
strojure.web-security.csp

Content Security Policy (CSP).

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.

header-name (clj)

(header-name)
(header-name report-only)

Returns the CSP header name: the normal one, or the report-only one if `report-only` is true.
Without an argument returns the normal header name.

header-value-fn (clj)

(header-value-fn policy)

The returned function takes a `policy` map and returns a content policy
header value. If the policy map contains `:nonce` in directive values, the
returned function is a 1-arity function `(fn [nonce] policy-header)`,
otherwise it is a 0-arity function.

The keys in the policy map represent directive names, and can be:

- a string, which is taken as is
- a keyword, which is converted to a string using `name`
- any other type which implements `as-directive-name` of the [[csp-impl/PolicyRender]]
  protocol

The values in the policy map represent directive values, and can be:

- a string, which is taken as is
- a keyword
    - the special `:nonce` keyword is a placeholder for the value of the nonce
    - other keywords are converted to a single-quoted string using `name`
- a collection, whose elements are rendered as directive values and
  separated with a space
- any other type which implements `write-directive-value` of the
  [[csp-impl/PolicyRender]] protocol

Example:

    (def nonce-policy
      (csp/header-value-fn {"script-src" :nonce
                            "img-src" "*"}))

    (nonce-policy "MY-NONCE")
    :=> "script-src 'nonce-MY-NONCE'; img-src *"

    (def static-policy
      (csp/header-value-fn {:default-src ["https:"
                                          :unsafe-eval
                                          :unsafe-inline]
                            :object-src :none})

    (static-policy)
    :=> "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"

CSP header values can be tested online:

- [CSP Evaluator](https://csp-evaluator.withgoogle.com/).
- [The Mozilla Observatory](https://observatory.mozilla.org/).

random-nonce-fn (clj)

(random-nonce-fn)
(random-nonce-fn random)

Returns a unique random 144-bit string (24 chars) to be used as a CSP nonce in
an HTTP response. Uses `java.security.SecureRandom`, or the optionally provided
instance of `java.util.Random`, to generate the random bytes.

Example:

    (def random-nonce (csp/random-nonce-fn))

    (random-nonce) :=> "iqkOHbaBPnGT6vC73ph89/G3"
    ;             Execution time mean : 1.042166 µs
    ;    Execution time std-deviation : 30.633099 ns
    ;   Execution time lower quantile : 1.009274 µs ( 2.5%)
    ;   Execution time upper quantile : 1.087203 µs (97.5%)

See also [Using a nonce with CSP](https://content-security-policy.com/nonce/).

requires-nonce? (clj)

(requires-nonce? f)

True if the function returned by [[header-value-fn]] requires a nonce argument.
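The four functions above are meant to be combined per request: render the policy once, and if it contains `:nonce`, mint a fresh nonce for every response and hand the same value to both the header and the page's `<script>` tags. The following Ring-style middleware is an added example, not code from the library or its documentation. It assumes the standard Ring handler shape (request map in, response map out); the middleware name `wrap-csp`, the `:csp/nonce` request key and the `/csp-report` endpoint are this example's own choices, and it assumes `:nonce` is recognised inside a collection value (the docstring describes collections as rendered element by element).

```clojure
(ns example.csp-middleware
  (:require [strojure.web-security.csp :as csp]))

;; Strict, nonce-based policy (example's own choice of directives): scripts
;; run only when they carry the per-response nonce, plugins are disabled and
;; the document base URL is pinned, so a stray injected <script> without the
;; nonce is blocked rather than executed.
(def policy
  {:script-src [:nonce :strict-dynamic]
   :object-src :none
   :base-uri   :self
   :report-uri "/csp-report"})   ; hypothetical report endpoint

(defn wrap-csp
  "Adds a CSP header to every response produced by `handler`.
  With `report-only?` true the policy is sent in the report-only header, so
  violations are reported but not enforced (useful while rolling a policy out)."
  ([handler] (wrap-csp handler false))
  ([handler report-only?]
   (let [render    (csp/header-value-fn policy)
         header    (csp/header-name report-only?)
         new-nonce (csp/random-nonce-fn)]
     (if (csp/requires-nonce? render)
       ;; Nonce policy: one fresh nonce per request. The handler sees it under
       ;; :csp/nonce so templates can emit <script nonce="..."> tags, and the
       ;; header is rendered with the very same value.
       (fn [request]
         (let [nonce    (new-nonce)
               response (handler (assoc request :csp/nonce nonce))]
           (assoc-in response [:headers header] (render nonce))))
       ;; Static policy: the header value never changes, so compute it once.
       (let [value (render)]
         (fn [request]
           (assoc-in (handler request) [:headers header] value)))))))

(defn page-handler
  "Example handler emitting one script tag that carries the request nonce."
  [request]
  {:status  200
   :headers {"Content-Type" "text/html"}
   :body    (str "<script nonce=\"" (:csp/nonce request) "\">"
                 "console.log('allowed by nonce')"
                 "</script>")})

;; Enforcing variant, and a report-only variant for staged rollout.
(def app             (wrap-csp page-handler))
(def app-report-only (wrap-csp page-handler true))

(comment
  ;; Every call yields a different nonce; the header and the tag agree.
  (app {:request-method :get :uri "/"})
  (app-report-only {:request-method :get :uri "/"}))
```

Generating the nonce inside the middleware, rather than in the handler, is what keeps the header and the markup in step; reusing a nonce across responses would let a previously captured value authorise scripts again, which is why `random-nonce-fn` is called per request.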
