class Kemal::Shield::ContentSecurityPolicy

Overview

Kemal::Shield::ContentSecurityPolicy sets the Content-Security-Policy (CSP) header. This header helps mitigate several kinds of client-side attacks, e.g. cross-site scripting (XSS), by telling the browser which sources of scripts, styles, images and other content a page may load.

The following directives are set unless custom directives are supplied:

default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests;

This handler has the following default configuration set:

Kemal::Shield.config.csp_on = true
Kemal::Shield.config.csp_defaults = true
Kemal::Shield.config.csp_directives = Shield::ContentSecurityPolicy::DEFAULT_DIRECTIVES
Kemal::Shield.config.csp_report_only = false
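The following is an added example, not code from the kemal-shield project: it starts from DEFAULT_DIRECTIVES, tightens style-src (the default allows 'unsafe-inline' and any https: host), adds a report-uri, and rolls the policy out with csp_report_only first so violations are reported rather than enforced. The require name, the shard applying its handlers from Kemal::Shield.config, the font host and the /csp-report path are assumptions; csp_value is an illustrative serializer that follows the directive list shown above, not the shard's own method.

```crystal
require "kemal"
require "kemal-shield" # assumed require name for the shard

# Illustrative only: render a directives hash the way the header value above
# is laid out (directive name, its sources, "; " between directives).
def csp_value(directives : Hash(String, Array(String))) : String
  directives.map { |name, sources| ([name] + sources).join(" ") }.join("; ")
end

# Start from the shard's defaults (type matches the constructor signature:
# Hash(String, Array(String))) and tighten them.
directives = Kemal::Shield::ContentSecurityPolicy::DEFAULT_DIRECTIVES.dup

# Default is "'self' https: 'unsafe-inline'": inline styles and any https host.
# Restrict to same-origin stylesheets only.
directives["style-src"] = ["'self'"]

# Default allows fonts from any https: host; pin to one named host instead.
# fonts.example.com is a placeholder, not a real dependency.
directives["font-src"] = ["'self'", "https://fonts.example.com"]

# Ask browsers to POST violation reports to an endpoint we run (assumed path).
directives["report-uri"] = ["/csp-report"]

puts csp_value(directives)
# Sanity check against the constructed policy: no 'unsafe-inline' remains.
raise "inline styles still allowed" if csp_value(directives).includes?("'unsafe-inline'")

# Roll out in report-only mode first: the browser sends reports but does not
# block, so pages broken by the stricter policy surface before enforcement.
Kemal::Shield.config.csp_on = true
Kemal::Shield.config.csp_defaults = false
Kemal::Shield.config.csp_directives = directives
Kemal::Shield.config.csp_report_only = true

# Assumed report sink: log each violation report for review.
post "/csp-report" do |env|
  report = env.request.body.try(&.gets_to_end) || ""
  Log.warn { "CSP violation report: #{report}" }
  env.response.status_code = 204
  ""
end

get "/" do
  "hello"
end

Kemal.run
```

Once the logged reports show only expected violations, set csp_report_only back to false to enforce the tightened policy.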

Defined in:

kemal-shield/handlers/content_security_policy.cr

Constant Summary

DEFAULT_DIRECTIVES = {
  "default-src"               => ["'self'"],
  "base-uri"                  => ["'self'"],
  "block-all-mixed-content"   => [] of String,
  "font-src"                  => ["'self'", "https:", "data:"],
  "frame-ancestors"           => ["'self'"],
  "img-src"                   => ["'self'", "data:"],
  "object-src"                => ["'none'"],
  "script-src"                => ["'self'"],
  "script-src-attr"           => ["'none'"],
  "style-src"                 => ["'self'", "https:", "'unsafe-inline'"],
  "upgrade-insecure-requests" => [] of String,
}

Default Content-Security-Policy directives

Constructors

.new(use_defaults : Bool = true, directives : Hash(String, Array(String)) = DEFAULT_DIRECTIVES, report_only : Bool = false)

Instance Method Summary

#call(context)

Constructor Detail

def self.new(use_defaults : Bool = true, directives : Hash(String, Array(String)) = DEFAULT_DIRECTIVES, report_only : Bool = false)


Instance Method Detail

def call(context)
