class Helmet::FrameGuardHandler

Overview

If your page can be put in a frame (an iframe, for example), it is exposed to clickjacking: an attacker's page embeds yours in an invisible or disguised frame, and the clicks a visitor thinks they are making on the attacker's page actually land on your buttons and links.

The X-Frame-Options HTTP header tells browsers who may put your site in a frame. It has three modes: DENY (never frame), SAMEORIGIN (frame only from the same origin), and ALLOW-FROM (frame only from one named origin). DENY and SAMEORIGIN are supported by all current browsers; ALLOW-FROM is not (see the note under the specific-origin example below).

Allow this page to be put in frames on the same origin

You can specify this explicitly:

require "http/server"
require "helmet"

# Sends "X-Frame-Options: SAMEORIGIN"
sameorigin = Helmet::FrameGuardHandler::Origin::Same
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new(allow_from: sameorigin),
  # ...
])

It's also the default:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new, # same as allow_from: Origin::Same
  # ...
])

Don't allow this page to be put in frames (from anywhere)

# Sends "X-Frame-Options: DENY"
nowhere = Helmet::FrameGuardHandler::Origin::Nowhere
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new(allow_from: nowhere),
  # ...
])

Allow this page to be framed by a specific origin

# Sends "X-Frame-Options: ALLOW-FROM http://example.com"
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new(allow_from: "http://example.com"),
  # ...
])

Be aware that ALLOW-FROM was only ever honoured by Firefox (removed in Firefox 70) and Internet Explorer/legacy Edge. Chrome and Safari treat it as an unrecognised value and ignore the whole header, which leaves the page frameable by anyone in those browsers. If you need an allow-list of framing origins, send a Content-Security-Policy header with a frame-ancestors directive instead, and use Origin::Same or Origin::Nowhere here.
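As an added example (not code from this page or from the crystal-helmet shard), the following program drives each mode through an in-memory HTTP::Server::Context and reports the X-Frame-Options value the handler produced, so a configuration can be checked without binding a port. It assumes the shard is required as "helmet" and that the handler writes the header values named in the overview (SAMEORIGIN, DENY, and ALLOW-FROM followed by the origin); the expected values are constructed from that description.

```crystal
require "http/server"
require "helmet" # the crystal-helmet shard; assumed to be listed in shard.yml

# Drive a handler with an in-memory request/response pair instead of a
# listening socket, so the header it emits can be inspected directly.
def frame_header_for(handler : HTTP::Handler) : String?
  request = HTTP::Request.new("GET", "/")
  response = HTTP::Server::Response.new(IO::Memory.new)
  context = HTTP::Server::Context.new(request, response)
  handler.call(context) # no `next` handler is attached, so the chain ends here
  context.response.headers["X-Frame-Options"]?
end

# Each mode paired with the header value the overview says it should produce.
# These expectations are constructed for this example, not taken from the shard.
cases = {
  "default"         => {Helmet::FrameGuardHandler.new, "SAMEORIGIN"},
  "Origin::Same"    => {Helmet::FrameGuardHandler.new(allow_from: Helmet::FrameGuardHandler::Origin::Same), "SAMEORIGIN"},
  "Origin::Nowhere" => {Helmet::FrameGuardHandler.new(allow_from: Helmet::FrameGuardHandler::Origin::Nowhere), "DENY"},
  "string origin"   => {Helmet::FrameGuardHandler.new(allow_from: "http://example.com"), "ALLOW-FROM http://example.com"},
}

failures = 0
cases.each do |label, pair|
  handler, expected = pair
  actual = frame_header_for(handler)
  ok = actual == expected
  failures += 1 unless ok
  status = ok ? "ok" : "MISMATCH (expected #{expected})"
  puts "#{label.ljust(16)} X-Frame-Options: #{actual.inspect} #{status}"
end

# Non-zero exit lets this double as a CI check on the handler configuration.
exit(failures == 0 ? 0 : 1)
```

Because the context is built by hand, the check is independent of how the server is constructed and can run in a spec before the real handler chain is assembled.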

Defined in:

helmet/frameguardhandler.cr

Constructor Detail

def self.new(allow_from = Origin::Same)

Creates the handler. allow_from is one of Origin::Same (SAMEORIGIN, the default), Origin::Nowhere (DENY), or a String origin, which is sent as ALLOW-FROM <origin>.

Instance Method Detail

def call(context : HTTP::Server::Context)

Sets the X-Frame-Options header on the response according to the configured origin, then passes the context along the handler chain.