
Zodiac Headers


A Zodiac extension for adding secure HTTP headers to your application.

Installation

com.github.brettatoms/zodiac-headers {:mvn/version "0.1.0"}

Quick Start

(ns myapp
  (:require [zodiac.core :as z]
            [zodiac.ext.headers :as headers]))

(def routes
  ["/" {:get (fn [_] {:status 200 :body "Hello!"})}])

;; Uses the 'web' preset by default
(z/start {:routes routes
          :extensions [(headers/init)]})

Presets

Five presets are provided based on OWASP recommendations:

web (default)

Standard web application headers:

(headers/init {:headers headers/web})

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Content-Security-Policy: default-src 'self'
  • Permissions-Policy: geolocation=(), camera=(), microphone=()
  • Cross-Origin-Opener-Policy: same-origin

secure-web

Web headers + HSTS for HTTPS:

(headers/init {:headers headers/secure-web})

Adds: Strict-Transport-Security: max-age=63072000; includeSubDomains

api

Minimal headers for JSON APIs:

(headers/init {:headers headers/api})

  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin

secure-api

API headers + HSTS:

(headers/init {:headers headers/secure-api})

strict

Maximum security headers:

(headers/init {:headers headers/strict})

Includes all security headers plus header removal (Server, X-Powered-By).

Customization

Presets are just maps. Use standard Clojure functions to customize:

Add a header

(headers/init {:headers (assoc headers/web
                               :strict-transport-security "max-age=31536000")})

Remove a header

(headers/init {:headers (dissoc headers/web :x-frame-options)})

Override a header value

(headers/init {:headers (assoc headers/web
                               :x-frame-options "SAMEORIGIN")})

Merge presets

(headers/init {:headers (merge headers/api
                               {:content-security-policy "default-src 'none'"})})

Build from scratch

(headers/init {:headers {:x-content-type-options "nosniff"
                         :referrer-policy "no-referrer"}})

Remove server headers

Use :remove as the value to strip headers from responses:

(headers/init {:headers {:x-content-type-options "nosniff"
                         :server :remove
                         :x-powered-by :remove}})

Security Notes

  • Content-Security-Policy: The default policy, default-src 'self', is only a starting point; most apps need to customize it.
  • HSTS: Only use secure-web or secure-api if your site is fully HTTPS. HSTS can break local development.
  • X-Frame-Options: Set to DENY by default. Use SAMEORIGIN if you need to embed your app in iframes on the same domain.
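Putting the customization section and the security notes together, as an added example that is not part of this README or the library: the preset map and the apply-headers function below are constructed stand-ins so the snippet runs without the extension on the classpath, and the keyword-to-header-name convention is an assumption.

```clojure
(ns myapp.headers-example
  (:require [clojure.string :as str]))

;; Constructed mirror of the `web` preset listed above, so the example runs
;; without the library on the classpath. It is not the library's own definition.
(def web-preset
  {:x-content-type-options "nosniff"
   :x-frame-options "DENY"
   :referrer-policy "strict-origin-when-cross-origin"
   :content-security-policy "default-src 'self'"
   :permissions-policy "geolocation=(), camera=(), microphone=()"
   :cross-origin-opener-policy "same-origin"})

(defn header-name
  "Assumed naming convention: :x-frame-options -> \"X-Frame-Options\"."
  [k]
  (->> (str/split (name k) #"-")
       (map str/capitalize)
       (str/join "-")))

(defn apply-headers
  "Hypothetical stand-in for what the extension does to a Ring response:
   string values are set, :remove deletes the header if present."
  [headers response]
  (reduce-kv (fn [resp k v]
               (let [h (header-name k)]
                 (if (= v :remove)
                   (update resp :headers dissoc h)
                   (assoc-in resp [:headers h] v))))
             response
             headers))

(defn headers-for-env
  "HSTS only when the deployment is fully HTTPS (see the HSTS note above),
   a tighter CSP than the preset default, and fingerprinting headers removed."
  [{:keys [https?]}]
  (cond-> (assoc web-preset
                 :content-security-policy
                 "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"
                 :server :remove
                 :x-powered-by :remove)
    https? (assoc :strict-transport-security "max-age=63072000; includeSubDomains")))

(comment
  ;; Constructed response: the Server header below is removed, no HSTS is added
  ;; because https? is false, and the tightened CSP replaces the preset value.
  (apply-headers (headers-for-env {:https? false})
                 {:status 200
                  :headers {"Server" "example-server" "Content-Type" "text/html"}
                  :body "Hello!"}))
```

Real servers and middleware often lowercase response header names, so a production version of the :remove branch should match header names case-insensitively rather than by the exact spelling produced here.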

License

MIT License - see LICENSE
