Sleep SafeUser Guide

Overview

Guards your BedSheet web app against CSRF, XSS, and other attacks, letting you Sleep Safe at night!

For the most part, Sleep Safe is completely unobtrusive. Simply reference afSleepSafe as a dependecny in your project's build.fan and let the sensible defaults monitor your HTTP requests and set protective HTTP response headers.

Note that other Alien-Factory libraries integrate seemlessly with Sleep Safe:

  • Duvet - When injecting scripts and stylesheets, Duvet will automatically adjust the Content-Security-Policy to include a hash of the added content.
  • FormBean - When rendering forms, FormBean will automatically render any CSRF token as hidden inputs.

Sleep Safe Guards

Sleep Safe is BedSheet middleware that inspects HTTP requests as they come in and returns a 403 Forbidden should an attack be suspected.

Request inspection is done by Guard classes, and include:

Class

Guards Against

Notes

Cross Site Scripting (XSS)

Sets a Content-Security-Policy HTTP response header that tells browsers to restrict where content can be loaded from.

Content Sniffing

Sets a X-Content-Type-Options HTTP response header that tells browsers to trust the Content-Type header

Cross Site Forgery Requests (CSRF)

Enforces an customisable Encrypted Token Pattern strategy

Clickjacking

Sets an X-Frame-Options HTTP header that tells browsers not to embed the page in a frame

Private / Internal URL leaking

Sets a Referrer-Policy HTTP response header that tells browsers how and when to transmit the HTTP Referer (sic) header

Cross Site Forgery Requests (CSRF)

(Disabled by default) Checks the Referer or Origin HTTP header matches the Host

Session Hijacking

Caches browser user-agent parameters and checks them on each request, dropping the session if they change.

Protocol Downgrades and Cookie Hijacking

(Disabled by default) Sets a Strict-Transport-Security HTTP header that tells browsers to use HTTPS

Cross Site Scripting (XSS)

Sets an X-XSS-Protection HTTP header that tells browsers enable XSS filtering

See the individual class documentation for more details.

Guards are invoked by SleepSafe BedSheet Middleware which is configured before afBedSheet.routes but after afBedSheet.assets. This is because some guards may be processor and / or IO intensive and static asset files usually need not be protected. If you prefere SleepSafe be run on every request, then overwrite the Middleware contribution.

IoC Configuration

When a Guard rejects a HTTP request, it processes a standard BedSheet HttpStatus object with a 403 - Forbidden status code. This is then handled by BedSheet in the usual manner, for you to override - see HTTP Status Processing.

Use IoC Config to change the status code:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.rejectedStatusCode"] = 400
}

or as SleepSafeMiddleware is a service, you can override it and the rejectSuspectedAttack() method.

References

Use https://observatory.mozilla.org/ to probe your site's HTTP response headers and give information on how best to configure them.

Sleep Safe was inspired by Ruby's Rack Protection library.