ring-secure-headers

Help secure your Ring apps by setting various HTTP headers. It’s not a silver bullet, but it can help! Inspired by Helmet for Node.js.

Usage

ring-secure-headers is made up of several Ring middleware. You can learn more about this on the Ring wiki.

DNS Prefetch Control

This middleware lets you disable browsers’ DNS prefetching by setting the X-DNS-Prefetch-Control header. For more info, see the Helmet documentation.

(require '[ring-secure-headers.core :refer [dns-prefetch-control]])

; Sets X-DNS-Prefetch-Control: off
(dns-prefetch-control my-handler)
(dns-prefetch-control my-handler {:allow? false})

; Sets X-DNS-Prefetch-Control: on
(dns-prefetch-control my-handler {:allow? true})

Don't Sniff Mimetype

This middleware helps prevent browsers from trying to guess ("sniff") the MIME type, which can have security implications. It does this by setting the X-Content-Type-Options header to nosniff. See the Helmet docs for further explanation.

(require '[ring-secure-headers.core :refer [nosniff]])

; Sets X-Content-Type-Options: nosniff
(nosniff my-handler)

Expect-CT

The Expect-CT HTTP header tells browsers to expect Certificate Transparency. For more about Certificate Transparency and this header, see this blog post and the in-progress spec.

(require '[ring-secure-headers.core :refer [expect-ct]])

; Sets Expect-CT: max-age=123
(expect-ct my-handler {:max-age 123})

; Sets Expect-CT: enforce; max-age=123
(expect-ct my-handler {:max-age 123
                       :enforce? true})

; Sets Expect-CT: enforce; max-age=30; report-uri="https://example.com/report"
(expect-ct my-handler {:max-age 30
                       :enforce? true
                       :report-uri "https://example.com/report"})

Frameguard

Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header. See the Helmet docs for more.

(require '[ring-secure-headers.core :refer [frameguard]])

; Don't allow me to be in ANY frames.
; Sets X-Frame-Options: DENY
(frameguard my-handler {:action :deny})

; Only let me be framed by people of the same origin.
; Sets X-Frame-Options: SAMEORIGIN
(frameguard my-handler {:action :same-origin})
(frameguard my-handler)  ; defaults to :same-origin

; Allow from a specific host.
; Sets X-Frame-Options: ALLOW-FROM https://example.com
(frameguard my-handler {:action :allow-from
                        :domain "https://example.com"})

HPKP

The Public-Key-Pins header helps keep your users on secure HTTPS. For more, see the Helmet docs.

(require '[ring-secure-headers.core :refer [hpkp]])

; Sets Public-Key-Pins: pin-sha256="AbCdEf123="; pin-sha256="ZyXwVu456="; max-age: 123
(hpkp my-handler {:max-age 123
                  :sha256s ["AbCdEf123=", "ZyXwVu456="]})

; Sets Public-Key-Pins: pin-sha256=...; includeSubDomains
(hpkp my-handler {:max-age 123
                  :sha256s ["AbCdEf123=", "ZyXwVu456="]
                  :include-subdomains? true})

; Sets Public-Key-Pins: pin-sha256=...; report-uri="https://example.com/report"
(hpkp my-handler {:max-age nintey-days-in-seconds
                  :sha256s ["AbCdEf123=", "ZyXwVu456="]
                  :report-uri "https://example.com/report"})

; Sets Public-Key-Pins-Report-Only: pin-sha256=...; report-uri="https://example.com/report"
(hpkp my-handler {:max-age nintey-days-in-seconds
                  :sha256s ["AbCdEf123=", "ZyXwVu456="]
                  :report-uri "https://example.com/report"
                  :report-only? true})

IE No Open

This middleware sets the X-Download-Options to prevent Internet Explorer from executing downloads in your site’s context. See the Helmet docs for more.

(require '[ring-secure-headers.core :refer [ie-no-open]])

; Sets X-Download-Options: noopen
(ie-no-open my-handler)

XSS Filter

The xss-filter middleware sets the X-XSS-Protection header to prevent reflected XSS attacks. See the Helmet docs for a more detailed description.

(require '[ring-secure-headers.core :refer [xss-filter]])

; Sets X-XSS-Protection: 1; mode=block
(xss-filter my-handler)

; Force the header to be set on old versions of Internet Explorer, which can have other security risks
(xss-filter my-handler {:force-on-old-ie? true})

License

Distributed under the Unlicense either version 0.1.0 and later.

Name		Name	Last commit message	Last commit date
Latest commit History 22 Commits
src/ring_secure_headers		src/ring_secure_headers
test/ring_secure_headers		test/ring_secure_headers
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
LICENSE		LICENSE
README.md		README.md
project.clj		project.clj

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

ring-secure-headers

Usage

DNS Prefetch Control

Don't Sniff Mimetype

Expect-CT

Frameguard

HPKP

IE No Open

XSS Filter

License

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

ring-secure-headers

Usage

DNS Prefetch Control

Don't Sniff Mimetype

Expect-CT

Frameguard

HPKP

IE No Open

XSS Filter

License

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages