The first stable v2 release is 2.0.1. Skip 2.0.0.
If your application already uses Secure to set headers on responses, the upgrade should be straightforward. Most changes are about preset names, package-level imports, and clearer sync versus async integration.
- `Secure` is still the main entry point.
- Header builders such as `ContentSecurityPolicy` and `StrictTransportSecurity` are still the way to define custom policies.
- `set_headers(response)` is still the sync path for supported response objects.

- Import from the package root: `from secure import Secure, Preset, ContentSecurityPolicy`.
- `Secure.with_default_headers()` now means `Secure.from_preset(Preset.BALANCED)`.
- Presets are now `Preset.BALANCED`, `Preset.BASIC`, and `Preset.STRICT`.
- `set_headers_async(response)` is available for async integrations and async response setters.
- `secure.middleware` exposes `SecureWSGIMiddleware` and `SecureASGIMiddleware` for app-wide integration.

- `Preset.MODERN` is gone. Replace it with `Preset.BALANCED` or `Preset.STRICT`, depending on what you wanted.
- The default profile is now `BALANCED`, which intentionally omits `Cache-Control` and the legacy compatibility headers from `BASIC`.
- `Preset.STRICT` no longer enables HSTS preload by default. Add `.preload()` yourself if you rely on that behavior.
- `set_headers()` is sync-only. If your response object only supports async setters, switch to `await set_headers_async(response)`.
- If you set the `Server` header, disable framework or server defaults such as Uvicorn's `Server: uvicorn` to avoid duplicates.

If you previously relied on the default helpers, this is usually enough:
```python
from secure import Secure

secure_headers = Secure.with_default_headers()
# `response` is your framework's response object
secure_headers.set_headers(response)
```

If you want the new preset API explicitly:

```python
from secure import Preset, Secure

secure_headers = Secure.from_preset(Preset.BALANCED)
```

If your old code expected stricter defaults, review `Preset.STRICT` before switching. The main things to check are CSP behavior, caching, framing, and HSTS preload.
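
A post-upgrade check for the caveats above (duplicate `Server`, HSTS without `preload`, no `Cache-Control`), written as an added example that is not part of the Secure project. The function name, finding codes, and header values are constructed for illustration; feed it the headers your app actually emits.

```python
def audit_migration(headers):
    """Flag the v2 migration caveats in a response's wire-level headers.

    headers: list of (name, value) tuples with duplicates preserved,
    as captured from a test client. Returns sorted finding codes.
    """
    seen = {}
    for name, value in headers:
        # Header names are case-insensitive; keep every value to spot duplicates.
        seen.setdefault(name.lower(), []).append(value)

    findings = []
    # App-set Server plus a framework/server default yields two Server headers.
    if len(seen.get("server", [])) > 1:
        findings.append("duplicate-server")
    # BALANCED intentionally omits Cache-Control; flag it so you can decide.
    if "cache-control" not in seen:
        findings.append("no-cache-control")

    hsts = seen.get("strict-transport-security")
    if not hsts:
        findings.append("no-hsts")
    else:
        # Browsers honor the first HSTS header; directive names ignore case.
        directives = {p.split("=", 1)[0].strip().lower() for p in hsts[0].split(";")}
        if "preload" not in directives:
            findings.append("hsts-no-preload")
    return sorted(findings)


# Constructed sample: the server adds its own Server header, HSTS has no
# preload directive, and no Cache-Control header is sent.
AFTER_UPGRADE = [
    ("server", "uvicorn"),
    ("Server", ""),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
]
# Constructed sample: the same response after addressing each caveat.
FIXED = [
    ("Server", ""),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Cache-Control", "no-store"),
    ("X-Content-Type-Options", "nosniff"),
]

if __name__ == "__main__":
    print("after upgrade:", audit_migration(AFTER_UPGRADE))
    print("fixed:", audit_migration(FIXED))
```
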