***

title: SecurityConfig
slug: /reference/python/agents/configuration/security-config
description: Unified security configuration for SSL, CORS, host allowlists, and rate limiting.
max-toc-depth: 3
---------------------

For a complete index of all SignalWire documentation pages, fetch https://signalwire.com/docs/llms.txt

[getbasicauth]: /docs/server-sdks/reference/python/agents/configuration/security-config/get-basic-auth

[getcorsconfig]: /docs/server-sdks/reference/python/agents/configuration/security-config/get-cors-config

[getsecurityheaders]: /docs/server-sdks/reference/python/agents/configuration/security-config/get-security-headers

[getsslcontextkwargs]: /docs/server-sdks/reference/python/agents/configuration/security-config/get-ssl-context-kwargs

[geturlscheme]: /docs/server-sdks/reference/python/agents/configuration/security-config/get-url-scheme

[loadfromenv]: /docs/server-sdks/reference/python/agents/configuration/security-config/load-from-env

[logconfig]: /docs/server-sdks/reference/python/agents/configuration/security-config/log-config

[shouldallowhost]: /docs/server-sdks/reference/python/agents/configuration/security-config/should-allow-host

[validatesslconfig]: /docs/server-sdks/reference/python/agents/configuration/security-config/validate-ssl-config

`SecurityConfig` provides centralized security settings for all SignalWire
services. It loads settings from environment variables and optional config files,
handling SSL/TLS, CORS, host allowlists, rate limiting, HSTS, and basic
authentication credentials.

```python
from signalwire.core.security_config import SecurityConfig
```

A global default instance is available at `signalwire.core.security_config.security_config`
for backward compatibility. Services can create their own instances with
service-specific config files.

## **Properties**

<ParamField path="ssl_enabled" type="bool" default="false" toc={true}>
  Whether HTTPS is enabled.
</ParamField>

<ParamField path="ssl_cert_path" type="Optional[str]" toc={true}>
  Path to the SSL certificate file. Required when `ssl_enabled` is `True`.
</ParamField>

<ParamField path="ssl_key_path" type="Optional[str]" toc={true}>
  Path to the SSL private key file. Required when `ssl_enabled` is `True`.
</ParamField>

<ParamField path="domain" type="Optional[str]" toc={true}>
  Domain name for SSL certificates and URL generation.
</ParamField>

<ParamField path="ssl_verify_mode" type="str" default="CERT_REQUIRED" toc={true}>
  SSL certificate verification mode.
</ParamField>

<ParamField path="allowed_hosts" type="list[str]" default="[&#x22;*&#x22;]" toc={true}>
  List of allowed hostnames. `["*"]` accepts all hosts.
</ParamField>

<ParamField path="cors_origins" type="list[str]" default="[&#x22;*&#x22;]" toc={true}>
  List of allowed CORS origins. `["*"]` accepts all origins.
</ParamField>

<ParamField path="max_request_size" type="int" default="10485760" toc={true}>
  Maximum request body size in bytes (default 10 MB).
</ParamField>

<ParamField path="rate_limit" type="int" default="60" toc={true}>
  Rate limit in requests per minute.
</ParamField>

<ParamField path="request_timeout" type="int" default="30" toc={true}>
  Request timeout in seconds.
</ParamField>

<ParamField path="use_hsts" type="bool" default="true" toc={true}>
  Enable HTTP Strict Transport Security when serving over HTTPS.
</ParamField>

<ParamField path="hsts_max_age" type="int" default="31536000" toc={true}>
  HSTS `max-age` in seconds (default 1 year).
</ParamField>

<ParamField path="basic_auth_user" type="Optional[str]" toc={true}>
  Basic auth username. Defaults to `"signalwire"` when accessed via `get_basic_auth()`.
</ParamField>

<ParamField path="basic_auth_password" type="Optional[str]" toc={true}>
  Basic auth password. Auto-generated if not set when accessed via `get_basic_auth()`.
</ParamField>

## **Methods**

<CardGroup cols={3}>
  <Card title="get_basic_auth" href="/docs/server-sdks/reference/python/agents/configuration/security-config/get-basic-auth">
    Get basic authentication credentials, generating a password if not set.
  </Card>

  <Card title="get_cors_config" href="/docs/server-sdks/reference/python/agents/configuration/security-config/get-cors-config">
    Get CORS configuration suitable for FastAPI's CORSMiddleware.
  </Card>

  <Card title="get_security_headers" href="/docs/server-sdks/reference/python/agents/configuration/security-config/get-security-headers">
    Get security headers to add to HTTP responses.
  </Card>

  <Card title="get_ssl_context_kwargs" href="/docs/server-sdks/reference/python/agents/configuration/security-config/get-ssl-context-kwargs">
    Get SSL parameters suitable for passing to uvicorn.
  </Card>

  <Card title="get_url_scheme" href="/docs/server-sdks/reference/python/agents/configuration/security-config/get-url-scheme">
    Get the URL scheme based on SSL configuration.
  </Card>

  <Card title="load_from_env" href="/docs/server-sdks/reference/python/agents/configuration/security-config/load-from-env">
    Reload all settings from environment variables.
  </Card>

  <Card title="log_config" href="/docs/server-sdks/reference/python/agents/configuration/security-config/log-config">
    Log the current security configuration for debugging.
  </Card>

  <Card title="should_allow_host" href="/docs/server-sdks/reference/python/agents/configuration/security-config/should-allow-host">
    Check if a host is in the allowed hosts list.
  </Card>

  <Card title="validate_ssl_config" href="/docs/server-sdks/reference/python/agents/configuration/security-config/validate-ssl-config">
    Validate that SSL configuration is complete and certificate files exist.
  </Card>
</CardGroup>

## **Example**

```python {4,8,11}
from signalwire.core.security_config import SecurityConfig

# Auto-discover config file
security = SecurityConfig()
print(f"SSL: {security.ssl_enabled}, HSTS: {security.use_hsts}")

# Explicit config file
security = SecurityConfig(config_file="/etc/myapp/config.json")

# Service-specific config
security = SecurityConfig(service_name="mcp")
```