Sleep SafeUser Guide
Overview
Guards your BedSheet web app against CSRF, XSS, and other attacks, letting you Sleep Safe at night!
For the most part, Sleep Safe is completely unobtrusive. Simply reference afSleepSafe
as a dependecny in your project's build.fan
and let the sensible defaults monitor your HTTP requests and set protective HTTP response headers.
Note that other Alien-Factory libraries integrate seemlessly with Sleep Safe:
- Duvet - When injecting scripts and stylesheets, Duvet will automatically adjust the Content-Security-Policy to include a hash of the added content.
- FormBean - When rendering forms, FormBean will automatically render any CSRF token as hidden inputs.
Sleep Safe Guards
Sleep Safe is BedSheet middleware that inspects HTTP requests as they come in and returns a 403 Forbidden
should an attack be suspected.
Request inspection is done by Guard classes, and include:
Class | Guards Against | Notes |
---|---|---|
Cross Site Scripting (XSS) | Sets a | |
Content Sniffing | Sets a | |
Cross Site Forgery Requests (CSRF) | Enforces an customisable Encrypted Token Pattern strategy | |
Clickjacking | Sets an | |
Private / Internal URL leaking | Sets a | |
Cross Site Forgery Requests (CSRF) | (Disabled by default) Checks the | |
Session Hijacking | Caches browser user-agent parameters and checks them on each request, dropping the session if they change. | |
Protocol Downgrades and Cookie Hijacking | (Disabled by default) Sets a | |
Cross Site Scripting (XSS) | Sets an |
See the individual class documentation for more details.
Guards are invoked by SleepSafe BedSheet Middleware which is configured before afBedSheet.routes
but after afBedSheet.assets
. This is because some guards may be processor and / or IO intensive and static asset files usually need not be protected. If you prefere SleepSafe be run on every request, then overwrite the Middleware contribution.
IoC Configuration
When a Guard rejects a HTTP request, it processes a standard BedSheet HttpStatus
object with a 403 - Forbidden
status code. This is then handled by BedSheet in the usual manner, for you to override - see HTTP Status Processing.
Use IoC Config to change the status code:
@Contribute { serviceType=ApplicationDefaults# } Void contributeAppDefaults(Configuration config) { config["afSleepSafe.rejectedStatusCode"] = 400 }
or as SleepSafeMiddleware is a service, you can override it and the rejectSuspectedAttack()
method.
References
Use https://observatory.mozilla.org/ to probe your site's HTTP response headers and give information on how best to configure them.
Sleep Safe was inspired by Ruby's Rack Protection library.