Security Headers
HTTP security headers automatically applied to all responses — CSP, HSTS, X-Frame-Options, and more.
FastCMS includes a comprehensive security headers middleware that adds important HTTP security headers to all responses.
Headers Overview
| Header | Value | Purpose |
|---|---|---|
| X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
| X-Frame-Options | DENY | Prevents clickjacking |
| X-XSS-Protection | 1; mode=block | XSS filter for legacy browsers |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer information |
| Permissions-Policy | (restrictive) | Disables unnecessary browser features |
| Content-Security-Policy | (see below) | Controls resource loading |
| Strict-Transport-Security | max-age=31536000 | HTTPS enforcement (production only) |
| Cache-Control | no-store, no-cache | Prevents caching of API responses |
Content Security Policy (CSP)
Default policy:
```
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  font-src 'self' data:;
  connect-src 'self' ws: wss:;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self'
```
Permissions Policy
Disabled browser features:
- Accelerometer, Camera, Geolocation, Gyroscope
- Magnetometer, Microphone, Payment API, USB access
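To show how a middleware of this kind produces the headers listed in the table above, here is a minimal pure-ASGI implementation, added as an illustration. It is not FastCMS's own middleware: the class name and constructor options mirror the ones documented in the Configuration section, while the exact Permissions-Policy values, the `production` flag used to gate HSTS, and the rule that Cache-Control is applied only to paths under /api/ are assumptions. `collect_headers` drives it with a constructed request so the result can be inspected without running a server.

```python
# Added illustration, not FastCMS code: a minimal pure-ASGI security-headers
# middleware modelled on the documented options. Class name, parameter names,
# the Permissions-Policy values, the `production` flag and the "/api/"
# Cache-Control rule are assumptions.
import asyncio

DEFAULT_CSP = "; ".join([
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "font-src 'self' data:",
    "connect-src 'self' ws: wss:",
    "frame-ancestors 'none'",
    "base-uri 'self'",
    "form-action 'self'",
])

# Permissions-Policy syntax: "feature=()" disables the feature for every origin.
DEFAULT_PERMISSIONS = ", ".join(
    f"{feature}=()"
    for feature in ("accelerometer", "camera", "geolocation", "gyroscope",
                    "magnetometer", "microphone", "payment", "usb")
)


class SecurityHeadersMiddleware:
    """Adds the documented headers to every HTTP response (assumed equivalent)."""

    def __init__(self, app, *, content_security_policy=DEFAULT_CSP,
                 permissions_policy=DEFAULT_PERMISSIONS, hsts_max_age=31536000,
                 frame_options="DENY", include_subdomains=True, production=True):
        self.app = app
        self.csp = content_security_policy
        self.permissions = permissions_policy
        self.hsts_max_age = hsts_max_age
        self.frame_options = frame_options
        self.include_subdomains = include_subdomains
        self.production = production  # HSTS is only emitted in production

    def response_headers(self, path: str) -> dict:
        headers = {
            "x-content-type-options": "nosniff",
            "x-frame-options": self.frame_options,
            "x-xss-protection": "1; mode=block",
            "referrer-policy": "strict-origin-when-cross-origin",
            "permissions-policy": self.permissions,
            "content-security-policy": self.csp,
        }
        if self.production:
            # Never send HSTS from a dev server: browsers pin it for max-age seconds.
            hsts = f"max-age={self.hsts_max_age}"
            if self.include_subdomains:
                hsts += "; includeSubDomains"
            headers["strict-transport-security"] = hsts
        if path.startswith("/api/"):  # assumed definition of "API responses"
            headers["cache-control"] = "no-store, no-cache"
        return headers

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # leave websocket/lifespan scopes untouched
            await self.app(scope, receive, send)
            return
        extra = self.response_headers(scope.get("path", "/"))

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                # Drop any copies set by the app so the middleware values win.
                kept = [(k, v) for k, v in message.get("headers", [])
                        if k.decode().lower() not in extra]
                added = [(k.encode(), v.encode()) for k, v in extra.items()]
                message = {**message, "headers": kept + added}
            await send(message)

        await self.app(scope, receive, send_with_headers)


async def _plain_app(scope, receive, send):
    """Constructed inner app that sets a weaker X-Frame-Options of its own."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain"),
                            (b"x-frame-options", b"SAMEORIGIN")]})
    await send({"type": "http.response.body", "body": b"ok"})


def collect_headers(middleware, path: str) -> dict:
    """Drive the middleware with a constructed ASGI scope; return response headers."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(middleware({"type": "http", "method": "GET", "path": path}, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode(): v.decode() for k, v in start["headers"]}


if __name__ == "__main__":
    prod = SecurityHeadersMiddleware(_plain_app, hsts_max_age=63072000)
    for name, value in collect_headers(prod, "/api/v1/health").items():
        print(f"{name}: {value}")
```

The `production` gate matters because HSTS is remembered by the browser for `max-age` seconds: a development instance that sends it on plain HTTP, or with a short-lived certificate, can lock the host out of the browser for that long.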
Configuration
```python
from app.core.middleware import SecurityHeadersMiddleware

app.add_middleware(
    SecurityHeadersMiddleware,
    content_security_policy="custom CSP here",
    permissions_policy="custom permissions here",
    hsts_max_age=63072000,  # 2 years
    frame_options="SAMEORIGIN",
    include_subdomains=False,
)
```
Custom CSP for Third-Party Services
```python
custom_csp = "; ".join([
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline' https://www.google-analytics.com",
    "img-src 'self' data: https:",
    "connect-src 'self' ws: wss: https://api.external-service.com",
    "frame-ancestors 'none'",
])

app.add_middleware(SecurityHeadersMiddleware, content_security_policy=custom_csp)
```
Testing Security Headers
```bash
curl -I https://your-fastcms.com/api/v1/health
```
Online scanners:
- securityheaders.com — quick grade
- Mozilla Observatory — comprehensive analysis
With default configuration, FastCMS achieves an A grade on Security Headers scanner.
Troubleshooting
Admin UI Not Loading
Check browser console for CSP violations:
```javascript
document.addEventListener('securitypolicyviolation', (e) => {
  console.log('CSP Violation:', e.violatedDirective, e.blockedURI);
});
```
WebSocket Connection Failed
Ensure connect-src includes WebSocket protocols:
```
connect-src 'self' ws: wss:
```
External Images Not Loading
Add external domains to img-src:
```
img-src 'self' data: https: https://cdn.example.com
```
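The three troubleshooting items above, and the custom policy built for third-party services earlier, all come down to one question: does the effective directive, or its default-src fallback, contain a source that matches the blocked URL? The following is an added example, not FastCMS code, that answers it offline with a simplified CSP3 source matcher and also audits a policy for weak settings. Run against the default policy, the audit reports `'unsafe-inline'` and `'unsafe-eval'` in script-src, which remove most of CSP's protection against injected scripts, so a deployment that can drop them should. The page origin and CDN hostnames are constructed; path matching and wildcard ports are deliberately left out.

```python
# Added example, not FastCMS code: a small CSP evaluator that parses a policy,
# audits it for weak settings and answers "would this resource be allowed?".
# Origins and hostnames below are constructed sample values.
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent. frame-ancestors,
# base-uri and form-action do NOT fall back, so they must be set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "media-src", "object-src", "frame-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

DEFAULT_FASTCMS_CSP = "; ".join([      # the default policy documented above
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "font-src 'self' data:",
    "connect-src 'self' ws: wss:",
    "frame-ancestors 'none'",
    "base-uri 'self'",
    "form-action 'self'",
])


def parse_csp(policy: str) -> dict:
    """'default-src 'self'; img-src data:' -> {'default-src': ["'self'"], 'img-src': ['data:']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP3 source matching: keywords, scheme sources and host sources
    with a leading '*.' wildcard. Paths and wildcard ports are ignored."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        p = urlparse(page_origin)
        same_host = (u.hostname, _port(u)) == (p.hostname, _port(p))
        upgrade = u.scheme in ("https", "wss") and p.scheme in ("http", "https")
        return same_host and (u.scheme == p.scheme or upgrade)
    if source.startswith("'"):          # 'unsafe-inline', nonces, hashes: never URL matches
        return False
    if source == "*":
        return u.scheme in DEFAULT_PORTS
    if source.endswith(":"):            # scheme source such as https: or data:
        return u.scheme == source[:-1]
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and not (u.scheme == s.scheme or (s.scheme == "http" and u.scheme == "https")):
        return False
    if s.port is not None and s.port != _port(u):
        return False
    host, target = s.hostname or "", u.hostname or ""
    if host.startswith("*."):           # *.cdn.example matches a.cdn.example, not cdn.example
        return target.endswith(host[1:])
    return host == target


def allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would `url` be permitted under `directive` on a page served from page_origin?"""
    d = parse_csp(policy)
    sources = d.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = d.get("default-src")
    if sources is None:
        return True                     # no applicable directive: unrestricted
    return any(source_allows(s, url, page_origin) for s in sources)


def audit(policy: str) -> list:
    """Flag settings that weaken the policy; returns human-readable findings."""
    d = parse_csp(policy)
    findings = []
    scripts = d.get("script-src", d.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}")
    for required in ("default-src", "frame-ancestors", "base-uri", "form-action"):
        if required not in d:
            findings.append(f"missing {required}")
    return findings


if __name__ == "__main__":
    page = "https://your-fastcms.com"   # constructed page origin
    print(audit(DEFAULT_FASTCMS_CSP))
    print(allowed(DEFAULT_FASTCMS_CSP, "connect-src", "wss://your-fastcms.com/ws", page))
    print(allowed(DEFAULT_FASTCMS_CSP, "img-src", "https://cdn.example.com/logo.png", page))
```

Because `font-src` is absent from the default policy, it inherits `default-src 'self'`, so fonts from any other host are blocked even though `img-src` allows all of `https:`; `allowed()` shows that fallback, which is the same reasoning a browser applies before it reports a `securitypolicyviolation`.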