Using ASGI middleware to keep security headers consistent across services

[cak]

One thing I’ve run into across ASGI services is how easy it is for HTTP security headers to diverge over time.

Different apps, slightly different middleware, small CSP changes that never get reconciled.

What’s been working better is treating headers as a policy that lives outside the app, and applying it once at the ASGI layer:

from secure import Secure
from secure.middleware import SecureASGIMiddleware
from starlette.applications import Starlette

secure_headers = Secure.with_default_headers()

app = Starlette()
app.add_middleware(SecureASGIMiddleware, secure=secure_headers)

The benefit is less about Starlette itself and more about the ASGI boundary:

• same policy works across Starlette, FastAPI, and other ASGI apps
• avoids per-route or per-endpoint drift
• makes header behavior explicit and portable

This has been especially useful in environments with multiple small services rather than one large app.

If useful, I put the pattern into a small library:
https://github.com/TypeError/secure

Interested if others are handling this at the ASGI layer or pushing it down into app logic.