
require 'hanami/helpers'
require 'hanami/assets'

module Web
  # Hanami application configuration for the `Web` app.
  #
  # Everything in the `configure do ... end` block applies to every
  # environment; the `configure :development`, `:test` and `:production`
  # blocks further down layer environment-specific overrides on top of it.
  # Paths given here are relative to `root` (this file's directory).
  class Application < Hanami::Application
    configure do
      ##
      # BASIC
      #
      # Define the root path of this application.
      # All paths specified in this configuration are relative to path below.
      #
      root __dir__

      # Relative load paths where this application will recursively load the
      # code.
      #
      # When you add new directories, remember to add them here.
      #
      load_paths << [
        'controllers',
        'views'
      ]

      # Handle exceptions with HTTP statuses (true) or don't catch them (false).
      # Defaults to true.
      # See: http://www.rubydoc.info/gems/hanami-controller/#Exceptions_management
      #
      # The default is kept here (true); only the development and test
      # blocks below switch it off so that stack traces are rendered.
      #
      # handle_exceptions true

      ##
      # HTTP
      #
      # Routes definitions for this application
      # See: http://www.rubydoc.info/gems/hanami-router#Usage
      #
      routes 'config/routes'

      # URI scheme used by the routing system to generate absolute URLs
      # Defaults to "http"
      #
      # scheme 'https'

      # URI host used by the routing system to generate absolute URLs
      # Defaults to "localhost"
      #
      # host 'example.org'

      # URI port used by the routing system to generate absolute URLs
      # Argument: An object coercible to integer, defaults to 80 if the scheme
      #   is http and 443 if it's https
      #
      # This should only be configured if app listens to non-standard ports
      #
      # port 443

      # Enable cookies
      # Argument: boolean to toggle the feature
      #           A Hash with options
      #
      # Options:
      #   :domain   - The domain (String - nil by default, not required)
      #   :path     - Restrict cookies to a relative URI
      #               (String - nil by default)
      #   :max_age  - Cookies expiration expressed in seconds
      #               (Integer - nil by default)
      #   :secure   - Restrict cookies to secure connections
      #               (Boolean - Automatically true when using HTTPS)
      #               See #scheme and #ssl?
      #   :httponly - Prevent JavaScript access (Boolean - true by default)
      #
      # NOTE(review): `:secure` is derived from `scheme`, which is left at its
      # "http" default above; if cookies are enabled while TLS is terminated
      # by a proxy, set `scheme 'https'` so the Secure flag is emitted.
      #
      # cookies true
      #   or
      # cookies max_age: 300

      # Enable sessions
      # Argument: Symbol the Rack session adapter
      #           A Hash with options
      #
      # See: http://www.rubydoc.info/gems/rack/Rack/Session/Cookie
      #
      # NOTE(review): if this line is enabled, the secret must be present in
      # every environment's ENV; the adapter's behaviour when
      # `ENV['WEB_SESSIONS_SECRET']` is nil should be confirmed before relying
      # on it.
      #
      # sessions :cookie, secret: ENV['WEB_SESSIONS_SECRET']

      # Configure Rack middleware for this application
      #
      # middleware.use Rack::Protection

      # Default format for the requests that don't specify an HTTP_ACCEPT header
      # Argument: A symbol representation of a mime type, defaults to :html
      #
      # default_request_format :html

      # Default format for responses that don't consider the request format
      # Argument: A symbol representation of a mime type, defaults to :html
      #
      # default_response_format :html

      ##
      # TEMPLATES
      #
      # The layout to be used by all views
      #
      layout :application # It will load Web::Views::ApplicationLayout

      # The relative path to templates
      #
      templates 'templates'

      ##
      # ASSETS
      #
      assets do
        # JavaScript compressor
        #
        # Supported engines:
        #
        #   * :builtin
        #   * :uglifier
        #   * :yui
        #   * :closure
        #
        # See: https://guides.hanamirb.org/assets/compressors
        #
        # In order to skip JavaScript compression comment the following line
        javascript_compressor :builtin

        # Stylesheet compressor
        #
        # Supported engines:
        #
        #   * :builtin
        #   * :yui
        #   * :sass
        #
        # See: https://guides.hanamirb.org/assets/compressors
        #
        # In order to skip stylesheet compression comment the following line
        stylesheet_compressor :builtin

        # Specify sources for assets
        #
        sources << [
          'assets'
        ]
      end

      ##
      # SECURITY
      #
      # X-Frame-Options is a HTTP header supported by modern browsers.
      # It determines if a web page can or cannot be included via <frame> and
      # <iframe> tags by untrusted domains.
      #
      # Web applications can send this header to prevent Clickjacking attacks.
      #
      # Read more at:
      #
      #   * https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
      #   * https://www.owasp.org/index.php/Clickjacking
      #
      # NOTE(review): this value disagrees with the CSP below, which sets
      # `frame-ancestors 'self'`. Browsers that honour frame-ancestors ignore
      # X-Frame-Options, so they allow same-origin framing while legacy
      # browsers deny all framing. Pick one intent and align both settings
      # ('SAMEORIGIN' here, or `frame-ancestors 'none'` below).
      security.x_frame_options 'DENY'

      # X-Content-Type-Options prevents browsers from interpreting files as
      # something else than declared by the content type in the HTTP headers.
      #
      # Read more at:
      #
      #   * https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options
      #   * https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx
      #   * https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update
      security.x_content_type_options 'nosniff'

      # X-XSS-Protection is a HTTP header to determine the behavior of the
      # browser in case an XSS attack is detected.
      #
      # Read more at:
      #
      #   * https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
      #   * https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection
      #
      # NOTE(review): this header is treated as legacy by current guidance and
      # the CSP below is the primary XSS mitigation; confirm whether your
      # browser targets still warrant sending it.
      security.x_xss_protection '1; mode=block'

      # Content-Security-Policy (CSP) is a HTTP header supported by modern
      # browsers. It determines trusted sources of execution for dynamic
      # contents (JavaScript) or other web related assets: stylesheets, images,
      # fonts, plugins, etc.
      #
      # Web applications can send this header to mitigate Cross Site Scripting
      # (XSS) attacks.
      #
      # The default value allows images, scripts, AJAX, fonts and CSS from the
      # same origin, and does not allow any other resources to load (eg object,
      # frame, media, etc).
      #
      # Inline JavaScript is NOT allowed. To enable it, please use:
      # "script-src 'unsafe-inline'".
      #
      # Content Security Policy introduction:
      #
      #  * http://www.html5rocks.com/en/tutorials/security/content-security-policy/
      #  * https://www.owasp.org/index.php/Content_Security_Policy
      #  * https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
      #
      # Inline and eval JavaScript risks:
      #
      #   * http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
      #   * http://www.html5rocks.com/en/tutorials/security/content-security-policy/#eval-too
      #
      # Content Security Policy usage:
      #
      #  * http://content-security-policy.com/
      #  * https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy
      #
      # Content Security Policy references:
      #
      #  * https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
      #
      # Notes on the directives as written:
      #   * `img-src` and `style-src` include `https:`, i.e. any TLS origin,
      #     and `style-src` also permits inline styles ('unsafe-inline');
      #     tighten these to named origins if the app does not need them.
      #   * `object-src 'none'` already blocks plugins, so `plugin-types`
      #     has no effect here; NOTE(review): plugin-types is no longer part
      #     of current CSP specs, confirm before keeping it.
      #   * `frame-ancestors 'self'` is the directive that governs who may
      #     embed this app in CSP-aware browsers (see the X-Frame-Options
      #     note above).
      security.content_security_policy %{ form-action 'self'; frame-ancestors 'self'; base-uri 'self'; default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https:; font-src 'self'; object-src 'none'; plugin-types application/pdf; child-src 'self'; frame-src 'self'; media-src 'self' }

      ##
      # FRAMEWORKS
      #
      # Configure the code that will yield each time Web::Action is included
      # This is useful for sharing common functionality
      #
      # See: http://www.rubydoc.info/gems/hanami-controller#Configuration
      controller.prepare do
        # include MyAuthentication # included in all the actions
        # before :authenticate!    # run an authentication before callback
      end

      # Configure the code that will yield each time Web::View is included
      # This is useful for sharing common functionality
      #
      # See: http://www.rubydoc.info/gems/hanami-view#Configuration
      view.prepare do
        include Hanami::Helpers
        include Web::Assets::Helpers
      end
    end

    ##
    # DEVELOPMENT
    #
    configure :development do
      # Don't handle exceptions, render the stack trace
      handle_exceptions false
    end

    ##
    # TEST
    #
    configure :test do
      # Don't handle exceptions, render the stack trace
      handle_exceptions false
    end

    ##
    # PRODUCTION
    #
    # `handle_exceptions` is deliberately not overridden here, so production
    # keeps the framework default of mapping exceptions to HTTP statuses
    # rather than rendering stack traces.
    configure :production do
      # scheme 'https'
      # host   'example.org'
      # port   443

      assets do
        # Don't compile static assets in production mode (eg. Sass, ES6)
        #
        # See: http://www.rubydoc.info/gems/hanami-assets#Configuration
        compile false

        # Use fingerprint file name for asset paths
        #
        # See: https://guides.hanamirb.org/assets/overview
        fingerprint true

        # Content Delivery Network (CDN)
        #
        # See: https://guides.hanamirb.org/assets/content-delivery-network
        #
        # scheme 'https'
        # host   'cdn.example.org'
        # port   443

        # Subresource Integrity
        #
        # Emits integrity hashes on asset tags so a tampered or substituted
        # asset (e.g. served from a CDN) is refused by the browser.
        #
        # See: https://guides.hanamirb.org/assets/content-delivery-network/#subresource-integrity
        subresource_integrity :sha256
      end
    end
  end
end