Last active Aug 29, 2015
Mount a CherryPy Application with additional header security
import cherrypy


class App(object):
    # Assumed minimal application; the gist does not show its App class.
    @cherrypy.expose
    def index(self):
        return 'Hello'


# Build a CSP that restricts every source type to the page's own origin.
_csp_sources = ['default', 'script', 'style', 'img', 'connect', 'font', 'object', 'media', 'frame']
_csp_default_source = "'self'"
_csp_rules = list()
for c in _csp_sources:
    _csp_rules.append('{:s}-src {:s}'.format(c, _csp_default_source))
_csp = '; '.join(_csp_rules)

# Mount the application and attach the security headers to every response.
cherrypy.tree.mount(App(), '/', {
    '/': {
        'tools.encode.on': False,
        'tools.response_headers.on': True,
        'tools.response_headers.headers': [
            ('X-Frame-Options', 'DENY'), # [XFO]
            ('X-XSS-Protection', '1; mode=block'), # [LUH]
            ('Content-Security-Policy', _csp), # [CSP]
            ('X-Content-Security-Policy', _csp), # [CSP]
            ('X-Webkit-CSP', _csp), # [CSP]
            ('X-Content-Type-Options', 'nosniff') # [LUH]
        ],
    },
})
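An added check for the headers this gist configures (example code, not part of the gist): it rebuilds the same CSP string, then parses a captured response header mapping (constructed here) and flags a missing X-Frame-Options or nosniff, a missing CSP, a CSP without a default-src fallback, and weak sources such as 'unsafe-inline'. It audits only the headers current browsers honour; X-XSS-Protection and the X-prefixed CSP variants are legacy and are not evaluated.

```python
from typing import Dict, List

CSP_SOURCES = ['default', 'script', 'style', 'img', 'connect', 'font',
               'object', 'media', 'frame']
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", '*', 'data:'}

def build_csp(default_source: str = "'self'") -> str:
    """Same construction as the gist: every *-src directive gets the default."""
    return '; '.join('{:s}-src {:s}'.format(c, default_source) for c in CSP_SOURCES)

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(';'):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get('x-frame-options', '').upper() not in ('DENY', 'SAMEORIGIN'):
        findings.append('X-Frame-Options missing or permissive')
    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options is not nosniff')
    csp = h.get('content-security-policy')
    if csp is None:
        findings.append('Content-Security-Policy missing')
        return findings
    policy = parse_csp(csp)
    if 'default-src' not in policy:
        findings.append('CSP has no default-src fallback')
    for directive, sources in policy.items():
        weak = WEAK_SOURCES.intersection(sources)
        if weak:
            findings.append('{} allows {}'.format(directive, ', '.join(sorted(weak))))
    return findings

# Constructed samples: the gist's own header set, then a weakened copy.
GIST_HEADERS = {'X-Frame-Options': 'DENY', 'X-XSS-Protection': '1; mode=block',
                'Content-Security-Policy': build_csp(),
                'X-Content-Type-Options': 'nosniff'}
WEAK_HEADERS = {'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
                'X-Content-Type-Options': 'nosniff'}
```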