Fix Security Misconfiguration in CherryPy
CherryPy's minimalist nature is its greatest weakness in production. By default, it prioritizes ease of development over security, often shipping with verbose error reporting and permissive session handling. A misconfigured CherryPy instance leaks server internals via tracebacks and leaves session cookies vulnerable to interception or script-based theft. Hardening requires a manual override of the global configuration and the application-specific toolset to enforce a 'deny-by-default' security posture.
The Vulnerable Pattern
import cherrypyclass App: @cherrypy.expose def index(self): return “Vulnerable Instance”
DANGEROUS: Tracebacks enabled, no session security, no headers
conf = { ’/’: { ‘tools.sessions.on’: True, ‘server.show_tracebacks’: True } }
if name == ‘main’: cherrypy.quickstart(App(), ’/’, conf)
The Secure Implementation
The hardening process targets three vectors: 1. Information Disclosure: Setting 'server.show_tracebacks' to False prevents the engine from dumping Python stack traces to the user on 500 errors. 2. Session Hijacking: Enabling 'httponly' prevents JavaScript from accessing the session cookie (mitigating XSS impact), while 'secure' ensures cookies are only transmitted over HTTPS. 3. Protocol Hardening: We use 'tools.response_headers' to inject mandatory security headers like CSP to prevent unauthorized script execution and HSTS to enforce encrypted connections for the next year.
import cherrypyclass App: @cherrypy.expose def index(self): return “Hardened Instance”
SECURE: Disable info leakage and enforce cookie/header security
cherrypy.config.update({ ‘server.show_tracebacks’: False, ‘server.show_screen_errors’: False, ‘response.headers.server’: ‘Web-Server’ # Obfuscate version })
conf = { ’/’: { ‘tools.sessions.on’: True, ‘tools.sessions.httponly’: True, ‘tools.sessions.secure’: True, ‘tools.sessions.timeout’: 60, ‘tools.response_headers.on’: True, ‘tools.response_headers.headers’: [ (‘Content-Security-Policy’, “default-src ‘self’”), (‘X-Frame-Options’, ‘DENY’), (‘X-Content-Type-Options’, ‘nosniff’), (‘Strict-Transport-Security’, ‘max-age=31536000; includeSubDomains’) ] } }
if name == ‘main’: cherrypy.quickstart(App(), ’/’, conf)
Your CherryPy API
might be exposed to Security Misconfiguration
74% of CherryPy apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.