| Title: | Security for 'Ambiorix' Applications |
|---|---|
| Description: | Security middlewares for "Ambiorix" applications. |
| Authors: | John Coene [aut, cre], Opifex [fnd, cph] |
| Maintainer: | John Coene <[email protected]> |
| License: | GPL (>= 2) |
| Version: | 0.0.1.9000 |
| Built: | 2025-03-13 02:44:30 UTC |
| Source: | https://github.com/ambiorix-web/agris |
Adds relevant Content-Security-Policy headers.
use_content_security_policy()use_content_security_policy()
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests
Sets the X-Content-Type-Options to nosniff (default).
use_content_type_options(value = "nosniff")use_content_type_options(value = "nosniff")
value |
Value to set. |
Sets the Cross-Origin-Embedder-Policy to require-corp (default),
so the document can only load resources from the same origin,
or resources explicitly marked as loadable from another origin.
use_cross_origin_embedder_policy(policy = c("require-corp", "unsafe-none"))use_cross_origin_embedder_policy(policy = c("require-corp", "unsafe-none"))
policy |
Policy to set. |
Sets the Cross-Origin-Opener-Policy to
same-origin (default).
use_cross_origin_opener_policy( policy = c("same-origin", "same-origin-allow-popups", "unsafe-nonce") )use_cross_origin_opener_policy( policy = c("same-origin", "same-origin-allow-popups", "unsafe-nonce") )
policy |
Policy to set. |
Sets the Cross-Origin-Resource-Policy to same-origin (default).
use_cross_origin_resource_policy( policy = c("same-origin", "same-site", "cross-origin") )use_cross_origin_resource_policy( policy = c("same-origin", "same-site", "cross-origin") )
policy |
Policy to set. |
Sets the X-DNS-Prefetch-Control header to on (default).
use_dns_prefetch_control(policy = c("on", "off"))use_dns_prefetch_control(policy = c("on", "off"))
policy |
Policy to set. |
Sets to the X-Download-Options header to noopen,
this is IE specific.
use_download_options()use_download_options()
Sets X-Frame-Options header to DENY (default).
use_frame_options(policy = c("DENY", "SAMEORIGIN"))use_frame_options(policy = c("DENY", "SAMEORIGIN"))
policy |
Policy to set. |
Hides the X-Powered-By header.
Someone may want to exploit vulnerabilities of R or ambiorix,
hiding this provides less information to those people.
use_hide_powered_by(value = NA)use_hide_powered_by(value = NA)
value |
Value to set the header to. |
Sets the Origin-Agent-Cluster to true.
Mechanism to allow web applications to isolate their origins.
use_origin_agent_cluster(value = "?1")use_origin_agent_cluster(value = "?1")
value |
Value to set. |
Sets the X-Permitted-Cross-Domain-Policies header to none.
Tells some clients (mostly Adobe products) your domain's policy
for loading cross-domain content.
use_permitted_cross_domain_policies( policy = c("none", "master-only", "by-content-type", "all") )use_permitted_cross_domain_policies( policy = c("none", "master-only", "by-content-type", "all") )
policy |
Policy to set. |
Sets the Referrer-Policy header to no-referrer (default).
Controls how much referrer information (sent with the Referer header)
should be included with requests.
use_referrer_policy( policy = c("no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url") )use_referrer_policy( policy = c("no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url") )
policy |
Policy to set. |
Sets the Strict-Transport-Security header,
which nforms browsers that the site should only be
accessed using HTTPS, and that any future attempts
to access it using HTTP should automatically be
converted to HTTPS.
use_strict_transport_security( max_age = 15552000, include_subdomains = FALSE, preload = FALSE )use_strict_transport_security( max_age = 15552000, include_subdomains = FALSE, preload = FALSE )
max_age |
The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Defaults to 6 months. |
include_subdomains |
Whether to apply this rule applies to all of the site's subdomains as well. |
preload |
Not part of specs, see MDN |
Sets the X-XSS-Protection header to 1; mode=block to
enable XSS filtering and rather than sanitizing the page,
the browser will prevent rendering of the page if an attack is detected.
use_xss_protection(policy = "1; mode=block")use_xss_protection(policy = "1; mode=block")
policy |
Policy to set. |