Masonite Documentation
v2.2 LTS

Headers

Introduction

Masonite can add a set of security-related response headers to every response through a single middleware. It ships with sensible defaults, and you can override or extend them from configuration.

Configuration

All you need to do is add the middleware to your HTTP_MIDDLEWARE constant in your config/middleware.py file:

from masonite.middleware import SecureHeadersMiddleware

HTTP_MIDDLEWARE = [
    ...
    SecureHeadersMiddleware,
]

Every response will then carry these default headers:

'Strict-Transport-Security': 'max-age=63072000; includeSubdomains'
'X-Frame-Options': 'SAMEORIGIN'
'X-XSS-Protection': '1; mode=block'
'X-Content-Type-Options': 'nosniff'
'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin'
'Cache-control': 'no-cache, no-store, must-revalidate'
'Pragma': 'no-cache'

Two of these deserve a check before you enable the middleware in production. Strict-Transport-Security with max-age=63072000 (two years) and includeSubdomains tells browsers to refuse plain HTTP for your host and every subdomain for that long, so make sure every subdomain is actually served over TLS first; the directive spelling differs from the RFC's includeSubDomains, but HSTS directive names are case-insensitive, so it is honoured. X-XSS-Protection: 1; mode=block drove a browser XSS filter that has since been removed from Chromium and was never implemented in Firefox; current OWASP guidance is to send 0 or omit the header, which you can do with the override mechanism described in the next section.

Overriding Headers

To change a default or add a header, define a SECURE_HEADERS dictionary in config/middleware.py; the middleware merges it over the defaults, so you only list the headers you want to change. For example, to forbid framing by any page, including your own origin, set X-Frame-Options to deny:

config/middleware.py
SECURE_HEADERS = {
    'X-Frame-Options': 'deny'
}

This will then change your headers to:

'Strict-Transport-Security': 'max-age=63072000; includeSubdomains'
'X-Frame-Options': 'deny'
'X-XSS-Protection': '1; mode=block'
'X-Content-Type-Options': 'nosniff'
'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin'
'Cache-control': 'no-cache, no-store, must-revalidate'
'Pragma': 'no-cache'

Only X-Frame-Options changed; the other defaults are kept as they were.
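To confirm that a deployed application, or a test client's response, actually carries the policy described above, here is an added example written for this page; it is not part of Masonite and does not touch the framework, it only audits a dict of response headers such as the one the middleware emits. It parses the HSTS directives, checks X-Frame-Options, nosniff and the effective Referrer-Policy token, and flags the deprecated X-XSS-Protection filter. MASONITE_DEFAULTS is constructed from the list above; the function names and the one-year HSTS threshold are the example's own choices.

```python
import re

# Constructed from the defaults listed on this page (not fetched from a server).
MASONITE_DEFAULTS = {
    'Strict-Transport-Security': 'max-age=63072000; includeSubdomains',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin',
    'Cache-control': 'no-cache, no-store, must-revalidate',
    'Pragma': 'no-cache',
}

# Policies that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    'no-referrer', 'same-origin', 'strict-origin',
    'strict-origin-when-cross-origin',
}


def parse_hsts(value):
    """Return (max_age, include_subdomains) for a Strict-Transport-Security value.

    RFC 6797 directive names are case-insensitive, which is why Masonite's
    'includeSubdomains' spelling is honoured even though the RFC writes
    'includeSubDomains'.
    """
    directives = [d.strip().lower() for d in value.split(';') if d.strip()]
    max_age = None
    for directive in directives:
        match = re.fullmatch(r'max-age=(\d+)', directive)
        if match:
            max_age = int(match.group(1))
    return max_age, 'includesubdomains' in directives


def audit_security_headers(headers, min_hsts_age=31536000):
    """Return a list of findings for a response-header mapping.

    An empty list means the response meets the policy. Header names are
    case-insensitive (RFC 7230), so 'Cache-control' and 'Cache-Control'
    are treated alike.
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    hsts = h.get('strict-transport-security')
    if hsts is None:
        findings.append('missing Strict-Transport-Security')
    else:
        max_age, include_subdomains = parse_hsts(hsts)
        if max_age is None or max_age < min_hsts_age:
            findings.append(f'HSTS max-age {max_age} below {min_hsts_age}')
        if not include_subdomains:
            findings.append('HSTS lacks includeSubDomains')

    xfo = h.get('x-frame-options', '').upper()
    if xfo not in ('DENY', 'SAMEORIGIN'):
        findings.append(f'X-Frame-Options is {xfo!r}, expected DENY or SAMEORIGIN')

    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options is not nosniff')

    # With a comma-separated list the browser applies the last token it
    # recognises, so the rightmost value decides what leaks cross-origin.
    tokens = [t.strip().lower() for t in h.get('referrer-policy', '').split(',') if t.strip()]
    if not tokens or tokens[-1] not in SAFE_REFERRER_POLICIES:
        findings.append('Referrer-Policy may leak full URLs cross-origin')

    # The filter behind X-XSS-Protection was removed from Chromium and never
    # existed in Firefox; current OWASP guidance is '0' or no header at all.
    xss = h.get('x-xss-protection')
    if xss is not None and xss.split(';')[0].strip() != '0':
        findings.append("X-XSS-Protection enables a deprecated filter; set it to '0'")

    return findings


if __name__ == '__main__':
    cases = [
        ('defaults', MASONITE_DEFAULTS),
        ('hardened', {**MASONITE_DEFAULTS, 'X-Frame-Options': 'deny', 'X-XSS-Protection': '0'}),
        ('weak HSTS', {**MASONITE_DEFAULTS, 'Strict-Transport-Security': 'max-age=0'}),
    ]
    for name, hdrs in cases:
        print(name, '->', audit_security_headers(hdrs) or 'OK')
```

Run against a live deployment by passing `requests.get(url).headers` (a case-insensitive mapping works the same way), or against the response of your test client in a unit test; a non-empty list fails the build.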

CORS

If browser-based clients on other origins need to call your application, Masonite can emit CORS headers as well. CORS does not harden the application; it relaxes the browser's same-origin policy for the origins you list, so keep that list as narrow as possible. Configuring it is very similar to the secure headers above.

The CORS middleware must be the first entry in the HTTP_MIDDLEWARE list so that preflight (OPTIONS) requests are answered before another middleware can reject them.

To get started just import the CorsProvider class into your config/providers.py file and add it to your PROVIDERS list:

from masonite.providers import CorsProvider
...
PROVIDERS = [
    AppProvider,
    CorsProvider,
    ...,
]

Then, in config/middleware.py, add CorsMiddleware at the top of HTTP_MIDDLEWARE and declare the CORS headers as a CORS dictionary. The values below are a common starting point, but read the note after them before copying it:

from masonite.middleware import CorsMiddleware
...
HTTP_MIDDLEWARE = [
    CorsMiddleware,  # first, so preflight requests are answered before another middleware can reject them
    ...,
]

ROUTE_MIDDLEWARE = [
    ...,
]

...

CORS = {
    # Browsers refuse '*' together with Allow-Credentials 'true'; if you need
    # credentials, put the one exact origin that may send them here instead.
    'Access-Control-Allow-Origin': "*",
    "Access-Control-Allow-Methods": "DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT",
    "Access-Control-Allow-Headers": "Content-Type, Accept, X-Requested-With",
    "Access-Control-Max-Age": "3600",
    "Access-Control-Allow-Credentials": "true"
}

Load a page in a browser and inspect the response in the developer tools: these headers are now sent by your server.

One combination above will not work as written: browsers reject Access-Control-Allow-Origin: * on any response that also carries Access-Control-Allow-Credentials: true, and they block the cross-origin read. Pick one: drop Allow-Credentials if the API is called without cookies or HTTP authentication, or replace * with the single exact origin that may send credentials and add Vary: Origin so a shared cache does not serve one origin's response to another. Access-Control-Allow-Origin accepts only one origin, so a static dictionary can name only one; supporting several means echoing the request's Origin header after checking it against an allow-list.
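To show the per-request behaviour that a static dictionary cannot express, here is an added example, framework-agnostic and not Masonite's CorsMiddleware, that computes CORS response headers from the request's Origin: it echoes only allow-listed origins, adds Vary: Origin, never pairs * with credentials, and answers preflight requests with the same method and header lists as the dictionary above. ALLOWED_ORIGINS, the function names and the sample requests are constructed for the example, and request headers are assumed to arrive as a dict with canonical names.

```python
# Constructed allow-list for the example; a real application reads it from config.
ALLOWED_ORIGINS = {'https://app.example.com', 'https://admin.example.com'}
# Same method and header lists as the CORS dictionary above.
ALLOWED_METHODS = 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'
ALLOWED_HEADERS = 'Content-Type, Accept, X-Requested-With'


def cors_headers(request_headers, method, allowed_origins=ALLOWED_ORIGINS,
                 allow_credentials=True):
    """Return the CORS headers to add for one request.

    request_headers is a dict of the incoming request's headers (canonical
    names assumed for the example). An empty dict means "add nothing": the
    browser then refuses the cross-origin read, which is the safe default.
    """
    origin = request_headers.get('Origin')
    if origin is None or origin not in allowed_origins:
        # Same-origin request, non-browser client, or an origin we do not
        # trust. Emitting no header is safer than emitting a permissive one.
        return {}

    headers = {
        # Echo the one exact origin that passed the allow-list check. A '*'
        # here would be rejected by browsers once credentials are allowed.
        'Access-Control-Allow-Origin': origin,
        # The response now depends on Origin; caches must key on it, or one
        # origin's allow header could be served to another.
        'Vary': 'Origin',
    }
    if allow_credentials:
        headers['Access-Control-Allow-Credentials'] = 'true'

    # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    # Only it needs the method/header lists and the cache lifetime.
    if method.upper() == 'OPTIONS' and 'Access-Control-Request-Method' in request_headers:
        headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS
        headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS
        headers['Access-Control-Max-Age'] = '3600'
    return headers


def is_valid_cors(headers):
    """False for the one combination browsers always reject: a wildcard
    origin together with Access-Control-Allow-Credentials: true."""
    return not (headers.get('Access-Control-Allow-Origin') == '*'
                and headers.get('Access-Control-Allow-Credentials', '').lower() == 'true')


if __name__ == '__main__':
    static_defaults = {'Access-Control-Allow-Origin': '*',
                       'Access-Control-Allow-Credentials': 'true'}
    print('static dictionary valid:', is_valid_cors(static_defaults))
    preflight = cors_headers({'Origin': 'https://app.example.com',
                              'Access-Control-Request-Method': 'PUT'}, 'OPTIONS')
    print('preflight:', preflight)
    print('unknown origin:', cors_headers({'Origin': 'https://evil.example'}, 'GET'))
```

Wherever this runs (a Masonite middleware, a WSGI wrapper), call it before the controller and short-circuit a matched preflight with an empty 204 response carrying these headers, so OPTIONS never reaches CSRF or authentication checks that would reject it.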
