Ring middleware to add [CSP] header in response.

[CSP]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Default value of the CSP report URI.
(wrap-csp handler {:keys [policy report-only random-nonce-fn report-callback]})
Adds the [CSP] header to the ring response. If the header uses a nonce then the `:csp-nonce` key is added to the ring request so that the same nonce can be used in the response body (for example on `<script nonce="...">` elements).

[CSP]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Configuration params:

- `:policy` – a map of directive names (string, keyword) and directive values (string, keyword, collection of strings and keywords)
  + The `:nonce` keyword in directive values represents the nonce placeholder; it is rendered as `'nonce-<value>'` with a fresh value for every request.
- `:report-only` – optional boolean flag; when true the report-only CSP header name (`Content-Security-Policy-Report-Only`) is used instead of `Content-Security-Policy`, so violations are reported but not enforced.
- `:random-nonce-fn` – optional 0-arity function to generate the nonce for every request.
- `:report-callback` – a function `(fn callback [request] ...)` to handle the `report-uri` directive.
  + When present, the handler is wrapped with [[wrap-report-uri]].
  + If the policy map does not have a `report-uri` directive then it is added with the default value "/csp-report".

Static header example:

(def -handler (-> (fn [_] {}) (wrap-csp {:policy {:default-src :none}})))
(-handler {})
:=> {:headers {"Content-Security-Policy" "default-src 'none'"}}

Example header with nonce:

(def -handler (-> (fn [_] {}) (wrap-csp {:policy {:script-src :nonce}})))
(-handler {})
:=> {:headers {"Content-Security-Policy" "script-src 'nonce-k6JADK2qxoFO4bfKnZI0vyZv'"}}
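The examples above only show the header. What a practitioner wants to see is the nonce round trip: the value `wrap-csp` puts in the `Content-Security-Policy` header must be the same value the handler stamps on its inline `<script>` element, otherwise the script is blocked. The block below is an added example, not code from the library or its documentation. It assumes `wrap-csp` has been referred into the namespace (the library's namespace name is not shown on this page), assumes the `:self` keyword is rendered as `'self'` by analogy with the documented `:none` → `'none'` rendering, and the names `secure-nonce`, `page-handler`, `log-csp-report`, `policy`, `app` and `nonce-consistent?` are the example's own.

```clojure
(ns example.csp-nonce
  (:require [clojure.java.io :as io])
  (:import [java.security SecureRandom]
           [java.util Base64]))

;; Assumed: (:require [<library-namespace> :refer [wrap-csp]]) -- the namespace
;; is not shown on the documentation page, so it is omitted here.

(def ^SecureRandom rng (SecureRandom.))   ; SecureRandom is thread-safe; share one instance

(defn secure-nonce
  "Custom :random-nonce-fn: 128 bits from a CSPRNG, base64-encoded.
   A nonce only protects against injected scripts if it is unguessable
   and never reused across responses."
  []
  (let [buf (byte-array 16)]
    (.nextBytes rng buf)
    (.encodeToString (Base64/getEncoder) buf)))

(defn page-handler
  "Reads the per-request nonce that wrap-csp placed under :csp-nonce in the
   request and stamps it on the inline script. The second script deliberately
   carries no nonce, so a browser enforcing the policy blocks it."
  [request]
  (let [nonce (:csp-nonce request)]
    {:status 200
     :headers {"Content-Type" "text/html; charset=utf-8"}
     :body (str "<!doctype html><html><body>"
                "<script nonce=\"" nonce "\">console.log('allowed');</script>"
                "<script>console.log('blocked: no nonce');</script>"
                "</body></html>")}))

(defn log-csp-report
  "Report callback. The JSON report is only available on the :body stream,
   so it must be read here; the return value is ignored by the middleware."
  [request]
  (println "CSP violation from" (:remote-addr request) ":" (slurp (:body request))))

(def policy
  ;; A restrictive baseline: everything denied unless allowed per directive.
  {:default-src    :none
   :script-src     :nonce          ; rendered as 'nonce-<fresh value>' per request
   :style-src      :self           ; assumed to render as 'self'
   :img-src        [:self "data:"]
   :object-src     :none
   :base-uri       :self
   :form-action    :self
   :frame-ancestors :none})

(def app
  (-> page-handler
      (wrap-csp {:policy          policy
                 :random-nonce-fn secure-nonce
                 ;; :report-callback makes wrap-csp add report-uri "/csp-report"
                 ;; to the policy and wrap the handler with wrap-report-uri.
                 :report-callback log-csp-report})))

(defn nonce-consistent?
  "Self-check for the round trip: the nonce in the CSP header must equal the
   nonce used on the <script> element in the body. Checks the enforcing
   header name; with :report-only true the header would be
   Content-Security-Policy-Report-Only instead."
  [{:keys [headers body]}]
  (let [[_ header-nonce] (re-find #"'nonce-([^']+)'"
                                  (get headers "Content-Security-Policy" ""))
        [_ body-nonce]   (re-find #"<script nonce=\"([^\"]+)\"" (or body ""))]
    (and (some? header-nonce) (= header-nonce body-nonce))))

(comment
  ;; Ordinary page request: the header and the body carry the same nonce.
  (nonce-consistent? (app {:request-method :get :uri "/"}))

  ;; Constructed violation report as a browser would POST it to /csp-report;
  ;; wrap-report-uri invokes log-csp-report and answers {:status 200}.
  (app {:request-method :post
        :uri "/csp-report"
        :remote-addr "203.0.113.10"
        :body (io/input-stream
               (.getBytes "{\"csp-report\":{\"violated-directive\":\"script-src\"}}" "UTF-8"))}))
```

Two things to keep in mind when adapting this. The nonce is only as strong as `:random-nonce-fn`: a predictable or reused value lets an attacker who can inject markup also inject a matching `nonce` attribute. And because the report endpoint is wrapped around the whole handler and always answers `{:status 200}`, anything the callback does (logging, metrics) is exposed to unauthenticated POSTs from any origin, so treat the report body as untrusted input.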
(wrap-report-uri handler {:keys [report-callback report-uri]})
Handles the CSP report URI and invokes the `:report-callback` function with the ring request as its argument. Responds with `{:status 200}`. Used by [[wrap-csp]] when the `:report-callback` option is defined.

Configuration params:

- `:report-callback` – a function `(fn callback [request] ...)`.
  + Required.
  + Invoked when the request `:uri` is the report URI.
  + The callback should read the CSP report JSON from the request `:body` stream itself.
  + The return value is ignored.
- `:report-uri` – a string with the request `:uri` to match.
  + The exact value is matched.
  + Default value is "/csp-report".
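Because the middleware matches only the `:uri` and answers `{:status 200}` no matter what the callback does, the callback itself is where a practitioner has to defend the endpoint: it is reachable by any unauthenticated client, and it receives the raw `:body` stream. The block below is an added example of using `wrap-report-uri` directly with a defensive callback; it is not code from the library. It assumes `wrap-report-uri` has been referred into the namespace (the namespace name is not shown on this page); `max-report-bytes`, `read-bounded`, `report-callback` and `app` are names chosen for the example, and the 8 KiB cap and the accepted content types are the example's own choices.

```clojure
(ns example.csp-report
  (:require [clojure.java.io :as io]
            [clojure.string :as str])
  (:import [java.io InputStream ByteArrayOutputStream]))

;; Assumed: (:require [<library-namespace> :refer [wrap-report-uri]]) -- the
;; namespace is not shown on the documentation page, so it is omitted here.

(def max-report-bytes 8192)   ; example cap: real browser CSP reports are small JSON objects

(defn read-bounded
  "Read at most `limit` bytes from `in` and return them as a UTF-8 string.
   Returns nil if the body is larger than `limit`, so an attacker cannot make
   the callback buffer an arbitrarily large POST."
  [^InputStream in limit]
  (let [out (ByteArrayOutputStream.)
        buf (byte-array 1024)]
    (loop [total 0]
      (let [n (.read in buf)]
        (cond
          (neg? n)             (String. (.toByteArray out) "UTF-8")
          (> (+ total n) limit) nil
          :else                 (do (.write out buf 0 n)
                                    (recur (+ total n))))))))

(defn report-callback
  "Only act on POSTs carrying a CSP-report media type; read the body with a
   size cap; never trust the content. The middleware ignores the return value
   and responds 200 either way, so all policy lives here."
  [{:keys [request-method headers body]}]
  (let [ctype (get headers "content-type" "")]   ; ring lower-cases header names
    (if (and (= :post request-method)
             (or (str/starts-with? ctype "application/csp-report")
                 (str/starts-with? ctype "application/json")))
      (if-let [report (some-> body (read-bounded max-report-bytes))]
        (println "CSP report accepted:" report)
        (println "CSP report dropped: body missing or larger than" max-report-bytes "bytes"))
      (println "CSP report ignored: method" request-method "content-type" ctype))))

(def app
  (-> (fn [_] {:status 404 :body "not found"})   ; application routes would go here
      ;; The matched :uri must be exactly the value in the report-uri directive
      ;; of the policy that browsers receive. The page only documents the
      ;; default "/csp-report" when wrap-csp installs this middleware itself,
      ;; so for a custom path both sides are set explicitly here.
      (wrap-report-uri {:report-callback report-callback
                        :report-uri      "/_csp/report"})))

(comment
  ;; Constructed request in the shape a browser sends; answered with {:status 200}.
  (app {:request-method :post
        :uri "/_csp/report"
        :headers {"content-type" "application/csp-report"}
        :body (io/input-stream
               (.getBytes "{\"csp-report\":{\"violated-directive\":\"script-src\"}}" "UTF-8"))})

  ;; Exact match only: a trailing slash is a different :uri and falls through
  ;; to the wrapped handler (404 here).
  (app {:request-method :post :uri "/_csp/report/"})

  ;; A GET to the report URI still gets {:status 200} from the middleware; the
  ;; callback is what decides to ignore it.
  (app {:request-method :get :uri "/_csp/report"}))
```

If the same path is also used in a `wrap-csp` policy, keep the `report-uri` directive value and the `:report-uri` option identical, including leading slash and case, since only an exact match routes the request to the callback.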