

Clojure Ring Defaults - lkrubner
https://github.com/ring-clojure/ring-defaults

======
lkrubner
Working with Clojure, I used to be jealous that the ecosystem around Ruby had
gems as good as this:

[https://github.com/twitter/secureheaders](https://github.com/twitter/secureheaders)

Just reading the README is a bit of an education about Content Security Policy
(CSP).

But over the last 2 years I've been impressed by how much the ecosystem
around Clojure has been catching up, and the new Ring Defaults is an example
of that. These automatic security features are the kinds of things that drive
people toward monolithic frameworks (so they can get these benefits without
having to think about it) but I'm increasingly able to get these things
(almost) automatically in the world of Clojure, while still keeping to the
Clojure convention of using small, composable libraries, rather than
monolithic apps (and for the micro-services I build, monolithic apps are not
an option).

:anti-forgery - Set to true to add CSRF protection via the ring-anti-forgery
library.

:content-type-options - Prevents attacks based around media-type confusion.
See: wrap-content-type-options.

:frame-options - Prevents your site from being placed in frames or iframes.
See: wrap-frame-options.

:hsts - If true, enable HTTP Strict Transport Security. See: wrap-hsts.

:ssl-redirect - If true, redirect all HTTP requests to the equivalent HTTPS
URL. A map with an :ssl-port option may be set instead, if the HTTPS server is
on a non-standard port. See: wrap-ssl-redirect.

:xss-protection - Enable the X-XSS-Protection header that tells supporting
browsers to use heuristics to detect XSS attacks. See: wrap-xss-protection.
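The options listed above are keys of the :security map that ring-defaults' wrap-defaults consumes. The following is an added example, not code from the post or from the ring-defaults project, showing a handler wrapped with secure-site-defaults plus those options, and two constructed Ring request maps that exercise the middleware; the namespace name, the handler body and the port 8443 are assumptions.

```clojure
(ns example.secure-app
  (:require [ring.middleware.defaults :refer [wrap-defaults secure-site-defaults]]))

;; Plain handler: none of the security headers are set here, the middleware adds them.
(defn handler [_request]
  {:status  200
   :headers {"Content-Type" "text/html"}
   :body    "<h1>hello</h1>"})

;; Start from secure-site-defaults and set the :security options discussed above.
;; :ssl-redirect takes a map with :ssl-port when HTTPS is on a non-standard port.
(def config
  (-> secure-site-defaults
      (assoc-in [:security :anti-forgery] true)                      ; CSRF token check on POST etc.
      (assoc-in [:security :content-type-options] :nosniff)          ; X-Content-Type-Options
      (assoc-in [:security :frame-options] :deny)                    ; X-Frame-Options
      (assoc-in [:security :hsts] true)                              ; Strict-Transport-Security
      (assoc-in [:security :ssl-redirect] {:ssl-port 8443})          ; HTTP -> HTTPS, port assumed
      (assoc-in [:security :xss-protection] {:enable? true :mode :block})))

(def app (wrap-defaults handler config))

;; Constructed request maps (no real server involved) to observe the middleware's effect.
(def http-get
  {:request-method :get :uri "/" :scheme :http
   :server-name "localhost" :server-port 80 :headers {}})

(def https-post-without-token
  {:request-method :post :uri "/" :scheme :https
   :server-name "localhost" :server-port 8443 :headers {}})

(defn security-headers
  "Run a request through the wrapped app and keep only the headers the :security options add."
  [request]
  (select-keys (:headers (app request))
               ["X-Frame-Options" "X-Content-Type-Options"
                "X-XSS-Protection" "Strict-Transport-Security" "Location"]))

(defn -main [& _]
  ;; A plain-HTTP GET should be redirected to the HTTPS URL (:ssl-redirect).
  (println "HTTP GET   ->" (:status (app http-get)) (security-headers http-get))
  ;; A POST with no anti-forgery token should be rejected (:anti-forgery).
  (println "HTTPS POST ->" (:status (app https-post-without-token))
           (security-headers https-post-without-token)))
```

Run with lein or clj with ring-defaults on the classpath; a browser-submitted form would need the token from ring.util.anti-forgery/anti-forgery-field for the POST to be accepted.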

