasses

Dataclass definitions

- `CacheControl`: Fluent builder for the `Cache-Control` HTTP header
- `ContentSecurityPolicy`: Fluent builder for the `Content-Security-Policy` HTTP response header
- `CrossOriginEmbedderPolicy`: Builder for the `Cross-Origin-Embedder-Policy` (COEP) HTTP response header
- `CrossOriginOpenerPolicy`: Builder for the `Cross-Origin-Opener-Policy` (COOP) HTTP response header
- `CrossOriginResourcePolicy`: Builder for the `Cross-Origin-Resource-Policy` (CORP) HTTP response header
- `CustomHeader`: Wrapper for an arbitrary HTTP header
- `PermissionsPolicy`: Builder for the `Permissions-Policy` HTTP header
- `ReferrerPolicy`: Builder for the `Referrer-Policy` HTTP response header
- `Server`: Builder for the `Server` HTTP response header
- `StrictTransportSecurity`: Builder for the `Strict-Transport-Security` (HSTS) HTTP response header
- `XContentTypeOptions`: Builder for the `X-Content-Type-Options` HTTP header
- `XDnsPrefetchControl`: Builder for the non-standard `X-DNS-Prefetch-Control` HTTP header
- `XFrameOptions`: Builder for the `X-Frame-Options` HTTP response header
- `XPermittedCrossDomainPolicies`: Builder for the `X-Permitted-Cross-Domain-Policies` HTTP response header

### StrictTransportSecurity Methods

Methods for the StrictTransportSecurity class

- `StrictTransportSecurity.header_value`
- `StrictTransportSecurity.clear`
- `StrictTransportSecurity.value`
- `StrictTransportSecurity.max_age`
- `StrictTransportSecurity.include_subdomains`
- `StrictTransportSecurity.preload`

### Secure Methods

Methods for the Secure class

- `Secure.with_default_headers`
- `Secure.from_preset`
- `Secure.__str__`
- `Secure.__repr__`
- `Secure.validate_and_normalize_headers`
- `Secure.deduplicate_headers`
- `Secure.allowlist_headers`
- `Secure.header_items`
- `Secure.set_headers`
- `Secure.set_headers_async`

### CacheControl Methods

Methods for the CacheControl class

- `CacheControl.value`
- `CacheControl.set`
- `CacheControl.clear`
- `CacheControl.custom`
- `CacheControl.immutable`
- `CacheControl.max_age`
- `CacheControl.max_stale`
- `CacheControl.min_fresh`
- `CacheControl.must_revalidate`
- `CacheControl.must_understand`
- `CacheControl.no_cache`
- `CacheControl.no_store`
- `CacheControl.no_transform`
- `CacheControl.only_if_cached`
- `CacheControl.private`
- `CacheControl.proxy_revalidate`
- `CacheControl.public`
- `CacheControl.s_maxage`
- `CacheControl.s_max_age`
- `CacheControl.stale_if_error`
- `CacheControl.stale_while_revalidate`

### ContentSecurityPolicy Methods

Methods for the ContentSecurityPolicy class

- `ContentSecurityPolicy.value`
- `ContentSecurityPolicy.set`
- `ContentSecurityPolicy.clear`
- `ContentSecurityPolicy.report_only`
- `ContentSecurityPolicy.enforce`
- `ContentSecurityPolicy.custom`
- `ContentSecurityPolicy.custom_directive`
- `ContentSecurityPolicy.base_uri`
- `ContentSecurityPolicy.block_all_mixed_content`
- `ContentSecurityPolicy.child_src`
- `ContentSecurityPolicy.connect_src`
- `ContentSecurityPolicy.default_src`
- `ContentSecurityPolicy.fenced_frame_src`
- `ContentSecurityPolicy.font_src`
- `ContentSecurityPolicy.form_action`
- `ContentSecurityPolicy.frame_ancestors`
- `ContentSecurityPolicy.frame_src`
- `ContentSecurityPolicy.img_src`
- `ContentSecurityPolicy.manifest_src`
- `ContentSecurityPolicy.media_src`
- `ContentSecurityPolicy.object_src`
- `ContentSecurityPolicy.prefetch_src`
- `ContentSecurityPolicy.report_to`
- `ContentSecurityPolicy.report_uri`
- `ContentSecurityPolicy.require_trusted_types_for`
- `ContentSecurityPolicy.sandbox`
- `ContentSecurityPolicy.script_src`
- `ContentSecurityPolicy.script_src_attr`
- `ContentSecurityPolicy.script_src_elem`
- `ContentSecurityPolicy.style_src`
- `ContentSecurityPolicy.style_src_attr`
- `ContentSecurityPolicy.style_src_elem`
- `ContentSecurityPolicy.trusted_types`
- `ContentSecurityPolicy.upgrade_insecure_requests`
- `ContentSecurityPolicy.worker_src`
- `ContentSecurityPolicy.keyword`
- `ContentSecurityPolicy.nonce`

### CrossOriginEmbedderPolicy Methods

Methods for the CrossOriginEmbedderPolicy class

- `CrossOriginEmbedderPolicy.set`
- `CrossOriginEmbedderPolicy.value`
- `CrossOriginEmbedderPolicy.clear`
- `CrossOriginEmbedderPolicy.unsafe_none`
- `CrossOriginEmbedderPolicy.require_corp`
- `CrossOriginEmbedderPolicy.credentialless`

### CrossOriginOpenerPolicy Methods

Methods for the CrossOriginOpenerPolicy class

- `CrossOriginOpenerPolicy.value`
- `CrossOriginOpenerPolicy.custom`
- `CrossOriginOpenerPolicy.set`
- `CrossOriginOpenerPolicy.clear`
- `CrossOriginOpenerPolicy.unsafe_none`
- `CrossOriginOpenerPolicy.same_origin_allow_popups`
- `CrossOriginOpenerPolicy.same_origin`
- `CrossOriginOpenerPolicy.noopener_allow_popups`

### CrossOriginResourcePolicy Methods

Methods for the CrossOriginResourcePolicy class

- `CrossOriginResourcePolicy.clear`
- `CrossOriginResourcePolicy.value`
- `CrossOriginResourcePolicy.set`
- `CrossOriginResourcePolicy.same_origin`
- `CrossOriginResourcePolicy.same_site`
- `CrossOriginResourcePolicy.cross_origin`

### PermissionsPolicy Methods

Methods for the PermissionsPolicy class

- `PermissionsPolicy.value`
- `PermissionsPolicy.set`
- `PermissionsPolicy.clear`
- `PermissionsPolicy.add_directive`
- `PermissionsPolicy.directive`
- `PermissionsPolicy.accelerometer`
- `PermissionsPolicy.ambient_light_sensor`
- `PermissionsPolicy.aria_notify`
- `PermissionsPolicy.attribution_reporting`
- `PermissionsPolicy.autoplay`
- `PermissionsPolicy.bluetooth`
- `PermissionsPolicy.browsing_topics`
- `PermissionsPolicy.compute_pressure`
- `PermissionsPolicy.cross_origin_isolated`
- `PermissionsPolicy.fullscreen`
- `PermissionsPolicy.gamepad`
- `PermissionsPolicy.geolocation`
- `PermissionsPolicy.gyroscope`
- `PermissionsPolicy.hid`
- `PermissionsPolicy.identity_credentials_get`
- `PermissionsPolicy.idle_detection`
- `PermissionsPolicy.local_fonts`
- `PermissionsPolicy.magnetometer`
- `PermissionsPolicy.microphone`
- `PermissionsPolicy.on_device_speech_recognition`
- `PermissionsPolicy.otp_credentials`
- `PermissionsPolicy.publickey_credentials_create`
- `PermissionsPolicy.publickey_credentials_get`
- `PermissionsPolicy.serial`
- `PermissionsPolicy.speaker_selection`
- `PermissionsPolicy.storage_access`
- `PermissionsPolicy.summarizer`
- `PermissionsPolicy.translator`
- `PermissionsPolicy.language_detector`
- `PermissionsPolicy.usb`
- `PermissionsPolicy.web_share`
- `PermissionsPolicy.window_management`
- `PermissionsPolicy.xr_spatial_tracking`
- `PermissionsPolicy.battery`
- `PermissionsPolicy.camera`
- `PermissionsPolicy.clipboard_read`
- `PermissionsPolicy.clipboard_write`
- `PermissionsPolicy.display_capture`
- `PermissionsPolicy.document_domain`
- `PermissionsPolicy.encrypted_media`
- `PermissionsPolicy.execution_while_not_rendered`
- `PermissionsPolicy.execution_while_out_of_viewport`
- `PermissionsPolicy.midi`
- `PermissionsPolicy.navigation_override`
- `PermissionsPolicy.payment`
- `PermissionsPolicy.picture_in_picture`
- `PermissionsPolicy.screen_wake_lock`
- `PermissionsPolicy.sync_xhr`

### ReferrerPolicy Methods

Methods for the ReferrerPolicy class

- `ReferrerPolicy.add`
- `ReferrerPolicy.set`
- `ReferrerPolicy.value`
- `ReferrerPolicy.custom`
- `ReferrerPolicy.fallback`
- `ReferrerPolicy.clear`
- `ReferrerPolicy.no_referrer`
- `ReferrerPolicy.no_referrer_when_downgrade`
- `ReferrerPolicy.origin`
- `ReferrerPolicy.origin_when_cross_origin`
- `ReferrerPolicy.same_origin`
- `ReferrerPolicy.strict_origin`
- `ReferrerPolicy.strict_origin_when_cross_origin`
- `ReferrerPolicy.unsafe_url`

### XDnsPrefetchControl Methods

Methods for the XDnsPrefetchControl class

- `XDnsPrefetchControl.clear`
- `XDnsPrefetchControl.set`
- `XDnsPrefetchControl.value`
- `XDnsPrefetchControl.custom`
- `XDnsPrefetchControl.on`
- `XDnsPrefetchControl.off`
- `XDnsPrefetchControl.allow`
- `XDnsPrefetchControl.disable`

### XFrameOptions Methods

Methods for the XFrameOptions class

- `XFrameOptions.value`
- `XFrameOptions.set`
- `XFrameOptions.custom`
- `XFrameOptions.clear`
- `XFrameOptions.deny`
- `XFrameOptions.sameorigin`
- `XFrameOptions.allow_from`

### XPermittedCrossDomainPolicies Methods

Methods for the XPermittedCrossDomainPolicies class

- `XPermittedCrossDomainPolicies.clear`
- `XPermittedCrossDomainPolicies.value`
- `XPermittedCrossDomainPolicies.custom`
- `XPermittedCrossDomainPolicies.set`
- `XPermittedCrossDomainPolicies.policy`
- `XPermittedCrossDomainPolicies.none`
- `XPermittedCrossDomainPolicies.master_only`
- `XPermittedCrossDomainPolicies.by_content_type`
- `XPermittedCrossDomainPolicies.by_ftp_filename`
- `XPermittedCrossDomainPolicies.all`
- `XPermittedCrossDomainPolicies.none_this_response`

### Enumerations

Enumeration types

- `Preset`: Predefined security header presets for `Secure`

## Resources

- [Full documentation](https://github.com/TypeError/secure/tree/main/docs/)
- [llms.txt](llms.txt) — Indexed API reference for LLMs
- [llms-full.txt](llms-full.txt) — Comprehensive documentation for LLMs
- [Source code](https://github.com/TypeError/secure)
