class Kemal::Shield::ContentSecurityPolicy
- Kemal::Shield::ContentSecurityPolicy
- Kemal::Shield::Handler
- Kemal::Handler
- Reference
- Object
Overview
Kemal::Shield::ContentSecurityPolicy sets the Content-Security-Policy (CSP) header.
This header helps mitigate several kinds of client-side attacks, e.g. cross-site scripting (XSS).
The following directives are set unless custom directives are supplied:
default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests;
This handler has the following default configuration set:
Kemal::Shield.config.csp_on = true
Kemal::Shield.config.csp_defaults = true
Kemal::Shield.config.csp_directives = Shield::ContentSecurityPolicy::DEFAULT_DIRECTIVES
Kemal::Shield.config.csp_report_only = false
Defined in:
kemal-shield/handlers/content_security_policy.cr
Constant Summary
DEFAULT_DIRECTIVES = {
  "default-src"               => ["'self'"],
  "base-uri"                  => ["'self'"],
  "block-all-mixed-content"   => [] of String,
  "font-src"                  => ["'self'", "https:", "data:"],
  "frame-ancestors"           => ["'self'"],
  "img-src"                   => ["'self'", "data:"],
  "object-src"                => ["'none'"],
  "script-src"                => ["'self'"],
  "script-src-attr"           => ["'none'"],
  "style-src"                 => ["'self'", "https:", "'unsafe-inline'"],
  "upgrade-insecure-requests" => [] of String,
}
Default Content-Security-Policy directives
Constructors
Instance Method Summary
Constructor Detail
def self.new(use_defaults : Bool = true, directives : Hash(String, Array(String)) = DEFAULT_DIRECTIVES, report_only : Bool = false)
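An added usage example, not part of the shard's documentation, showing how the constructor above is used to ship a tightened policy in report-only mode before enforcing it. It assumes that `use_defaults: false` means the supplied hash is used as-is, that `report_only: true` selects the Content-Security-Policy-Report-Only header, and that the `render_csp` helper, the `/csp-report` route and the CDN host are constructed for this example rather than provided by kemal-shield.

```crystal
require "kemal"
require "kemal-shield"

# Start from the shard's defaults and adjust them for an app that loads
# images from one CDN but nothing else beyond its own origin.
# (The CDN host is a constructed placeholder.)
directives = Kemal::Shield::ContentSecurityPolicy::DEFAULT_DIRECTIVES.dup
directives["img-src"] = ["'self'", "data:", "https://cdn.example.com"]
# Drop 'unsafe-inline' once inline <style> blocks have been removed.
directives["style-src"] = ["'self'"]
# Ask browsers to send violation reports to a local endpoint so the
# policy can be validated against real traffic before it blocks anything.
directives["report-uri"] = ["/csp-report"]

# Render the hash as a header value for review (helper assumed here,
# not part of the shard's API): "name v1 v2; name2 v1; ...".
def render_csp(directives : Hash(String, Array(String))) : String
  directives.map { |name, values| ([name] + values).join(" ") }.join("; ")
end

puts "Policy under test: #{render_csp(directives)}"

# Collect violation reports. In production route these to your log
# pipeline; here they are written to the Kemal log.
post "/csp-report" do |env|
  body = env.request.body.try(&.gets_to_end) || ""
  Log.warn { "CSP violation report: #{body}" }
  env.response.status_code = 204
end

# Report-only first; flip report_only to false once reports are clean.
add_handler Kemal::Shield::ContentSecurityPolicy.new(
  use_defaults: false,
  directives: directives,
  report_only: true,
)

Kemal.run
```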