Safe Haskell | Trustworthy |
---|---|
Language | Haskell98 |
This module exports the core of the Hails HTTP server. Specifically it
defines basic types, such as HTTP Request and Response, used by
the Hails web server and untrusted Hails Applications.
At a high level, a Hails Application is a function from Request to
Response in the DC monad. Every application response is
sanitized and sanity checked with the secureApplication Middleware.
Moreover, every Request is sanitized with sanitizeReq
before being handed over to authenticators.
Hails uses Wai, and as such we provide a function for converting
Hails Applications to Wai Applications: execHailsApplication.
Documentation
module Hails.HttpServer.Types
Execute Hails application
execHailsApplication :: Middleware -> Application -> Application
Execute an application, safely filtering unsafe request headers, overriding method posts, catching all exceptions, and sanitizing responses.
Middleware used by Hails
sanitizeReqMiddleware :: Middleware
Remove any unsafe headers, in this case only X-Hails-User.
browserLabelGuard :: Middleware
Hails Middleware that ensures the Response from the
application is readable by the client's browser (as determined by the
result label of the app computation and the label of the browser). If
the response is not readable by the browser, the middleware sends a
403 (unauthorized) response instead.
guardSensitiveResp :: Middleware
Adds the header Content-Security-Policy to the response, if the
label of the computation does not flow to the public label,
dcPublic. The default-src directive is set to the secrecy
component of the response label (if it is a disjunction
of principals). Currently, 'self' is always added to the
whitelist. An example may be:
Content-Security-Policy: default-src 'self' http://google.com:80 https://a.lvh.me:3000;
sanitizeResp :: Middleware
Remove anything from the response that could cause inadvertent
declassification. Currently this only removes the Set-Cookie header.
catchAllExceptions :: Middleware
Catch all exceptions thrown by middleware and return 500.
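The header handling described for sanitizeReqMiddleware, guardSensitiveResp and sanitizeResp, as an added example that is not part of the Hails source. It is a simplified, pure model: the Header and Secrecy types and all function names are hypothetical stand-ins, not the Hails or Wai API, and label shapes other than "public" and "disjunction of principals" are not modelled.

```haskell
module Main where

import Data.Char (toLower)

-- Hypothetical stand-in for an HTTP header (name, value).
type Header = (String, String)

-- Hypothetical stand-in for the secrecy component of a response label:
-- Public flows to dcPublic; Disjunction lists the principals (origins).
data Secrecy = Public | Disjunction [String]

-- HTTP header names are case-insensitive, so "x-hails-user" must be
-- dropped just like "X-Hails-User". Compare lower-cased names.
dropHeader :: String -> [Header] -> [Header]
dropHeader name = filter ((/= map toLower name) . map toLower . fst)

-- Request side: discard any client-supplied X-Hails-User before the
-- request reaches an authenticator.
sanitizeReqHeaders :: [Header] -> [Header]
sanitizeReqHeaders = dropHeader "X-Hails-User"

-- Response side: discard Set-Cookie, as sanitizeResp is described to do.
sanitizeRespHeaders :: [Header] -> [Header]
sanitizeRespHeaders = dropHeader "Set-Cookie"

-- Add Content-Security-Policy only when the label is not public.
-- 'self' is always placed first in the default-src source list.
guardSensitive :: Secrecy -> [Header] -> [Header]
guardSensitive Public hs = hs
guardSensitive (Disjunction principals) hs =
  ("Content-Security-Policy", policy) : hs
  where
    policy = "default-src " ++ unwords ("'self'" : principals) ++ ";"

main :: IO ()
main = do
  -- Constructed sample headers and label, for illustration only.
  let req  = [("Host", "a.lvh.me:3000"), ("x-hails-user", "alice")]
      resp = [("Content-Type", "text/html"), ("Set-Cookie", "sid=1")]
      lbl  = Disjunction ["http://google.com:80", "https://a.lvh.me:3000"]
  putStrLn "Sanitized request headers:"
  mapM_ print (sanitizeReqHeaders req)
  putStrLn "Sensitive response headers:"
  mapM_ print (guardSensitive lbl (sanitizeRespHeaders resp))
  putStrLn "Public response headers:"
  mapM_ print (guardSensitive Public (sanitizeRespHeaders resp))
```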
Network types
module Network.HTTP.Types