Sleep SafeUser Guide

Overview

Guards your BedSheet web app against CSRF, XSS, and other attacks, letting you Sleep Safe at night!

For the most part, Sleep Safe is completely unobtrusive. Simply reference afSleepSafe as a dependecny in your project's build.fan and let the sensible defaults monitor your HTTP requests and set protective HTTP response headers.

Note that other Alien-Factory libraries integrate seemlessly with Sleep Safe:

Duvet - When injecting scripts and stylesheets, Duvet will automatically adjust the Content-Security-Policy to include a hash of the added content.
FormBean - When rendering forms, FormBean will automatically render any CSRF token as hidden inputs.

Sleep Safe Guards

Sleep Safe is BedSheet middleware that inspects HTTP requests as they come in and returns a 403 Forbidden should an attack be suspected.

Request inspection is done by Guard classes, and include:

Class	Guards Against	Notes
CspGuard	Cross Site Scripting (XSS)	Sets a `Content-Security-Policy` HTTP response header that tells browsers to restrict where content can be loaded from.
ContentTypeGuard	Content Sniffing	Sets a `X-Content-Type-Options` HTTP response header that tells browsers to trust the `Content-Type` header
CsrfTokenGuard	Cross Site Forgery Requests (CSRF)	Enforces an customisable Encrypted Token Pattern strategy
FrameOptionsGuard	Clickjacking	Sets an `X-Frame-Options` HTTP header that tells browsers not to embed the page in a frame
ReferrerPolicyGuard	Private / Internal URL leaking	Sets a `Referrer-Policy` HTTP response header that tells browsers how and when to transmit the HTTP Referer (sic) header
SameOriginGuard	Cross Site Forgery Requests (CSRF)	(Disabled by default) Checks the `Referer` or `Origin` HTTP header matches the `Host`
SessionHijackGuard	Session Hijacking	Caches browser user-agent parameters and checks them on each request, dropping the session if they change.
StrictTransportGuard	Protocol Downgrades and Cookie Hijacking	(Disabled by default) Sets a `Strict-Transport-Security` HTTP header that tells browsers to use HTTPS
XssProtectionGuard	Cross Site Scripting (XSS)	Sets an `X-XSS-Protection` HTTP header that tells browsers enable XSS filtering

See the individual class documentation for more details.

Guards are invoked by SleepSafe BedSheet Middleware which is configured before afBedSheet.routes but after afBedSheet.assets. This is because some guards may be processor and / or IO intensive and static asset files usually need not be protected. If you prefere SleepSafe be run on every request, then overwrite the Middleware contribution.

IoC Configuration

When a Guard rejects a HTTP request, it processes a standard BedSheet HttpStatus object with a 403 - Forbidden status code. This is then handled by BedSheet in the usual manner, for you to override - see HTTP Status Processing.

Use IoC Config to change the status code:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.rejectedStatusCode"] = 400
}

or as SleepSafeMiddleware is a service, you can override it and the rejectSuspectedAttack() method.

References

Use https://observatory.mozilla.org/ to probe your site's HTTP response headers and give information on how best to configure them.

Sleep Safe was inspired by Ruby's Rack Protection library.