
catacumba.handlers.security


content-type-options-headers

(content-type-options-headers context)

A chain handler that adds the X-Content-Type-Options header (whose only defined value is nosniff) to the response. It stops browsers from MIME-sniffing a response away from its declared Content-Type, so a resource served with a mismatched media type is not executed as a script or applied as a stylesheet.

This handler takes no options. Note from the signature that it receives the context directly, so register it as a value in a route chain, `[:all content-type-options-headers]`, rather than calling it.

More information: http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx https://www.owasp.org/index.php/List_of_useful_HTTP_headers


csp-headers

(csp-headers)
(csp-headers options)

A chain handler that adds the Content-Security-Policy header to the response. Each key of the options map names a CSP directive and its value is that directive's source list, written exactly as it should appear in the header.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

Example:

(def cspconf {:default-src "'self' *.trusted.com"
              :img-src "*"
              :frame-ancestors "'none'"
              :reflected-xss "filter"})

(def app
  (ct/routes [[:prefix "web"
               [:all (csp-headers cspconf)]
               [:get your-handler]]]))

Note that the reflected-xss directive used in the example above was dropped from the CSP specification (it never made it into CSP Level 2) and is ignored by current browsers, so it adds no protection; the other three directives are the ones doing the work. You can read more about CSP here: https://developer.mozilla.org/en-US/docs/Web/Security/CSP


csrf-protect

(csrf-protect)
(csrf-protect
  {:keys [on-error cookie-name field-name header-name]
   :or {header-name :x-csrftoken field-name :csrftoken cookie-name :csrftoken}})

A chain handler that provides CSRF (Cross-Site Request Forgery) protection. CSRF is also known as a one-click attack or session riding.

The option names in the signature indicate a double-submit scheme: the token is issued in a cookie, and a state-changing request is accepted only when the client echoes that token back in a request header or a form field. The options, with their defaults, are:

  • :cookie-name: the cookie that carries the token (default :csrftoken)
  • :field-name: the form field in which the client echoes the token (default :csrftoken)
  • :header-name: the request header in which the client echoes the token (default :x-csrftoken)
  • :on-error: a function invoked when validation fails, for customising the error response

Because the check relies on the client sending the token back, browser-side code (for example a fetch wrapper) must read the cookie and copy its value into the configured header; plain HTML forms must include it as the configured field.


frame-options-headers

(frame-options-headers)
(frame-options-headers {:keys [policy] :or {policy :sameorigin}})

A chain handler that adds the X-Frame-Options header to the response.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Possible options:

  • :policy: either :deny (header value DENY: the page may never be framed) or :sameorigin (header value SAMEORIGIN: the page may only be framed by documents from the same origin); the default is :sameorigin

Warning: the frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header. Sending both is harmless and covers older browsers, but when both are present a CSP-aware browser follows frame-ancestors and ignores X-Frame-Options.


hsts-headers

(hsts-headers)
(hsts-headers {:keys [max-age subdomains]
               :or {max-age 31536000 subdomains true}})

A chain handler that adds the Strict-Transport-Security header to the response, instructing browsers to reach this host only over HTTPS for the lifetime of the policy. It accepts the following params:

  • max-age: how long, in seconds, browsers should remember the policy (default: 31536000, one year)
  • subdomains: whether the policy also covers every subdomain, by appending the includeSubDomains token (default true)

Two caveats: browsers ignore this header when it arrives over plain HTTP (RFC 6797, section 8.1), so it only takes effect once the site is actually served over TLS; and enabling subdomains commits every subdomain to HTTPS for the whole max-age, so check that none of them still needs plain HTTP before turning it on. A max-age of 0 is the way to retract a policy that clients have already cached.

For more information, see the following RFC: https://tools.ietf.org/html/rfc6797
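The following application wires all five handlers from this namespace into one route tree, covering the content-type-options, CSP, CSRF, frame-options and HSTS sections above. It is an added example, not code from the catacumba project or its documentation. It assumes the aliases ct for catacumba.core and sec for this namespace, a hypothetical handler named home, and ct/run-server to start the server; the CSP source lists and the custom CSRF token names are illustrative choices.

```clojure
;; Added example, not part of the catacumba documentation or source.
;; Assumes: `ct` = catacumba.core, `sec` = catacumba.handlers.security,
;; a hypothetical `home` handler, and `ct/run-server` to start the server.
(ns example.secure-app
  (:require [catacumba.core :as ct]
            [catacumba.handlers.security :as sec]))

;; A tighter policy than the docstring example: no wildcard image source,
;; scripts only from self and one named CDN, and frame-ancestors 'none'
;; doing the job of X-Frame-Options for CSP-aware browsers.
(def csp-conf
  {:default-src     "'self'"
   :script-src      "'self' https://static.trusted.com"
   :img-src         "'self' data:"
   :frame-ancestors "'none'"})

;; Hypothetical application handler; catacumba uses a returned string as the body.
(defn home
  [context]
  "hello")

(def app
  (ct/routes
   ;; Handlers registered with :all run for every request under this route and
   ;; delegate to the next entry. content-type-options-headers takes the context
   ;; directly (see its signature), so it is passed as a value, not called; the
   ;; other four are constructors that take an options map and return a handler.
   [[:all sec/content-type-options-headers]
    [:all (sec/csp-headers csp-conf)]
    ;; DENY for older browsers; CSP-aware ones follow frame-ancestors above.
    [:all (sec/frame-options-headers {:policy :deny})]
    ;; Two years, subdomains included. Only honoured once served over TLS.
    [:all (sec/hsts-headers {:max-age 63072000 :subdomains true})]
    [:prefix "web"
     ;; Custom token names (illustrative): the token is issued in the `xsrf`
     ;; cookie and must be echoed in the X-XSRF-TOKEN header or `xsrf` form
     ;; field on state-changing requests; otherwise the defaults apply.
     [:all (sec/csrf-protect {:cookie-name :xsrf
                              :field-name  :xsrf
                              :header-name :x-xsrf-token})]
     [:get home]]]))

(defn -main
  [& _]
  ;; Put a TLS terminator in front of this port in production, or the
  ;; Strict-Transport-Security header above is ignored by browsers.
  (ct/run-server app {:port 5050}))
```

The header handlers are registered before the :prefix entry so that every response, including error responses generated further down the chain, carries them; csrf-protect is scoped to the "web" prefix because it only makes sense on routes that accept browser-originated state changes. After starting the server, a request such as curl -i http://localhost:5050/web should show X-Content-Type-Options, Content-Security-Policy, X-Frame-Options and Strict-Transport-Security on the response, which is the quickest way to confirm the chain is wired correctly.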

