SecurityConfig
SecurityConfig provides centralized security settings for all SignalWire
services. It loads settings from environment variables and optional config files,
handling SSL/TLS, CORS, host allowlists, rate limiting, HSTS, and basic
authentication credentials.
A global default instance is available at signalwire.core.security_config.security_config
for backward compatibility. Services can create their own instances with
service-specific config files.
Properties
ssl_enabled
Whether HTTPS is enabled.
ssl_cert_path
Path to the SSL certificate file. Required when ssl_enabled is True.
ssl_key_path
Path to the SSL private key file. Required when ssl_enabled is True.
domain
Domain name for SSL certificates and URL generation.
ssl_verify_mode
SSL certificate verification mode.
allowed_hosts
List of allowed hostnames. ["*"] accepts all hosts.
cors_origins
List of allowed CORS origins. ["*"] accepts all origins.
max_request_size
Maximum request body size in bytes (default 10 MB).
rate_limit
Rate limit in requests per minute.
request_timeout
Request timeout in seconds.
use_hsts
Enable HTTP Strict Transport Security when serving over HTTPS.
hsts_max_age
HSTS max-age in seconds (default 1 year).
basic_auth_user
Basic auth username. Defaults to "signalwire" when accessed via get_basic_auth().
basic_auth_password
Basic auth password. Auto-generated if not set when accessed via get_basic_auth().
Methods
Get basic authentication credentials, generating a password if not set.
Get CORS configuration suitable for FastAPI’s CORSMiddleware.
Get security headers to add to HTTP responses.
Get SSL parameters suitable for passing to uvicorn.
Get the URL scheme based on SSL configuration.
Reload all settings from environment variables.
Log the current security configuration for debugging.
Check if a host is in the allowed hosts list.
Validate that SSL configuration is complete and certificate files exist.
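The following is an added example, not code from the SignalWire SDK or from the original page. It audits a plain dict keyed by the property names documented above and flags wildcard allowlists, incomplete SSL settings, HSTS left off under HTTPS, and an unset basic auth password. The function name, the dict form, the injectable file check, and the sample values are assumptions made for illustration.

```python
import os

# Constructed sample settings, keyed by the property names documented above.
WEAK = {
    "ssl_enabled": False,
    "allowed_hosts": ["*"],
    "cors_origins": ["*"],
    "basic_auth_password": None,
}
HARDENED = {
    "ssl_enabled": True,
    "ssl_cert_path": "/etc/ssl/example/fullchain.pem",  # placeholder path
    "ssl_key_path": "/etc/ssl/example/privkey.pem",     # placeholder path
    "use_hsts": True,
    "allowed_hosts": ["agents.example.com"],
    "cors_origins": ["https://app.example.com"],
    "basic_auth_password": "set-from-a-secret-store",   # placeholder value
}


def audit_security_settings(cfg, file_exists=os.path.isfile):
    """Return (property, finding) pairs for settings a reviewer should question."""
    findings = []
    if cfg.get("ssl_enabled"):
        for key in ("ssl_cert_path", "ssl_key_path"):
            path = cfg.get(key)
            if not path:
                findings.append((key, "required when ssl_enabled is True"))
            elif not file_exists(path):
                findings.append((key, f"file not found: {path}"))
        if not cfg.get("use_hsts"):
            findings.append(("use_hsts", "HSTS is off while serving over HTTPS"))
    else:
        findings.append(("ssl_enabled", "this process serves plain HTTP"))
    for key in ("allowed_hosts", "cors_origins"):
        if "*" in (cfg.get(key) or []):
            findings.append((key, 'contains "*", so every value is accepted'))
    if not cfg.get("basic_auth_password"):
        findings.append(("basic_auth_password", "unset, so one is auto-generated on access"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        # Placeholder paths do not exist locally, so stub the file check here.
        for prop, msg in audit_security_settings(cfg, file_exists=lambda p: True):
            print(f"{name}: {prop}: {msg}")
```

Run it in CI against the settings a deployment will actually load, leaving file_exists at its default so missing certificate or key files are reported.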