plume
Sensible HTTP security headers for Gleam web servers, inspired by helmet. Built on gleam_http, so it works with wisp, mist, or any other compatible server.
Build a Config describing which headers to set on outgoing responses,
then apply it. default ships a reasonable starter policy; new
starts with no headers set.
As a `use` middleware, wrapping a handler so the headers are set on whatever response it returns:
use <- plume.middleware(plume.default())
response.new(200)
Or directly on a response:
response.new(200)
|> plume.set_headers(plume.default())
Types
Which security headers Plume should set on a response. Each field is
optional — None leaves the corresponding header untouched.
pub type Config {
  Config(
    content_security_policy: option.Option(
      content_security_policy.ContentSecurityPolicy,
    ),
    content_type_options: option.Option(
      content_type_options.ContentTypeOptions,
    ),
    cross_origin_embedder_policy: option.Option(
      cross_origin_embedder_policy.CrossOriginEmbedderPolicy,
    ),
    cross_origin_opener_policy: option.Option(
      cross_origin_opener_policy.CrossOriginOpenerPolicy,
    ),
    cross_origin_resource_policy: option.Option(
      cross_origin_resource_policy.CrossOriginResourcePolicy,
    ),
    dns_prefetch_control: option.Option(
      dns_prefetch_control.DnsPrefetchControl,
    ),
    download_options: option.Option(
      download_options.DownloadOptions,
    ),
    frame_options: option.Option(frame_options.FrameOptions),
    origin_agent_cluster: option.Option(
      origin_agent_cluster.OriginAgentCluster,
    ),
    permissions_policy: option.Option(
      permissions_policy.PermissionsPolicy,
    ),
    permitted_cross_domain_policies: option.Option(
      permitted_cross_domain_policies.PermittedCrossDomainPolicies,
    ),
    referrer_policy: option.Option(referrer_policy.ReferrerPolicy),
    strict_transport_security: option.Option(
      strict_transport_security.StrictTransportSecurity,
    ),
    xss_protection: option.Option(xss_protection.XssProtection),
  )
}
Constructors
Values
pub fn default() -> Config
A Config with sensible defaults: a starter CSP, nosniff,
SameOrigin frame options, HSTS for one year on the host and its
subdomains, and other widely-recommended values.
Examples
Override individual fields with record update syntax:
Config(..default(), frame_options: Some(frame_options.Deny))
pub fn middleware(
  config: Config,
  handler: fn() -> response.Response(body),
) -> response.Response(body)
Run handler and set the headers from config on the resulting response.
pub fn new() -> Config
A Config with no headers configured. Use this when you want to opt in
to each header individually rather than starting from default.
pub fn set_headers(
  resp: response.Response(body),
  config: Config,
) -> response.Response(body)
Set the headers from config on an existing response.
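Putting the pieces above together, as an added example that is not part of the plume docs: one policy is built from default() with framing tightened from SameOrigin to Deny, another from new() with only frame options opted in, and each is applied through middleware and set_headers respectively. It assumes frame_options.Deny exists as shown in the record-update example, and that plume writes the standard X-Frame-Options header name (gleam_http stores header names lowercased, which is what get_header is matched against).

```gleam
import gleam/bool
import gleam/http/response
import gleam/io
import gleam/option.{None, Some}
import plume
import plume/frame_options

/// Hardened policy: keep every default header but refuse all framing
/// (Deny) rather than allowing same-origin frames.
pub fn hardened() -> plume.Config {
  plume.Config(..plume.default(), frame_options: Some(frame_options.Deny))
}

/// Opt-in policy: start with nothing set and enable only frame options.
/// Every other field stays None, so those headers are left untouched.
pub fn frame_only() -> plume.Config {
  plume.Config(..plume.new(), frame_options: Some(frame_options.Deny))
}

/// A handler wrapped by plume.middleware: the headers from `hardened()`
/// are set on the response this function returns.
pub fn handle() -> response.Response(String) {
  use <- plume.middleware(hardened())
  response.new(200)
  |> response.set_body("ok")
}

/// Same effect on an already-built response, using set_headers directly.
pub fn opt_in_response() -> response.Response(String) {
  response.new(200)
  |> response.set_body("ok")
  |> plume.set_headers(frame_only())
}

/// True when the response carries an X-Frame-Options header. Assumes plume
/// emits that standard header name (constructed check for this example).
pub fn has_frame_options(resp: response.Response(body)) -> Bool {
  case response.get_header(resp, "x-frame-options") {
    Ok(_) -> True
    Error(Nil) -> False
  }
}

pub fn main() {
  io.println(bool.to_string(has_frame_options(handle())))
  io.println(bool.to_string(has_frame_options(opt_in_response())))
  // A bare response, with no policy applied, has no such header.
  io.println(bool.to_string(has_frame_options(response.new(200))))
}
```

A check like has_frame_options belongs in the test suite of any service that relies on these headers, so a refactor that drops the middleware from a route is caught before deployment.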