TypeError/secure
secure v2.0.0rc1

Pre-release

A release candidate for secure v2.0.0, focused on a cleaner public API, modern presets, first-class ASGI/WSGI middleware, and safer header application and validation across frameworks.

Highlights

  • New preset model with a recommended default: Preset.BALANCED
  • New ASGI + WSGI middleware for framework-agnostic integration
  • New header pipeline helpers for allowlisting, deduping, and validation/normalization
  • Expanded header coverage and improved docs, examples, and migration guidance

Breaking changes

  • Presets redesigned and defaults changed
    • Added Preset.BALANCED, now the recommended default.
    • Secure.with_default_headers() now equals Secure.from_preset(Preset.BALANCED).
    • Preset.BASIC targets Helmet.js default parity.
    • Preset.STRICT no longer enables HSTS preload by default (opt-in separately).
  • Secure.headers is now strict about duplicates
    • Duplicate header names (case-insensitive) raise ValueError.
    • Use header_items() for multi-valued emission, or resolve duplicates via deduplicate_headers() / validate_and_normalize_headers().

Added

  • Middleware
    • SecureASGIMiddleware (intercepts ASGI http.response.start)
    • SecureWSGIMiddleware (wraps WSGI start_response)
    • secure.middleware re-exports both; both accept multi_ok for safely appending multi-valued headers such as Content-Security-Policy
  • Header pipeline helpers on Secure
    • allowlist_headers(...) (raise / drop / warn)
    • deduplicate_headers(...) (raise, first, last, concat) with COMMA_JOIN_OK and MULTI_OK
    • validate_and_normalize_headers(...) (RFC 7230 token validation, CR/LF hardening, optional obs-text, immutable normalized override)
  • Serialization
    • header_items() for ordered (name, value) output without enforcing uniqueness
  • Constants / policies
    • MULTI_OK, COMMA_JOIN_OK, DEFAULT_ALLOWED_HEADERS
    • OnInvalidPolicy, OnUnexpectedPolicy, DeduplicateAction
  • Expanded header coverage
    • Cross-Origin-Resource-Policy
    • X-DNS-Prefetch-Control
    • X-Permitted-Cross-Domain-Policies
  • Project & CI
    • CODE_OF_CONDUCT.md, CONTRIBUTING.md
    • GitHub Actions for multi-version tests + Ruff
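The duplicate-header rule under Breaking changes and the allowlist → dedupe → validate/normalize helpers listed above can be read as one pipeline. The following is an added, self-contained illustration of that pipeline, not the secure project's own code: the function names follow the vocabulary of these notes, but the signatures, enum values, the comma-join set and the sample headers are assumptions made for this example.

```python
# Added example, not code from the secure project: a minimal header pipeline in
# the allowlist -> dedupe -> validate/normalize order the release notes describe.
# Function names follow the notes' vocabulary; signatures, enum values and the
# comma-join set are assumptions for illustration.
from __future__ import annotations

import re
import warnings
from enum import Enum
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# RFC 7230 "token": one or more tchar. A header name must be a token.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values: HTAB, SP and visible ASCII; obs-text (0x80-0xFF) only when opted in.
_VALUE_RE = re.compile(r"[\t\x20-\x7e]*")
_VALUE_OBS_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class OnUnexpected(Enum):  # what to do with a header outside the allowlist
    RAISE = "raise"
    DROP = "drop"
    WARN = "warn"


class DedupeAction(Enum):  # how to resolve a repeated header name
    RAISE = "raise"
    FIRST = "first"
    LAST = "last"
    CONCAT = "concat"


# Assumed set: list-valued headers for which "a, b" on one line is equivalent to
# two separate lines (RFC 7230 section 3.2.2). CONCAT is refused for anything else.
COMMA_JOIN_OK_EXAMPLE = frozenset({"cache-control", "vary"})


def allowlist_headers(headers: Iterable[Header], allowed: Iterable[str],
                      on_unexpected: OnUnexpected = OnUnexpected.RAISE) -> List[Header]:
    """Keep only headers whose name (case-insensitive) is in `allowed`."""
    allowed_lc = {h.lower() for h in allowed}
    kept: List[Header] = []
    for name, value in headers:
        if name.lower() in allowed_lc:
            kept.append((name, value))
        elif on_unexpected is OnUnexpected.RAISE:
            raise ValueError(f"unexpected header: {name}")
        elif on_unexpected is OnUnexpected.WARN:
            warnings.warn(f"dropping unexpected header: {name}", stacklevel=2)
        # DROP: silently skip the header
    return kept


def deduplicate_headers(headers: Iterable[Header], action: DedupeAction = DedupeAction.RAISE,
                        comma_join_ok: frozenset = COMMA_JOIN_OK_EXAMPLE) -> List[Header]:
    """Resolve repeated names; the first occurrence's spelling of the name is kept."""
    seen: Dict[str, Header] = {}  # dict keeps first-seen order
    for name, value in headers:
        key = name.lower()
        if key not in seen:
            seen[key] = (name, value)
        elif action is DedupeAction.RAISE:
            raise ValueError(f"duplicate header: {name}")
        elif action is DedupeAction.LAST:
            seen[key] = (name, value)
        elif action is DedupeAction.CONCAT:
            if key not in comma_join_ok:
                raise ValueError(f"{name} cannot be comma-joined")
            seen[key] = (seen[key][0], f"{seen[key][1]}, {value}")
        # FIRST: keep what is already there
    return list(seen.values())


def validate_and_normalize_headers(headers: Iterable[Header],
                                   allow_obs_text: bool = False) -> Tuple[Header, ...]:
    """Reject non-token names and CR/LF (response splitting); return an immutable tuple."""
    value_re = _VALUE_OBS_RE if allow_obs_text else _VALUE_RE
    normalized: List[Header] = []
    for name, value in headers:
        if not _TOKEN_RE.fullmatch(name):
            raise ValueError(f"invalid header name: {name!r}")
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF in value of {name}")
        if not value_re.fullmatch(value):
            raise ValueError(f"non-printable or non-ASCII character in value of {name}")
        normalized.append((name, value.strip(" \t")))  # strip optional whitespace
    return tuple(normalized)


def run_pipeline(headers: Iterable[Header], allowed: Iterable[str],
                 on_unexpected: OnUnexpected = OnUnexpected.RAISE,
                 action: DedupeAction = DedupeAction.RAISE) -> Tuple[Header, ...]:
    """allowlist -> dedupe -> validate/normalize, in that order."""
    return validate_and_normalize_headers(
        deduplicate_headers(allowlist_headers(headers, allowed, on_unexpected), action)
    )


# Constructed sample: an app emitting a duplicate Cache-Control and a stray debug header.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Cache-Control", "no-store"),
    ("cache-control", "no-cache "),
    ("X-Debug", "1"),
]
ALLOWED_EXAMPLE = ["Content-Security-Policy", "Cache-Control"]
```

With the defaults (raise on unexpected, raise on duplicate) the sample fails fast on X-Debug; with DROP and CONCAT it yields a single Cache-Control of "no-store, no-cache". CONCAT on a header outside the comma-join set, such as two X-Frame-Options lines, is refused rather than silently merged, and a value carrying CR/LF is rejected before anything reaches the wire.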

Changed

  • Docs/README overhaul
    • Middleware usage + multi_ok semantics
    • Clear preset guidance (BALANCED / BASIC / STRICT) and documented default header set
    • New “header pipeline and validation” section (allowlist → dedupe → normalize)
    • New error handling/logging guidance (HeaderSetError, AttributeError, RuntimeError, pipeline ValueError)
    • Supported frameworks list expanded (now includes Dash and Shiny)
    • Attribution to MDN and the OWASP Secure Headers Project
  • Presets behavior
    • BASIC adds Origin-Agent-Cluster, X-Download-Options, and X-XSS-Protection: 0 for Helmet parity
  • Response integration
    • More robust sync/async detection
    • Supports response.headers.set(...) (Werkzeug-style)
    • Failures while applying headers are wrapped in HeaderSetError
  • Packaging/tooling
    • pyproject.toml modernized (metadata cleanup, setuptools floor bump, Ruff configuration)

Testing

  • Expanded unit and contract tests, including improved coverage for sync/async response integration paths.

Upgrade notes

  • If you were relying on the previous with_default_headers() behavior, review the new presets and choose:
    • Preset.BALANCED (default, recommended)
    • Preset.BASIC (Helmet-parity compatibility)
    • Preset.STRICT (hardened; HSTS preload not enabled by default)
  • If your app needs multi-valued headers, prefer header_items() and/or configure middleware multi_ok.
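The middleware entries under Added describe an ASGI wrapper that intercepts http.response.start and a WSGI wrapper around start_response, both with multi_ok for headers that may be appended rather than replaced. The following is an added illustration of that pattern, not the secure project's middleware: the class names, the replace-unless-in-multi_ok rule, the header set and the two toy apps are assumptions made for this example.

```python
# Added example, not code from the secure project: framework-agnostic ASGI and
# WSGI middleware that apply a fixed set of security headers. A header the app
# already set is replaced, unless its name is in multi_ok, in which case the
# middleware's value is appended as an extra header line. Names are assumptions.
from __future__ import annotations

import asyncio
from typing import List, Tuple

Header = Tuple[str, str]


def merge_headers(existing: List[Header], extra: List[Header], multi_ok: frozenset) -> List[Header]:
    """Replace same-named app headers unless the name is in multi_ok (then append)."""
    replace = {n.lower() for n, _ in extra if n.lower() not in multi_ok}
    merged = [(n, v) for n, v in existing if n.lower() not in replace]
    merged.extend(extra)
    return merged


class SecurityHeadersASGIMiddleware:
    def __init__(self, app, headers: List[Header], multi_ok=frozenset()):
        self.app = app
        self.headers = list(headers)
        self.multi_ok = frozenset(h.lower() for h in multi_ok)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # leave lifespan/websocket scopes untouched
            await self.app(scope, receive, send)
            return

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                existing = [(n.decode("latin-1"), v.decode("latin-1"))
                            for n, v in message.get("headers", [])]
                merged = merge_headers(existing, self.headers, self.multi_ok)
                # ASGI requires lowercase byte header names
                message = {**message, "headers": [(n.lower().encode("latin-1"), v.encode("latin-1"))
                                                  for n, v in merged]}
            await send(message)

        await self.app(scope, receive, send_with_headers)


class SecurityHeadersWSGIMiddleware:
    def __init__(self, app, headers: List[Header], multi_ok=frozenset()):
        self.app = app
        self.headers = list(headers)
        self.multi_ok = frozenset(h.lower() for h in multi_ok)

    def __call__(self, environ, start_response):
        def start_response_with_headers(status, response_headers, exc_info=None):
            merged = merge_headers(list(response_headers), self.headers, self.multi_ok)
            return start_response(status, merged, exc_info)
        return self.app(environ, start_response_with_headers)


# Assumed header set for the example; only CSP may be emitted more than once.
SECURE_HEADERS: List[Header] = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
]
MULTI_OK_EXAMPLE = frozenset({"content-security-policy"})


async def asgi_app(scope, receive, send):
    # Constructed app: sets a weak X-Frame-Options and its own, narrower CSP.
    await send({"type": "http.response.start", "status": 200, "headers": [
        (b"content-type", b"text/plain"),
        (b"x-frame-options", b"ALLOWALL"),
        (b"content-security-policy", b"img-src https:"),
    ]})
    await send({"type": "http.response.body", "body": b"ok"})


def run_asgi_example() -> List[Header]:
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    app = SecurityHeadersASGIMiddleware(asgi_app, SECURE_HEADERS, MULTI_OK_EXAMPLE)
    asyncio.run(app({"type": "http", "method": "GET", "path": "/"}, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in start["headers"]]


def wsgi_app(environ, start_response):
    # Constructed app: sets a weak X-Frame-Options and no CSP.
    start_response("200 OK", [("Content-Type", "text/plain"), ("X-Frame-Options", "ALLOWALL")])
    return [b"ok"]


def run_wsgi_example() -> List[Header]:
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    app = SecurityHeadersWSGIMiddleware(wsgi_app, SECURE_HEADERS, MULTI_OK_EXAMPLE)
    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["headers"]
```

In the ASGI run the app's X-Frame-Options: ALLOWALL is replaced by DENY, while both Content-Security-Policy lines survive because that name is in multi_ok; browsers enforce every CSP they receive, so appending tightens rather than loosens the policy. Any header not in multi_ok that the app repeats would be collapsed to the middleware's value, which is the safe default for single-valued headers such as HSTS.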

See the migration guide: docs/migration.md.

What's Changed

  • feat: CI for unit tests + explicit Python 3.13 & 3.14 support by @BoboTiG in #39
  • secure v2.0.0rc1: presets redesign, ASGI/WSGI middleware, and header updates by @cak in #40

New Contributors

Full Changelog: v1.0.1...v2.0.0rc1
