Security is a very important part to building an application, and Lucky comes with a few small tools to help you out.
If you look in your src/actions/browser_action.cr, you’ll see Lucky has added the Lucky::ProtectFromForgery module, which helps to protect you against Cross-Site Request Forgery (CSRF).
There’s a few other modules you can include in your actions to help secure your app against attacks. It’s up to you to decide which ones work best for your needs.
SetCSPGuard
This module sets the HTTP header Content-Security-Policy. It’s job is to prevent a wide range of attacks like Cross-Site Scripting.
Include this module in the actions you want to add this to.
A required method csp_guard_value must be defined
class BrowserAction < Lucky::Action
include Lucky::SecureHeaders::SetCSPGuard
def csp_guard_value : String
String.build do |io|
io << "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: https://cdn.somecss.com"
end
end
end
SetFrameGuard
This module sets the HTTP header X-Frame-Options. It’s job is responsible for deciding which site can call your site from within a frame. For more information, read up on Clickjacking.
abstract class BrowserAction < Lucky::Action
include Lucky::SecureHeaders::SetFrameGuard
def frame_guard_value : String
"deny"
end
end
The
frame_guard_valuemethod is required, and must be"sameorigin","deny", or a valid URL for your website. The explicit return type (Stringin this example) is required when you override abstract method with explicit return type.
SetSniffGuard
This module sets the HTTP header X-Content-Type-Options. It’s job is responsible for disabling mime type sniffing. For more information, read up on MIME type security.
abstract class BrowserAction < Lucky::Action
include Lucky::SecureHeaders::SetSniffGuard
end
SetXSSGuard
This module sets the HTTP header X-XSS-Protection. It’s job is responsible for telling the browser to not render a page if it detects cross-site scripting. Lucky disables this header for Internet Explorer version < 9 for you as per recommendations. Read more on Microsoft.
abstract class BrowserAction < Lucky::Action
include Lucky::SecureHeaders::SetXSSGuard
end
‘Strict-Transport-Security’ header
is used for telling a browser that this site should only be accessed using HTTPS.
Lucky comes with a Lucky::ForceSSLHandler handler already included, but disabled by default. To enable this, go to config/server.cr, and set the settings.enabled option to true.
If you would like to enable HSTS, you can add the options to the settings.strict_transport_security option.
# config/server.cr
Lucky::ForceSSLHandler.configure do |settings|
settings.enabled = LuckyEnv.production?
settings.strict_transport_security = {max_age: 1.year, include_subdomains: true}
end
The ‘Permissions-Policy’ header is a part of Google’s Federated Learning of Cohorts (FLoC) which is used to track browsing history instead of using 3rd-party cookies.
Lucky disables this feature by setting the header value to interest-cohort=() with the Lucky::SecureHeaders::DisableFLoC
module. If you want to enable this tracking for your application, you must remove the module include from your BrowserAction,
then add in the specific cohort you need.