Headers


Introduction

Masonite allows you to easily add security headers to your application. Masonite adds some sensible defaults but you can modify them as you need.

Configuration

All you need to do is add the middleware to your HTTP_MIDDLEWARE constant in your config/middleware.py file:

from masonite.middleware import SecureHeadersMiddleware

HTTP_MIDDLEWARE = [
    ...
    SecureHeadersMiddleware,
]

This will add these default headers for your server:

'Strict-Transport-Security': 'max-age=63072000; includeSubdomains'
'X-Frame-Options': 'SAMEORIGIN'
'X-XSS-Protection': '1; mode=block'
'X-Content-Type-Options': 'nosniff'
'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin'
'Cache-control': 'no-cache, no-store, must-revalidate'
'Pragma': 'no-cache'

Overriding Headers

If you want to change or add any headers, you just need to specify them in a SECURE_HEADERS dictionary in your config/middleware.py file and this middleware will automatically pick them up. For example, you can change the X-Frame-Options header like this:

config/middleware.py
SECURE_HEADERS = {
    'X-Frame-Options': 'deny'
}

This will then change your headers to:

'Strict-Transport-Security': 'max-age=63072000; includeSubdomains'
'X-Frame-Options': 'deny'
'X-XSS-Protection': '1; mode=block'
'X-Content-Type-Options': 'nosniff'
'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin'
'Cache-control': 'no-cache, no-store, must-revalidate'
'Pragma': 'no-cache'

Notice that only the header we overrode, X-Frame-Options, has changed; the other defaults are kept as they were.
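The merge behaviour described in the Configuration and Overriding Headers sections, as an added example that is not Masonite's own middleware code: the defaults are the ones listed on this page, and the helper names (merge_secure_headers, apply_secure_headers, missing_secure_headers) are assumptions for illustration. The audit helper also compares header names case-insensitively, as HTTP does, so a check does not fail on 'Cache-control' versus 'Cache-Control'.

```python
# Added example (not Masonite's own code): models how the middleware merges
# its defaults with SECURE_HEADERS overrides and audits a response for them.
# Helper names are assumptions chosen for this illustration.

# Default headers as listed on the page.
DEFAULT_SECURE_HEADERS = {
    'Strict-Transport-Security': 'max-age=63072000; includeSubdomains',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin',
    'Cache-control': 'no-cache, no-store, must-revalidate',
    'Pragma': 'no-cache',
}


def merge_secure_headers(overrides=None):
    """Return the defaults with SECURE_HEADERS applied: an override replaces
    the default of the same name, and a new name is added as an extra header."""
    merged = dict(DEFAULT_SECURE_HEADERS)
    merged.update(overrides or {})
    return merged


def apply_secure_headers(response_headers, overrides=None):
    """Set the merged secure headers on a response header dict (in place)."""
    response_headers.update(merge_secure_headers(overrides))
    return response_headers


def missing_secure_headers(response_headers, expected):
    """Audit a response: return the expected header names that are absent
    or carry a different value (names compared case-insensitively)."""
    present = {name.lower(): value for name, value in response_headers.items()}
    return sorted(name for name, value in expected.items()
                  if present.get(name.lower()) != value)


if __name__ == '__main__':
    # Constructed config mirroring the page: override X-Frame-Options only.
    SECURE_HEADERS = {'X-Frame-Options': 'deny'}
    headers = apply_secure_headers({'Content-Type': 'text/html'}, SECURE_HEADERS)
    for name, value in headers.items():
        print(f'{name}: {value}')
    # A response that never went through the middleware fails on every header.
    print(missing_secure_headers({'Content-Type': 'text/html'},
                                 merge_secure_headers(SECURE_HEADERS)))
```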