Ring-Defaults

Knowing what middleware to add to a Ring application, and in what order, can be difficult and prone to error.

This library attempts to automate the process, by providing sensible and secure default configurations of Ring middleware for both websites and HTTP APIs.

Note: Ring-Defaults is currently in development and not yet released.

Installation

Add the following dependency to your project.clj:

[ring/ring-defaults "0.1.0-SNAPSHOT"]

Basic Usage

The wrap-defaults middleware sets up standard Ring middleware based on a supplied configuration:

(require '[ring.middleware.defaults :refer :all])

(def site
  (wrap-defaults handler site-defaults)

There are four configurations included with the middleware

• api-defaults
• site-defaults
• secure-api-defaults
• secure-site-defaults

The "api" defaults will add support for urlencoded parameters, but not much else.

The "site" defaults add support for parameters, cookies, sessions, static resources, file uploads, and a bunch of browser-specific security headers.

The "secure" defaults force SSL. Unencrypted HTTP URLs are redirected to the equivlant HTTPS URL, and various headers and flags are sent to prevent the browser sending sensitive information over insecure channels.

Customizing

The default configurations are just maps of options, and can be customized to suit your needs.

The following configuration keys are supported:

• :cookies - Set to true to parse cookies from the request.

• :params - A map of options that describes how to parse parameters from the request.

  • :keywordize - Set to true to turn the parameter keys into keywords.

  • :multipart - Set to true to parse urlencoded parameters in the query string and the request body, or supply a map of options to pass to the standard Ring multipart-params middleware.

  • :nested - Set to true to allow nested parameters via the standard Ring nested-params middleware

  • :urlencoded - Set to true to parse urlencoded parameters in the query string and the request body.

• :proxy - Set to true if the application is running behind a reverse proxy or load balancer.

• :responses - A map of options to augment the responses from your application.

  • :absolute-redirects Any redirects to relative URLs will be turned into redirects to absolute URLs, to better conform to the HTTP spec.

  • :content-type Adds the standard Ring content-type middleware.

  • :not-modified-responses Adds the standard Ring not-modified middleware.

• :security - Options for security related behaviors and headers.

  • :anti-forgery - Set to true to add CSRF protection via the ring-anti-forgery library.

  • :content-type-options - Prevents attacks based around media-type confusion. See: wrap-content-type-options.

  • :frame-options - Prevents your site from being placed in frames or iframes. See: wrap-frame-options.

  • :hsts - If true, enable HTTP Strict Transport Security. See: wrap-hsts.

  • :ssl-redirect - If true, redirect all HTTP requests to the equivalent HTTPS URL. A map with an :ssl-port option may be set instead, if the HTTPS server is on a non-standard port. See: wrap-ssl-redirect.

  • :xss-protection - Enable the X-XSS-Protection header that tells supporting browsers to use heuristics to detect XSS attacks. See: wrap-xss-protection.

• :session - A map of options for configuring session handling via the Ring session middleware.

  • :flash - If set to true, the Ring flash middleware is added.

  • :store - The Ring session store to use for storing sessions.

• :static A map of options to configure how to find static content.

  • :files - A string containing a directory on disk to serve files from. Usually the :resources option below is more useful.

  • :resources - A string containing a classpath prefix. This will serve any resources in locations starting with the supplied prefix.

License

Copyright © 2014 James Reeves

Distributed under the MIT License, the same as Ring.