Host-facing security helpers.

stube emits its own responses, so a handful of protections live in the
kernel (unguessable cids, bounded parsing, `Secure` cookies, CSRF
tokens — see `docs/security.md`). But the *response headers* that
harden a page against framing, sniffing, and referrer leakage are a
host decision: only the host knows its CDN origins, analytics, and
framing policy. This namespace gives the host a baseline it can opt
into and tune.

Wrap your stube ring handler:

```clojure
(-> (embed/ring-handler k {:mounts ...})
    (security/wrap-defaults))
```

or, with a Content-Security-Policy and a tweak:

```clojure
(security/wrap-defaults handler
  {:csp (security/content-security-policy
          {:default-src "'self'"
           :script-src ["'self'" "https://cdn.jsdelivr.net"]})
   :headers {"X-Frame-Options" nil}}) ; drop a default
```

```clojure
(content-security-policy directives)
```
Build a `Content-Security-Policy` header value from a `directives`
map. Keys are directive names (keyword or string); values are a
string or a sequence of source tokens.

```clojure
(content-security-policy
  {:default-src "'self'"
   :script-src ["'self'" "https://cdn.jsdelivr.net"]
   :frame-ancestors "'none'"})
;; => "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; frame-ancestors 'none'"
```

Note: the stube shell uses an inline `data-init` attribute and
Datastar uses inline `data-on:*` attributes, so a strict policy needs
a per-render nonce (or hash) rather than blanket `unsafe-inline`. See
the CSP section of `docs/security.md`.
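The note above leaves the stube-side details (how the shell picks up a nonce) to `docs/security.md`. The host-side plumbing it implies, as an added example that is not stube's code: a per-request nonce minted with `SecureRandom`, a hash source for an inline script whose text never changes, and a policy built by an illustrative `csp` helper that follows the same directives-map contract the page documents for `content-security-policy`. The `csp` helper, `wrap-csp-nonce`, `render`, `boot-script` and `app` are hypothetical names for this example; in a real host you would build the header with `security/content-security-policy` instead of the local helper.

```clojure
(ns example.csp
  (:require [clojure.string :as str])
  (:import [java.security SecureRandom MessageDigest]
           [java.util Base64]))

;; Illustrative builder with the contract the page documents (keyword or
;; string keys, string or sequence values). Not stube's implementation.
(defn csp [directives]
  (str/join "; "
            (for [[k v] directives]
              (str (name k) " " (if (string? v) v (str/join " " v))))))

(defn nonce
  "Fresh 128-bit random value for one render, base64-encoded. The alphabet
   (A-Z a-z 0-9 + / =) is safe to place in an attribute without escaping."
  []
  (let [buf (byte-array 16)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (Base64/getEncoder) buf)))

(defn script-hash
  "Hash source for an inline script whose text is fixed. The digest covers
   the element's exact text content, whitespace included."
  [^String body]
  (let [digest (.digest (MessageDigest/getInstance "SHA-256")
                        (.getBytes body "UTF-8"))]
    (str "'sha256-" (.encodeToString (Base64/getEncoder) digest) "'")))

;; Constructed sample of a fixed inline script the host always emits.
(def boot-script "window.__boot = true;")

(defn render
  "Hypothetical page body: the per-render nonce goes on the inline script
   the host emits; the fixed boot script is allowed by hash instead."
  [n]
  (str "<!doctype html><html><head>"
       "<script>" boot-script "</script>"
       "<script nonce=\"" n "\">console.log('rendered');</script>"
       "</head><body></body></html>"))

(defn wrap-csp-nonce
  "Mint a nonce per request, hand it to the handler as :csp-nonce, and set
   the policy on the response. The nonce is minted here, on every request,
   never once at startup."
  [handler]
  (fn [request]
    (let [n        (nonce)
          response (handler (assoc request :csp-nonce n))
          policy   (csp {:default-src     "'self'"
                         :script-src      ["'self'"
                                           (str "'nonce-" n "'")
                                           (script-hash boot-script)]
                         :frame-ancestors "'none'"})]
      (assoc-in response [:headers "Content-Security-Policy"] policy))))

(def app
  (wrap-csp-nonce
   (fn [request]
     {:status  200
      :headers {"Content-Type" "text/html; charset=utf-8"}
      :body    (render (:csp-nonce request))})))

(defn demo
  "Run one request; the nonce in the header must be the one in the body."
  []
  (let [{:keys [headers body]} (app {:request-method :get :uri "/"})
        policy (get headers "Content-Security-Policy")
        n      (second (re-find #"'nonce-([^']+)'" policy))]
    {:policy         policy
     :nonce-in-body? (str/includes? body (str "nonce=\"" n "\""))}))
```

Call `(demo)` in a REPL: it returns the policy string and whether the nonce named in the header is the one rendered into the page, which is the property a test should pin down. A nonce is only as strong as its freshness; one generated at startup or reused across renders lets any script an attacker manages to inject next to it execute too, which is why the middleware mints it per request. The hash route ties the policy to the script's exact text, so any edit to that script (even whitespace) has to be followed by a new digest, and a mismatch shows up in the browser console as a blocked inline script.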
`default-headers`

Baseline security response headers [[wrap-defaults]] adds.

- `X-Content-Type-Options: nosniff` — no MIME sniffing.
- `Referrer-Policy: same-origin` — don't leak the cid in a referer.
- `X-Frame-Options: SAMEORIGIN` — block cross-origin framing (relevant
  because a clickjacked GET can mint a conversation). Supersede with a
  CSP `frame-ancestors` directive if you need finer control.
- `Cross-Origin-Opener-Policy: same-origin` — isolate the browsing
  context group.
- `Permissions-Policy` — deny powerful features by default.
```clojure
(wrap-defaults handler)
(wrap-defaults handler {:keys [headers csp]})
```

Ring middleware that adds [[default-headers]] (and an optional CSP) to
every response, without overwriting headers the handler already set.

Options:

- `:headers` — a map merged over [[default-headers]]. A value of
  `nil` *removes* that default (e.g. `{"X-Frame-Options" nil}` when
  you drive framing through a CSP `frame-ancestors` instead).
- `:csp` — a `Content-Security-Policy` value (see
  [[content-security-policy]]).

Works for both synchronous (1-arg) and asynchronous (3-arg) Ring
handlers.
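The merge rules documented above (the handler's own headers win, `nil` drops a default, 1-arg and 3-arg handlers both work) in runnable form, as an added example that is not stube's implementation. It re-creates the contract so a host can see exactly which header wins, and adds a `missing-baseline` audit a host can run in its tests to catch a route that lost its headers. The `Permissions-Policy` value is a constructed sample (the page only says the header denies powerful features by default); `has-header?`, `effective-defaults`, `add-headers` and `missing-baseline` are hypothetical names.

```clojure
(ns example.security-headers)

;; Baseline from the page. The Permissions-Policy value is a constructed
;; sample; stube's actual value is not stated on the page.
(def default-headers
  {"X-Content-Type-Options"     "nosniff"
   "Referrer-Policy"            "same-origin"
   "X-Frame-Options"            "SAMEORIGIN"
   "Cross-Origin-Opener-Policy" "same-origin"
   "Permissions-Policy"         "camera=(), microphone=(), geolocation=()"})

(defn- has-header?
  "Header names are case-insensitive on the wire; compare them that way so a
   handler's lower-case `referrer-policy` counts as already set."
  [headers header-name]
  (boolean (some (fn [^String k] (.equalsIgnoreCase k header-name))
                 (keys headers))))

(defn effective-defaults
  "Host overrides merged over the baseline; a nil value removes that default."
  [overrides]
  (reduce-kv (fn [m k v] (if (nil? v) (dissoc m k) (assoc m k v)))
             default-headers
             (or overrides {})))

(defn add-headers
  "Add headers to a response without touching ones the handler already set."
  [response headers]
  (let [existing (or (:headers response) {})]
    (assoc response :headers
           (reduce-kv (fn [m k v] (if (has-header? m k) m (assoc m k v)))
                      existing
                      headers))))

(defn wrap-defaults
  "Re-creation of the documented contract for illustration (not stube's code)."
  ([handler] (wrap-defaults handler {}))
  ([handler {:keys [headers csp]}]
   (let [hs (cond-> (effective-defaults headers)
              csp (assoc "Content-Security-Policy" csp))]
     (fn
       ([request] (add-headers (handler request) hs))
       ([request respond raise]
        (handler request
                 (fn [response] (respond (add-headers response hs)))
                 raise))))))

(defn missing-baseline
  "Audit helper: baseline headers absent from a response. Framing counts as
   covered by either X-Frame-Options or a CSP frame-ancestors directive,
   matching the page's advice to supersede the former with the latter."
  [response]
  (let [hs  (:headers response)
        csp (some (fn [[^String k v]]
                    (when (.equalsIgnoreCase k "Content-Security-Policy") v))
                  hs)
        framing-ok? (or (has-header? hs "X-Frame-Options")
                        (boolean (and csp (re-find #"(?i)frame-ancestors" csp))))]
    (cond-> (vec (remove #(has-header? hs %)
                         (keys (dissoc default-headers "X-Frame-Options"))))
      (not framing-ok?) (conj "X-Frame-Options (or CSP frame-ancestors)"))))

(defn demo
  "Sync and async handlers through the same middleware: the sync handler's
   own lower-case referrer-policy survives, X-Frame-Options is dropped by
   the host, and the CSP's frame-ancestors keeps the audit clean."
  []
  (let [opts      {:headers {"X-Frame-Options" nil}
                   :csp     "default-src 'self'; frame-ancestors 'none'"}
        sync-app  (wrap-defaults
                   (fn [_] {:status  200
                            :headers {"referrer-policy" "no-referrer"}
                            :body    "ok"})
                   opts)
        async-app (wrap-defaults
                   (fn [_ respond _] (respond {:status 200 :headers {} :body "ok"}))
                   opts)
        sync-resp (sync-app {:request-method :get :uri "/"})
        out       (promise)]
    (async-app {:request-method :get :uri "/"} #(deliver out %) #(deliver out %))
    {:sync-headers  (:headers sync-resp)
     :sync-missing  (missing-baseline sync-resp)
     :async-missing (missing-baseline @out)}))
```

Ring leaves response header names exactly as the handler wrote them, so a naive `merge` would let a handler's `referrer-policy` and the baseline's `Referrer-Policy` both go out on the wire, with the browser's choice between them undefined; the case-insensitive check avoids that. The audit is the piece worth keeping around: run it over each route's response in your test suite, since a route that bypasses the middleware (a separate handler chain, a static-file mount) is the usual way a baseline quietly disappears.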