Lack of Allowlisting for Header Names in `Secure` Class

### Description
The `Secure` class currently sets any provided headers from `self.headers_list` without validating against an allowlist of expected security headers.

This design choice allows potentially compromised or buggy custom headers (injected via the `custom` list) to be blindly added to the HTTP response, which could lead to misconfigurations or security policy bypasses.

### Affected Code
- `return {header.header_name: header.header_value for header in self.headers_list}` — **Line 223**

### Recommendation
- Validate header names before setting, ensuring they belong to a predefined and expected set (e.g., `Cache-Control`, `Content-Security-Policy`, `Strict-Transport-Security`, etc.).
- Alternatively, introduce an optional `strict=True` mode to the `Secure` class:
  - When enabled, it would enforce allowlisted headers only.
  - When disabled, it would preserve backward compatibility for custom headers.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Lack of Allowlisting for Header Names in `Secure` Class #35

Description

Affected Code

Recommendation

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Lack of Allowlisting for Header Names in Secure Class #35

Description

Description

Affected Code

Recommendation

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Lack of Allowlisting for Header Names in `Secure` Class #35