Added

• Middleware
  • SecureASGIMiddleware (intercepts ASGI http.response.start)
  • SecureWSGIMiddleware (wraps WSGI start_response)
  • secure.middleware re-exports both; supports multi_ok for safely appending multi-valued headers (e.g. CSP)
• Header pipeline helpers on Secure
  • allowlist_headers(...) (raise / drop / warn)
  • deduplicate_headers(...) (raise, first, last, concat) with COMMA_JOIN_OK and MULTI_OK
  • validate_and_normalize_headers(...) (RFC 7230 token validation, CR/LF hardening, optional obs-text, immutable normalized override)
• Serialization
  • header_items() for ordered (name, value) output without enforcing uniqueness
• Constants / policies
  • MULTI_OK, COMMA_JOIN_OK, DEFAULT_ALLOWED_HEADERS
  • OnInvalidPolicy, OnUnexpectedPolicy, DeduplicateAction
• Expanded header coverage
  • Cross-Origin-Resource-Policy
  • X-DNS-Prefetch-Control
  • X-Permitted-Cross-Domain-Policies
• Project & CI
  • CODE_OF_CONDUCT.md, CONTRIBUTING.md
  • GitHub Actions for multi-version tests + Ruff

Changed

• Docs/README overhaul
  • Middleware usage + multi_ok semantics
  • Clear preset guidance (BALANCED / BASIC / STRICT) and documented default header set
  • New “header pipeline and validation” section (allowlist → dedupe → normalize)
  • New error handling/logging guidance (HeaderSetError, AttributeError, RuntimeError, pipeline ValueError)
  • Supported frameworks list expanded (now includes Dash and Shiny)
  • Attribution to MDN and the OWASP Secure Headers Project
• Presets behavior
  • BASIC adds Origin-Agent-Cluster, X-Download-Options, X-XSS-Protection: 0 for Helmet-parity
• Response integration
  • More robust sync/async detection
  • Supports response.headers.set(...) (Werkzeug-style)
  • Failures while applying headers are wrapped in HeaderSetError
• Packaging/tooling
  • pyproject.toml modernized (metadata cleanup, setuptools floor bump, Ruff configuration)

Testing

• Expanded unit and contract tests, including improved coverage for sync/async response integration paths.

Upgrade notes

• If you were relying on the previous with_default_headers() behavior, review the new presets and choose:
  • Preset.BALANCED (default, recommended)
  • Preset.BASIC (Helmet-parity compatibility)
  • Preset.STRICT (hardened; no preload by default)
• If your app needs multi-valued headers, prefer header_items() and/or configure middleware multi_ok.

See the migration guide: docs/migration.md.

What's Changed

• feat: CI for unit tests + explicit Python 3.13 & 3.14 support by @BoboTiG in https://github.com/TypeError/secure/pull/39
• secure v2.0.0rc1: presets redesign, ASGI/WSGI middleware, and header updates by @cak in https://github.com/TypeError/secure/pull/40

New Contributors

• @BoboTiG made their first contribution in https://github.com/TypeError/secure/pull/39

Full Changelog: https://github.com/TypeError/secure/compare/v1.0.1...v2.0.0rc1