<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<title>Coast on Clojure</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link href="/favicon.png" rel="icon" type="image/png">
<link rel="stylesheet" href="/bundle--6885699.css" />
</head>
<body>
<nav class="dt w-100 border-box pa3 ph5-ns">
<a class="dtc v-mid near-black link dim w-25" href="/" title="Home">
<img alt="Coast on Clojure" class="dib w2 h2 br-100" src="/favicon.png">
<span class="ml2 v-top mt2 dib near-black">Coast</span>
</a>
<div class="dtc v-mid w-75 tr">
<a class="link dim near-black f6 f5-ns dib mr3 mr4-ns" href="/docs" title="Docs">Docs</a>
<a class="link dim near-black f6 f5-ns dib mr3 mr4-ns" href="https://twitter.com/coastonclojure" title="Twitter">Twitter</a>
<a class="link dim near-black f6 f5-ns dib" href="https://github.com/coast-framework/coast" title="Github">Github</a>
</div>
</nav>
<div class="grid bg-nearest-white">
<div class="pa4 bg-nearest-white sidebar-container">
<div class="fr-l sidebar">
<h3 id="user-content-preface">Preface</h3>
<ul>
<li><a href="/docs/about">About</a></li>
<li><a href="/docs/credits">Credits</a></li>
<li><a href="/docs/upgrading">Upgrading from eta</a></li>
<li><a href="/docs/contribution">Contribution Guide</a></li>
</ul>
<h3 id="user-content-concept">Concept</h3>
<ul>
<li><a href="/docs/request-lifecycle">Request Lifecycle</a></li>
</ul>
<h3 id="user-content-getting-started">Getting Started</h3>
<ul>
<li><a href="/docs/installation">Installation</a></li>
<li><a href="/docs/configuration">Configuration</a></li>
<li><a href="/docs/directory-structure">Directory Structure</a></li>
</ul>
<h3 id="user-content-database">Database</h3>
<ul>
<li><a href="/docs/database-getting-started">Getting Started</a></li>
<li><a href="/docs/queries">Queries</a></li>
<li><a href="/docs/migrations">Migrations</a></li>
<li><a href="/docs/relationships">Relationships</a></li>
<li><a href="/docs/pull">Pull</a></li>
</ul>
<h3 id="user-content-basics">Basics</h3>
<ul>
<li><a href="/docs/routing">Routing</a></li>
<li><a href="/docs/middleware">Middleware</a></li>
<li><a href="/docs/handlers">Handlers</a></li>
<li><a href="/docs/request">Request</a></li>
<li><a href="/docs/response">Response</a></li>
<li><a href="/docs/views">Views</a></li>
<li><a href="/docs/sessions">Sessions</a></li>
<li><a href="/docs/validator">Validator</a></li>
<li><a href="/docs/error-handling">Error Handling</a></li>
<li><a href="/docs/logger">Logger</a></li>
</ul>
<h3 id="user-content-security">Security</h3>
<ul>
<li><a href="/docs/security-intro">Introduction</a></li>
<li><a href="/docs/authentication">Authentication</a></li>
<li><a href="/docs/csrf-protection">CSRF Protection</a></li>
<li><a href="/docs/password-hashing">Password Hashing</a></li>
<li><a href="/docs/security-outro">XSS, Sniffing, XFrame</a></li>
</ul>
<h3 id="user-content-miscellaneous">Miscellaneous</h3>
<ul>
<li><a href="/docs/older-versions">Older Versions</a></li>
</ul>
</div>
</div>
<div class="ph4 bg-white content">
<h1 id="user-content-xss,-sniffing,-xframe">XSS, Sniffing, XFrame</h1><p>Common security headers help keep your web application secure, whether or not you run it behind nginx.</p><p>By default, Coast attempts to protect your web app from <em>XSS</em> attacks, unwanted <em>iframe embeds</em>, and <em>content-type sniffing</em>.</p><h3 id="user-content-xss">XSS</h3><p>By default, Coast passes the following map to <code>app</code>, which results in the header <code>X-XSS-Protection: 1; mode=block</code> being sent on every response.</p><pre><code class="clojure">{:security {:xss-protection {:enable? true, :mode :block}}}
</code></pre><h3 id="user-content-no-sniff">No Sniff</h3><p>Most modern browsers attempt to detect the <em>Content-Type</em> of a request by sniffing its content, meaning a file ending in <em>.txt</em> could be executed as JavaScript if it contains JavaScript code.</p><p>This behavior is disabled by default with the map:</p><pre><code class="clojure">{:security {:content-type-options :nosniff}}
</code></pre><h3 id="user-content-xframe">XFrame</h3><p>Coast also makes it easy to control whether your website can be embedded inside an iframe.</p><p>Available options are <code>:deny</code>, <code>:same-origin</code> or <code>:allow-from [http://example.com]</code>.</p><p>The default is <code>:deny</code>:</p><pre><code class="clojure">{:security {:frame-options :deny}}
</code></pre>
</code></pre>
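<p>The three settings above only help if the headers actually reach the browser; a reverse proxy or a stray middleware can strip or override them. The following Python script is an added example, not part of Coast or its documentation: it parses a raw response header block (as printed by <code>curl -I</code>) and audits it for the three headers this page describes, using their standard names (<code>X-XSS-Protection</code>, <code>X-Content-Type-Options</code>, <code>X-Frame-Options</code>). The sample responses are constructed for illustration.</p>

```python
"""Audit an HTTP response for the XSS, nosniff and frame-options headers.

Added example, not Coast's own code. Header names and accepted values are
the standard ones; the two sample responses below are constructed.
"""
from typing import Dict, List, Optional

# Values this page documents as Coast's defaults.
EXPECTED_XSS = "1; mode=block"
EXPECTED_NOSNIFF = "nosniff"
# DENY / SAMEORIGIN are fixed tokens; ALLOW-FROM takes a URI after it.
FIXED_FRAME_OPTIONS = ("DENY", "SAMEORIGIN")


def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn a raw header block (status line + 'Name: value' lines) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank separator, not a header
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all three headers are set as expected."""
    findings: List[str] = []

    xss = _lookup(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    elif xss.replace(" ", "").lower() != EXPECTED_XSS.replace(" ", ""):
        findings.append(f"X-XSS-Protection is {xss!r}, expected {EXPECTED_XSS!r}")

    cto = _lookup(headers, "X-Content-Type-Options")
    if cto is None:
        findings.append("missing X-Content-Type-Options (content sniffing not disabled)")
    elif cto.lower() != EXPECTED_NOSNIFF:
        findings.append(f"X-Content-Type-Options is {cto!r}, expected 'nosniff'")

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("missing X-Frame-Options (page can be framed by any site)")
    else:
        upper = xfo.upper()
        if upper not in FIXED_FRAME_OPTIONS and not upper.startswith("ALLOW-FROM "):
            findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    return findings


# Constructed sample: the defaults described on this page, as a raw curl -I block.
GOOD_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

# Constructed sample: a response whose security headers were lost behind a proxy
# that also sets a non-standard frame-options value.
BAD_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "x-frame-options: ALLOWALL\r\n"
    "\r\n"
)


def audit_raw(raw: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_security_headers(parse_header_block(raw))


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RAW), ("bad", BAD_RAW)):
        print(label, audit_raw(raw) or ["ok"])
```

<p>Run it against the output of <code>curl -I https://your-app.example</code> after deploying; an empty result means the three headers arrived with the values this page documents, and any finding points at the layer (proxy, middleware order) that altered them.</p>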
</div>
</div>
<script type="text/javascript" src="/bundle-2017277981.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
</body>
</html>