Hanami provides ways to secure an application against the most common vulnerabilities. Security options can be configured in .
X-Frame-Options is an HTTP header supported by modern browsers. It determines whether a web page can be included via <frame> and <iframe> tags by untrusted domains.
# Allows iframes on example.com
security.x_frame_options 'ALLOW-FROM https://example.com/'
X-Content-Type-Options prevents browsers from interpreting files as something other than what the Content-Type header declares.
X-XSS-Protection is an HTTP header that determines the behavior of the browser when an XSS attack is detected.
# Filter enabled. Rather than sanitize the page, when an XSS attack is detected,
# the browser will prevent rendering of the page (default)
security.x_xss_protection '1; mode=block'

# Filter enabled. When an XSS attack is detected, the browser will sanitize the page
security.x_xss_protection '1'
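The three headers above are quick to configure but just as quick to lose after a deploy or a reverse-proxy change, so the following script, added here as an example and not part of the Hanami guides or of Hanami itself, audits a response's headers against the values the text describes. The input hashes are constructed, and `audit_security_headers` is a name chosen for this example. One caveat it encodes: `ALLOW-FROM` is accepted by the `x_frame_options` setting, but current browsers ignore that value, so framing by one specific origin is better expressed with the CSP `frame-ancestors` directive.

```ruby
# Added example, not part of the Hanami guides: audit the security headers a
# response carries and report weak or missing settings for the three headers
# discussed above. Header names and values follow the text; the sample
# response hashes at the bottom are constructed for illustration.

# X-Frame-Options values that current browsers honour. ALLOW-FROM is accepted
# by Hanami's setting but has been dropped by browsers, so it is flagged.
FRAME_OPTIONS_STRONG = %w[DENY SAMEORIGIN].freeze

# Returns an array of findings (strings); an empty array means nothing to report.
def audit_security_headers(headers)
  # HTTP header names are case-insensitive, so normalise before lookup.
  h = headers.transform_keys { |k| k.to_s.downcase }
  findings = []

  xfo = h["x-frame-options"]
  if xfo.nil?
    findings << "X-Frame-Options missing: the page can be framed by any origin"
  elsif !FRAME_OPTIONS_STRONG.include?(xfo.strip.upcase)
    findings << "X-Frame-Options '#{xfo}' is neither DENY nor SAMEORIGIN " \
                "(ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors instead)"
  end

  xcto = h["x-content-type-options"]
  unless xcto && xcto.strip.casecmp?("nosniff")
    findings << "X-Content-Type-Options missing or not 'nosniff': browsers may MIME-sniff the response"
  end

  # Only the two values the text documents are distinguished here: '1' lets the
  # browser sanitise the page, '1; mode=block' stops rendering it altogether.
  xss = h["x-xss-protection"]
  if xss.nil?
    findings << "X-XSS-Protection missing"
  elsif xss.start_with?("1") && !xss.include?("mode=block")
    findings << "X-XSS-Protection '#{xss}' sanitises rather than blocks; '1; mode=block' is the stricter setting"
  end

  findings
end

# Constructed sample responses: one with the headers set as the text recommends,
# one with the weaker choices from the examples above and a header left out.
HARDENED_HEADERS = {
  "X-Frame-Options" => "DENY",
  "X-Content-Type-Options" => "nosniff",
  "X-XSS-Protection" => "1; mode=block"
}.freeze

WEAK_HEADERS = {
  "X-Frame-Options" => "ALLOW-FROM https://example.com/",
  "X-XSS-Protection" => "1"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "hardened: #{audit_security_headers(HARDENED_HEADERS).inspect}"
  audit_security_headers(WEAK_HEADERS).each { |f| puts "weak: #{f}" }
end
```

Run it against the headers of a real response (for example the hash Rack::MockRequest returns from your app) to turn the settings on this page into a check that runs in CI rather than a fact that is assumed.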
Content-Security-Policy (CSP) is an HTTP header that web applications can send to mitigate Cross Site Scripting (XSS) attacks.
The default value allows images, scripts, AJAX, fonts and CSS from the same origin, and does not allow any other resources to load (e.g. object, frame, media, etc.).
The default value is:
security.content_security_policy %{
  form-action 'self';
  frame-ancestors 'self';
  base-uri 'self';
  default-src 'none';
  script-src 'self';
  connect-src 'self';
  img-src 'self' https: data:;
  style-src 'self' 'unsafe-inline' https:;
  font-src 'self';
  object-src 'none';
  plugin-types application/pdf;
  child-src 'self';
  frame-src 'self';
  media-src 'self'
}
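Reading a policy this long by eye is error-prone, and the question that matters in practice is which directive actually governs a given resource once `default-src` fallback is applied. The following Ruby script is an added example, not from the Hanami guides or from Hanami itself: it parses a CSP string into its directives and resolves the effective sources for a resource type, including the fallback chain browsers use for fetch directives. The policy constant is a constructed copy of the default above (with `script-src 'self'` and `connect-src 'self'`, which is what "scripts and AJAX from the same origin" requires), and the function names are chosen for this example.

```ruby
# Added example, not part of the Hanami guides: parse a Content-Security-Policy
# string into its directives and work out which sources govern a given resource
# type, applying the fallback chain browsers use for fetch directives.

# Fetch directives fall back to default-src when they are absent. Document and
# navigation directives (form-action, frame-ancestors, base-uri, ...) never do.
FETCH_DIRECTIVES = %w[
  script-src style-src img-src font-src connect-src media-src object-src
  child-src frame-src worker-src manifest-src
].freeze

# Directives with a longer chain than plain default-src, in lookup order.
FALLBACK_CHAIN = {
  "frame-src"  => %w[child-src default-src],
  "worker-src" => %w[child-src script-src default-src]
}.freeze

# Constructed copy of the default policy shown above. script-src and
# connect-src 'self' are what "scripts and AJAX from the same origin" requires.
HANAMI_DEFAULT_CSP = %{
  form-action 'self';
  frame-ancestors 'self';
  base-uri 'self';
  default-src 'none';
  script-src 'self';
  connect-src 'self';
  img-src 'self' https: data:;
  style-src 'self' 'unsafe-inline' https:;
  font-src 'self';
  object-src 'none';
  plugin-types application/pdf;
  child-src 'self';
  frame-src 'self';
  media-src 'self'
}.freeze

# Splits a policy into { "directive-name" => [source, ...] }.
# Whitespace, newlines and a trailing semicolon are tolerated.
def parse_csp(policy)
  policy.split(";").each_with_object({}) do |chunk, directives|
    name, *sources = chunk.strip.split(/\s+/)
    next if name.nil? || name.empty?
    directives[name.downcase] = sources
  end
end

# Sources that actually apply to +name+, following the fallback chain.
# Returns nil when the directive is absent and has no fallback, meaning the
# policy imposes no restriction on that resource type.
def effective_sources(directives, name)
  return directives[name] if directives.key?(name)
  chain = FALLBACK_CHAIN.fetch(name) { FETCH_DIRECTIVES.include?(name) ? ["default-src"] : [] }
  chain.each { |fallback| return directives[fallback] if directives.key?(fallback) }
  nil
end

# True when inline <script> blocks would run under this policy.
def allows_inline_script?(directives)
  Array(effective_sources(directives, "script-src")).include?("'unsafe-inline'")
end

if __FILE__ == $PROGRAM_NAME
  d = parse_csp(HANAMI_DEFAULT_CSP)
  puts "script-src    -> #{effective_sources(d, 'script-src').inspect}"
  puts "worker-src    -> #{effective_sources(d, 'worker-src').inspect} (inherited from child-src)"
  puts "inline JS?    -> #{allows_inline_script?(d)}"
  # Leaving script-src out of a default-src 'none' policy blocks scripts entirely
  puts "no script-src -> #{effective_sources(parse_csp("default-src 'none'; img-src 'self'"), 'script-src').inspect}"
end
```

The last line of the usage block is the point worth remembering about the default: because `default-src` is `'none'`, any fetch directive you forget to list is denied rather than permitted, which is the safe direction, but also why a missing `script-src` shows up as a blank page rather than an obvious error.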