Module http_security

Available on crate features http and net and haproxy and cli only.
Shared defence-in-depth HTTP response-header layer used by every HTML-emitting service that ships with rama (fingerprint service, http test service, public IP page).

The defaults are intentionally strict so an XSS that slips past the escaping pipeline cannot, on its own, exfiltrate data or be reframed by a third party. Each call-site can widen the policy with ContentSecurityPolicy::with before passing it to defence_in_depth_layer.

Functions

defence_in_depth_layer
Build the standard defence-in-depth response-header layer stack.
rama_html_csp
Convenience: build the strict-self CSP, widened only with the image hosts every rama-shipped HTML page needs (the inline favicon SVG via data: and the GitHub-hosted banner image). Frame ancestry is denied upstream by XFrameOptions::Deny and the policy’s own frame-ancestors 'none'.