# Auth Hardening

URL: /docs/guides/auth-hardening/
Section: guides
Tags: auth, security, hardening

--------------------------------------------------------------------------------

Production Checklist Use this checklist before shipping paid or user-data-heavy applications. 1) Session and Cookies Set a strong CHIRP_SECRET_KEY from environment. Use SessionConfig(secure=True, httponly=True, samesite=&quot;lax&quot;) in production. Enable idle_timeout_seconds and absolute_timeout_seconds for session lifecycle control. Use AuthConfig(session_version=...) to invalidate stale sessions after password reset/account events. 2) CSRF and Forms Register middleware in order: SessionMiddleware AuthMiddleware CSRFMiddleware Include &#123;&#123; csrf_field() &#125;&#125; in all unsafe forms. Keep CSRFMiddleware enabled for cookie-authenticated routes. 3) Authorization Use @login_required and @requires(...) for route-level checks. Add policy= callbacks for object-level ownership checks. Return 403 for unauthorized resources without leaking policy details. 4) Abuse Protection Add AuthRateLimitMiddleware for login/reset endpoints. Add lockout/backoff with LoginLockout in login handlers. Monitor repeated failures and blocked attempts with audit events. 5) Browser Security Headers Enable SecurityHeadersMiddleware. Configure a strict Content-Security-Policy. Configure Strict-Transport-Security when serving over HTTPS. Keep X-Frame-Options, X-Content-Type-Options, and Referrer-Policy defaults unless you have a reason to change them. 6) Password and Secrets Prefer argon2 (pip install bengal-chirp[auth]) in production. Use password reset and session version rotation on credential changes. Never commit secrets; rotate periodically. 7) Audit and Operations Register a sink via set_security_event_sink(...). Alert on spikes in: auth.token.invalid csrf.reject.* authz.permission.denied Keep backups and incident runbooks for account takeover response. Minimal Hardened Setup from chirp.middleware import ( AuthRateLimitConfig, AuthRateLimitMiddleware, CSRFMiddleware, SecurityHeadersConfig, SecurityHeadersMiddleware, SessionConfig, SessionMiddleware, ) app.add_middleware( SessionMiddleware( SessionConfig( secret_key=secret, secure=True, httponly=True, samesite=&quot;lax&quot;, idle_timeout_seconds=1800, absolute_timeout_seconds=86400, ) ) ) app.add_middleware(AuthRateLimitMiddleware(AuthRateLimitConfig(paths=(&quot;/login&quot;, &quot;/password-reset&quot;)))) app.add_middleware(CSRFMiddleware()) app.add_middleware( SecurityHeadersMiddleware( SecurityHeadersConfig( content_security_policy=&quot;default-src &#x27;self&#x27;; frame-ancestors &#x27;none&#x27;; object-src &#x27;none&#x27;&quot;, strict_transport_security=&quot;max-age=63072000; includeSubDomains&quot;, ) ) )

--------------------------------------------------------------------------------

Metadata:
- Word Count: 244
- Reading Time: 1 minutes