Safe Haskell: Trustworthy
This module exports the core of the Hails HTTP server. Specifically, it defines basic types, such as HTTP Request and Response, used by the Hails web server and untrusted Hails Applications.

At a high level, a Hails Application is a function from Request to Response in the DC monad. Every application response is sanitized and sanity-checked with the secureApplication Middleware. Moreover, every Request is sanitized with sanitizeReq before being handed over to authenticators.

Hails uses Wai, and as such we provide a function for converting Hails Applications to Wai Applications: execHailsApplication.
Documentation

module Hails.HttpServer.Types

Execute Hails application

execHailsApplication :: Middleware -> Application -> Application

Execute an application, safely filtering unsafe request headers, overriding method posts, catching all exceptions, and sanitizing responses.

Middleware used by Hails

sanitizeReqMiddleware :: Middleware

Remove any unsafe headers, in this case only X-Hails-User.

browserLabelGuard :: Middleware

Hails Middleware that ensures the Response from the application is readable by the client's browser (as determined by the result label of the app computation and the label of the browser). If the response is not readable by the browser, the middleware sends a 403 (unauthorized) response instead.

guardSensitiveResp :: Middleware

Adds the header Content-Security-Policy to the response if the label of the computation does not flow to the public label, dcPublic. The default-src directive is set to the secrecy component of the response label (if it is a disjunction of principals). Currently, 'self' is always added to the whitelist. An example may be:

    Content-Security-Policy: default-src 'self' http://google.com:80 https://a.lvh.me:3000;

sanitizeResp :: Middleware

Remove anything from the response that could cause inadvertent declassification. Currently this only removes the Set-Cookie header.

catchAllExceptions :: Middleware

Catch all exceptions thrown by middleware and return 500.
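The three response-side checks above (browserLabelGuard, guardSensitiveResp and sanitizeResp) are easiest to understand as one chain over a label and a response. The following is an added, constructed model written in Python, not Hails code: it reduces DC labels to their secrecy component in conjunctive normal form (a set of clauses, each a set of principals, with the empty set standing in for dcPublic), and the order of the chain, the public labelling of the 403 error response, and the 'self'-only policy for labels that are not a single disjunction are assumptions of this example rather than documented Hails behaviour.

```python
# Constructed model of the Hails response-side middleware chain (not Hails code).
# Labels are reduced to their secrecy component in CNF; order of the chain,
# labelling of the 403 response and multi-clause handling are assumptions.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

Clause = FrozenSet[str]       # a disjunction of principals, e.g. browser origins
Secrecy = FrozenSet[Clause]   # a conjunction of clauses (CNF)

DC_PUBLIC: Secrecy = frozenset()   # no clauses: unrestricted, like dcPublic


def can_flow_to(src: Secrecy, dst: Secrecy) -> bool:
    """Data labeled `src` may be read at `dst` iff dst's formula implies src's:
    every clause of src must be a superset of (be implied by) some clause of dst."""
    return all(any(c2 <= c1 for c2 in dst) for c1 in src)


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: bytes = b""


@dataclass
class AppResult:
    """What the app computation yields: its final label plus the Response."""
    label: Secrecy
    response: Response


def browser_label_guard(result: AppResult, browser: Secrecy) -> AppResult:
    """Replace the response with a 403 when its label does not flow to the browser.
    Assumption: the error response carries nothing sensitive, so it is labeled public."""
    if can_flow_to(result.label, browser):
        return result
    return AppResult(DC_PUBLIC, Response(403, [("Content-Type", "text/plain")], b"Forbidden"))


def csp_default_src(secrecy: Secrecy) -> str:
    """Build default-src from a single-clause secrecy component; 'self' is always whitelisted.
    Assumption: when secrecy is not a single disjunction, only 'self' is allowed."""
    sources = ["'self'"]
    if len(secrecy) == 1:
        (clause,) = secrecy
        sources.extend(sorted(clause))
    return "default-src " + " ".join(sources) + ";"


def guard_sensitive_resp(result: AppResult, browser: Secrecy) -> AppResult:
    """Add Content-Security-Policy when the result label does not flow to public."""
    if can_flow_to(result.label, DC_PUBLIC):
        return result
    headers = result.response.headers + [("Content-Security-Policy", csp_default_src(result.label))]
    return AppResult(result.label, Response(result.response.status, headers, result.response.body))


def sanitize_resp(result: AppResult, browser: Secrecy) -> AppResult:
    """Drop Set-Cookie so a sensitive response cannot declassify data via cookies."""
    headers = [(k, v) for k, v in result.response.headers if k.lower() != "set-cookie"]
    return AppResult(result.label, Response(result.response.status, headers, result.response.body))


# Assumed order of the chain (the page does not state secureApplication's order).
MIDDLEWARE = [browser_label_guard, guard_sensitive_resp, sanitize_resp]


def secure_response(result: AppResult, browser: Secrecy) -> Response:
    """Run the app result through every middleware and return the final Response."""
    for mw in MIDDLEWARE:
        result = mw(result, browser)
    return result.response


def header(resp: Response, name: str):
    """Case-insensitive header lookup; None when absent."""
    return next((v for k, v in resp.headers if k.lower() == name.lower()), None)


if __name__ == "__main__":
    # Constructed sample: result readable by either of two origins, browser is one of them.
    secret = frozenset({frozenset({"http://google.com:80", "https://a.lvh.me:3000"})})
    browser = frozenset({frozenset({"https://a.lvh.me:3000"})})
    app = AppResult(secret, Response(200, [("Set-Cookie", "sid=1"), ("Content-Type", "text/html")], b"<p>hi</p>"))
    print(secure_response(app, browser))          # 200, CSP added, Set-Cookie removed
    print(secure_response(app, DC_PUBLIC).status)  # 403: secret result, public browser
```

With the sample label in the block, the generated header is exactly the page's example, `default-src 'self' http://google.com:80 https://a.lvh.me:3000;`, because the browser's single principal is contained in the response's disjunction and so the response flows to it; a browser with no principal (public) gets the 403 instead, and in neither case does a Set-Cookie header survive.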
Network types
module Network.HTTP.Types