Title: | Security for 'Ambiorix' Applications
---|---
Description: | Security middlewares for "Ambiorix" applications.
Authors: | John Coene [aut, cre], Opifex [fnd, cph]
Maintainer: | John Coene <[email protected]>
License: | GPL (>= 2)
Version: | 0.0.1.9000
Built: | 2025-03-13 02:44:30 UTC
Source: | https://github.com/ambiorix-web/agris
use_content_security_policy

Adds relevant Content-Security-Policy headers.

Usage:

```r
use_content_security_policy()
```

The policy sets the following directives:

```
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
```
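As an added illustration of how the directive list above becomes one header value (this is example code written for this page, not agris's own implementation), the helper below serialises a named list of directives into a `Content-Security-Policy` string and then reviews the list for sources a hardened policy would rather not carry. The `build_csp()` and `csp_findings()` names are assumptions; the directive values are the ones listed on this page, constructed here as an R list.

```r
# Added example (not part of agris): serialise a named list of CSP
# directives into a Content-Security-Policy header value.
# Directives whose value is TRUE are emitted as bare keywords
# (e.g. block-all-mixed-content); others as "name source source ...".
build_csp <- function(directives) {
  parts <- vapply(names(directives), function(name) {
    value <- directives[[name]]
    if (isTRUE(value)) {
      name
    } else {
      paste(name, paste(value, collapse = " "))
    }
  }, character(1), USE.NAMES = FALSE)
  paste(parts, collapse = "; ")
}

# The directives documented for use_content_security_policy(), constructed
# here as a named list (the package builds its own string internally).
csp_directives <- list(
  "base-uri"                  = "'self'",
  "block-all-mixed-content"   = TRUE,
  "font-src"                  = c("'self'", "https:", "data:"),
  "form-action"               = "'self'",
  "frame-ancestors"           = "'self'",
  "img-src"                   = c("'self'", "data:"),
  "object-src"                = "'none'",
  "style-src"                 = c("'self'", "https:", "'unsafe-inline'"),
  "upgrade-insecure-requests" = TRUE
)

header_value <- build_csp(csp_directives)
cat("Content-Security-Policy:", header_value, "\n")

# Review helper: report directives that weaken the policy, such as
# 'unsafe-inline' (present in style-src above) or a wildcard source.
csp_findings <- function(directives) {
  findings <- character(0)
  for (name in names(directives)) {
    value <- directives[[name]]
    if (isTRUE(value)) next
    if ("'unsafe-inline'" %in% value) {
      findings <- c(findings, sprintf("%s allows 'unsafe-inline'", name))
    }
    if ("*" %in% value) {
      findings <- c(findings, sprintf("%s allows any origin (*)", name))
    }
  }
  findings
}

print(csp_findings(csp_directives))
```

Running this prints the assembled header and a single finding for `style-src`, since `'unsafe-inline'` lets any injected `<style>` block or `style` attribute apply; whether that trade-off is acceptable depends on how the application emits its CSS.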
use_content_type_options

Sets the X-Content-Type-Options header to nosniff (default).

Usage:

```r
use_content_type_options(value = "nosniff")
```

Arguments:

value: Value to set.
use_cross_origin_embedder_policy

Sets the Cross-Origin-Embedder-Policy header to require-corp (default), so the document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.

Usage:

```r
use_cross_origin_embedder_policy(policy = c("require-corp", "unsafe-none"))
```

Arguments:

policy: Policy to set.
use_cross_origin_opener_policy

Sets the Cross-Origin-Opener-Policy header to same-origin (default).

Usage:

```r
use_cross_origin_opener_policy(
  policy = c("same-origin", "same-origin-allow-popups", "unsafe-nonce")
)
```

Arguments:

policy: Policy to set.
use_cross_origin_resource_policy

Sets the Cross-Origin-Resource-Policy header to same-origin (default).

Usage:

```r
use_cross_origin_resource_policy(
  policy = c("same-origin", "same-site", "cross-origin")
)
```

Arguments:

policy: Policy to set.
use_dns_prefetch_control

Sets the X-DNS-Prefetch-Control header to on (default).

Usage:

```r
use_dns_prefetch_control(policy = c("on", "off"))
```

Arguments:

policy: Policy to set.
use_download_options

Sets the X-Download-Options header to noopen; this header is Internet Explorer specific.

Usage:

```r
use_download_options()
```
use_frame_options

Sets the X-Frame-Options header to DENY (default).

Usage:

```r
use_frame_options(policy = c("DENY", "SAMEORIGIN"))
```

Arguments:

policy: Policy to set.
use_hide_powered_by

Hides the X-Powered-By header. Someone may want to exploit vulnerabilities of R or ambiorix; hiding this header gives those people less information about the stack.

Usage:

```r
use_hide_powered_by(value = NA)
```

Arguments:

value: Value to set the header to.
use_origin_agent_cluster

Sets the Origin-Agent-Cluster header to true. This is a mechanism that allows web applications to isolate their origins.

Usage:

```r
use_origin_agent_cluster(value = "?1")
```

Arguments:

value: Value to set.
use_permitted_cross_domain_policies

Sets the X-Permitted-Cross-Domain-Policies header to none. Tells some clients (mostly Adobe products) your domain's policy for loading cross-domain content.

Usage:

```r
use_permitted_cross_domain_policies(
  policy = c("none", "master-only", "by-content-type", "all")
)
```

Arguments:

policy: Policy to set.
use_referrer_policy

Sets the Referrer-Policy header to no-referrer (default). Controls how much referrer information (sent with the Referer header) should be included with requests.

Usage:

```r
use_referrer_policy(
  policy = c(
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url"
  )
)
```

Arguments:

policy: Policy to set.
use_strict_transport_security

Sets the Strict-Transport-Security header, which informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

Usage:

```r
use_strict_transport_security(
  max_age = 15552000,
  include_subdomains = FALSE,
  preload = FALSE
)
```

Arguments:

max_age: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Defaults to 6 months.

include_subdomains: Whether this rule also applies to all of the site's subdomains.

preload: Not part of the specification; see MDN.
use_xss_protection

Sets the X-XSS-Protection header to 1; mode=block, which enables XSS filtering; rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

Usage:

```r
use_xss_protection(policy = "1; mode=block")
```

Arguments:

policy: Policy to set.
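To show how the headers documented on this page fit together in an ambiorix application, here is an added example (written for this page, not agris's own code) that hand-builds a middleware applying every default listed above, including the Strict-Transport-Security value composed from the three `use_strict_transport_security()` parameters, and a small check that compares headers observed on a response against those defaults. It assumes ambiorix middleware has the signature `function(req, res)` and that `res$header(name, value)` sets a response header; the helper names `build_hsts()`, `security_header_defaults()`, `security_headers()` and `missing_security_headers()` are this example's own. One caveat a practitioner should keep in mind: X-XSS-Protection is a legacy header that current browsers ignore, so it should be treated as defence in depth for old clients rather than as XSS protection in its own right.

```r
library(ambiorix)

# Added example, not agris's own implementation. Builds the header
# defaults documented on this page by hand so they can be inspected.

# Strict-Transport-Security value from the documented parameters:
# "max-age=<seconds>" plus the optional includeSubDomains / preload tokens.
build_hsts <- function(max_age = 15552000, include_subdomains = FALSE,
                       preload = FALSE) {
  stopifnot(is.numeric(max_age), length(max_age) == 1, max_age >= 0)
  value <- sprintf("max-age=%d", as.integer(max_age))
  if (isTRUE(include_subdomains)) value <- paste0(value, "; includeSubDomains")
  if (isTRUE(preload)) value <- paste0(value, "; preload")
  value
}

# Header name -> value, at the defaults documented for each use_* function.
# X-Powered-By is deliberately absent, matching use_hide_powered_by().
security_header_defaults <- function() {
  c(
    "X-Content-Type-Options"            = "nosniff",
    "Cross-Origin-Embedder-Policy"      = "require-corp",
    "Cross-Origin-Opener-Policy"        = "same-origin",
    "Cross-Origin-Resource-Policy"      = "same-origin",
    "X-DNS-Prefetch-Control"            = "on",
    "X-Download-Options"                = "noopen",
    "X-Frame-Options"                   = "DENY",
    "Origin-Agent-Cluster"              = "?1",
    "X-Permitted-Cross-Domain-Policies" = "none",
    "Referrer-Policy"                   = "no-referrer",
    "Strict-Transport-Security"         = build_hsts(),
    "X-XSS-Protection"                  = "1; mode=block"
  )
}

# Middleware: assumed ambiorix signature function(req, res) and assumed
# res$header(name, value) method for setting a response header.
security_headers <- function(req, res) {
  headers <- security_header_defaults()
  for (name in names(headers)) {
    res$header(name, headers[[name]])
  }
}

# Verification helper: given a named character vector of headers observed
# on a response (e.g. parsed from a probe of your own deployment), return
# the names of headers that are missing or differ from the defaults.
missing_security_headers <- function(observed) {
  expected <- security_header_defaults()
  got <- observed[names(expected)]
  names(expected)[is.na(got) | got != expected]
}

# Constructed sample of observed headers: two are missing, one differs.
observed_sample <- c(
  "X-Content-Type-Options"    = "nosniff",
  "X-Frame-Options"           = "SAMEORIGIN",
  "Referrer-Policy"           = "no-referrer",
  "Strict-Transport-Security" = "max-age=15552000"
)
print(missing_security_headers(observed_sample))

app <- Ambiorix$new()
app$use(security_headers)
app$get("/", function(req, res) res$send("hello"))
# app$start()
```

The check returns every name from the defaults table that the constructed sample lacks, plus `X-Frame-Options` because its observed value is `SAMEORIGIN` rather than `DENY`; pointing the same helper at headers captured from a real response gives a quick drift check after a deployment.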