{:access-control
{:allow-origin "*"
:allow-credentials false
:expose-headers #{"X-Custom"}
:allow-methods #{:get :post}
:allow-headers ["Api-Key"]
}}
Built into the library, yada offers a complete standards-based set of security features for today’s secure applications and content delivery.
yada fully supports Cross-Origin Resource Sharing (CORS) allowing you to provide APIs that are accessible from other origins.
For example, you may be creating an API that you wish other websites to make use of, by allowing browsers visiting those websites access to your API.
CORS is specified in the :access-control
section of the
resource-model.
{:access-control
{:allow-origin "*"
:allow-credentials false
:expose-headers #{"X-Custom"}
:allow-methods #{:get :post}
:allow-headers ["Api-Key"]
}}
With the exception of :allow-credentials
(which must be a boolean),
any of the values can be declared as single-arity functions, which are
called with the request-context as an argument to determine the value
for the corresponding response header.
clojure {:strict-transport-security {:max-age 12000}}
Defaults to a maximum age of 31536000.
The HSTS header is only set if the scheme is HTTPS or the service is
behind a proxy (determined by the presence of the X-Forwarded-For
request header).
{:content-security-policy "url-src"}
Defaults to default-src https: data: 'unsafe-inline' 'unsafe-eval'
.
A browser’s iframe can be used for 'click-jacking'. By default yada
tells browsers not to allow this. The default value is SAMEORIGIN
,
unless you override it in the resource-model.
{:x-frame-options "NONE"}
yada also sets the X-Xss-Protection
response header to
1; mode=block
. This can be overridden in the resource model.
{:x-content-type-options "0"}
By default, yada sets the X-Content-Type-Options
response header to
nosniff
. This tells browsers not to try to attempt to determine the
content-type of the response body.
Since yada sets the Content-Type
header according to HTTP standards,
there should never be a need for a browser to 'sniff' the response body
for this information, preventing an attack that might exploit some
vulnerability in this process.
Can you improve this documentation? These fine people already did:
Malcolm Sparks, Daniel Compton & nhaEdit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close