hails-0.11.0.0: Multi-app web platform framework

Safe HaskellTrustworthy

Hails.HttpServer

Contents

Description

This module exports the core of the Hails HTTP server. Specifically it defines basic types, such as HTTP Request and Response, used by the Hails web server and untrusted Hails Applications.

At a high level, a Hails Application, is a function from Request to Response in the DC monad. Every application response is sanitized and sanity checked with the secureApplication Middleware. Moreover, every Request is sanitized with sanitizeReq before handed over to authenticators.

Hails uses Wai, and as such we provide a function for converting Hails Applications to Wai Applicatoins: execHailsApplication.

Synopsis

Documentation

Execute Hails application

execHailsApplication :: Middleware -> Application -> ApplicationSource

Execute an application, safely filtering unsafe request headers, overriding method posts, catching all exceptions, and sanitizing responses.

Middleware used by Hails

sanitizeReqMiddleware :: MiddlewareSource

Remove any unsafe headers, in this case only X-Hails-User.

browserLabelGuard :: MiddlewareSource

Hails Middleware that ensures the Response from the application is readable by the client's browser (as determined by the result label of the app computation and the label of the browser). If the response is not readable by the browser, the middleware sends a 403 (unauthorized) response instead.

guardSensitiveResp :: MiddlewareSource

Adds the header Content-Security-Policy to the response, if the label of the computation does not flow to the public label, dcPublic. The default-src directive is set to the secrecy component of the response label (if it is a disjunction of principals). Currently, self is always added to the whitelist. An example may be:

 Content-Security-Policy: default-src 'self' http://google.com:80 https://a.lvh.me:3000;

sanitizeResp :: MiddlewareSource

Remove anything from the response that could cause inadvertant declasification. Currently this only removes the Set-Cookie header.

catchAllExceptions :: MiddlewareSource

Catch all exceptions thrown by middleware and return 500.

Network types