class Helmet::FrameGuardHandler

Helmet::FrameGuardHandler
Reference
Object

Overview

When your webpage can be put in a frame (like an iframe), you can be vulnerable to a kind of attack called clickjacking, where your page is invisible on another page but is being interacted with.

The X-Frame-Options HTTP header restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.

DENY will prevent anyone from rendering this page in a frame.
SAMEORIGIN will only allow pages on the same origin to put this page in a frame. For example, if this header were set on http://example.com/about.html then http://example.com/store.html could render it, but http://evanhahn.com/store.html could not.
ALLOW-FROM lets you specify a specific origin that is allowed to put this page in frames.

Allow this page to be put in frames on the same origin

You can specify this explicitly:

sameorigin = Helmet::FrameGuardHandler::Origin::Same
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new allow_from: sameorigin,
  # ...
])

It's also the default:

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new,
  # ...
])

Don't allow this page to be put in frames (from anywhere)

nowhere = Helmet::FrameGuardHandler::Origin::Nowhere
server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new allow_from: nowhere,
])

Allow this page to be framed by a specific origin

server = HTTP::Server.new("0.0.0.0", 8080, [
  Helmet::FrameGuardHandler.new allow_from: "http://example.com",
  # ...
])

Included Modules

HTTP::Handler

Defined in:

helmet/frameguardhandler.cr

Constructors

.new(allow_from = Origin::Same)

Instance Method Summary

#call(context : HTTP::Server::Context)

Constructor Detail

def self.new(allow_from = Origin::Same) #

[View source]

Instance Method Detail

def call(context : HTTP::Server::Context) #