package middleware
- Alphabetic
- Public
- All
Type Members
-
sealed
class
CORSPolicy extends AnyRef
A middleware that applies the CORS protocol to any
Http
value.A middleware that applies the CORS protocol to any
Http
value. Obtain a reference to aCORSPolicy
via the CORS object, which represents a default policy.Requests with an Origin header will receive the appropriate CORS headers. More headers are available for "pre-flight" requests, those whose method is
OPTIONS
and has anAccess-Control-Request-Method
header.Requests without the required headers, or requests that fail a CORS origin, method, or headers check are passed through to the underlying Http function, but do not receive any CORS headers in the response. The user agent will then block sharing the resource across origins according to the CORS protocol.
-
final
class
CSRF[F[_], G[_]] extends AnyRef
Middleware to avoid Cross-site request forgery attacks.
Middleware to avoid Cross-site request forgery attacks. More info on CSRF at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
This middleware is modeled after the double submit cookie pattern: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie
When a user authenticates,
embedNew
is used to send a random CSRF value as a cookie. (Alternatively, an authenticating service can be wrapped inwithNewToken
).By default, for requests that are unsafe (PUT, POST, DELETE, PATCH), services protected by the
validated
method in the middleware will check that the csrf token is present in both the headerheaderName
and the cookiecookieName
. Due to the Same-Origin policy, an attacker will be unable to reproduce this value in a custom header, resulting in a403 Forbidden
response.By default, requests with safe methods (such as GET, OPTIONS, HEAD) will have a new token embedded in them if there isn't one, or will receive a refreshed token based off of the previous token to mitigate the BREACH vulnerability. If a request contains an invalid token, regardless of whether it is a safe method, this middleware will fail it with
403 Forbidden
. In this situation, your user(s) should clear their cookies for your page, to receive a new token.The default can be overridden by modifying the
predicate
invalidate
. It will, by default, check if the method is safe. Thus, you can provide some whitelisting capability for certain kinds of requests.We'd like to emphasize that you please follow proper design principles in creating endpoints, as to not mutate in what should otherwise be idempotent methods (i.e no dropping your DB in a GET method, or altering user data). Please do not use the CSRF protection from this middleware as a safety net for bad design.
-
final
class
CORSConfig extends AnyRef
CORS middleware config options.
CORS middleware config options. You can give an instance of this class to the CORS middleware, to specify its behavior
- Annotations
- @deprecated
- Deprecated
(Since version 0.21.27) Deficient. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.
Value Members
-
object
AutoSlash
Removes a trailing slash from Request path
-
object
BodyCache
Middleware for caching the request body for multiple compilations
Middleware for caching the request body for multiple compilations
As the body of the request is the Stream of bytes, compiling it several times (e.g. with middlewares) is unsafe. This middleware forbids such behaviour, compiling the body only once. It does so only for the "inner" middlewares:
val route = AMiddleware(BodyCache(SomeOtherMiddleware(myRoute)))
In this example only
myRoute
&SomeOtherMiddleware
will receive cached request body, while theAMiddleware
will get the raw one.As the entire request body will be allocated in memory, there is a possibility of OOM error with a large body. Because of that, using the
EntityLimiter
middleware is strongly advised.- Note
This middleware has nothing to do with the HTTP caching mechanism and it does not cache bodies between multiple requests.
-
object
BracketRequestResponse
Middelwares which allow for bracketing on a Request/Response, including the completion of the Response body stream.
Middelwares which allow for bracketing on a Request/Response, including the completion of the Response body stream.
These are analogous to
cats.effect.Bracket
andfs2.Stream.bracket
. The reason that they exist is because due to the full termination of a Response being a function of the termination of thefs2.Stream
which backs the response body, you can't actually use eithercats.effect.Bracket
orfs2.Stream.bracket
directly. -
object
CORS
Implements the CORS protocol.
Implements the CORS protocol. The actual middleware is a CORSPolicy, which can be obtained via #policy.
- object CORSPolicy
- object CSRF
-
object
Caching
Caching contains middlewares to support caching functionality.
Caching contains middlewares to support caching functionality.
Helper functions to support Caching.cache can be found in Caching.Helpers
- object ChunkAggregator
-
object
ConcurrentRequests
Middlewares for tracking the quantity of concurrent requests.
Middlewares for tracking the quantity of concurrent requests.
These are generalized middlewares and can be used to implement metrics, logging, max concurrent requests, etc.
- Note
The concurrent request count is decremented on the completion of the Response body, or in the event of any error, and is guaranteed to only occur once.
-
object
Date
Date Middleware, adds the Date Header to All Responses generated by the service.
-
object
DefaultHead
Handles HEAD requests as a GET without a body.
Handles HEAD requests as a GET without a body.
If the service returns the fallthrough response, the request is resubmitted as a GET. The resulting response's body is killed, but all headers are preserved. This is a naive, but correct, implementation of HEAD. Routes requiring more optimization should implement their own HEAD handler.
- object EntityLimiter
- object ErrorAction
- object ErrorHandling
- object GZip
-
object
HSTS
Middleware to add HTTP Strict Transport Security (HSTS) support adding the Strict Transport Security headers
- object HeaderEcho
- object HttpMethodOverrider
-
object
HttpsRedirect
Middleware to redirect http traffic to https.
Middleware to redirect http traffic to https. Inspects
X-Forwarded-Proto
header and if it is set tohttp
, redirects toHost
with same URL with https schema; otherwise does nothing. This middleware is useful when a service is deployed behind a load balancer which does not support such redirect feature, e.g. Heroku. -
object
Jsonp
Middleware to support wrapping json responses in jsonp.
Middleware to support wrapping json responses in jsonp.
Jsonp wrapping occurs when the request contains a parameter with the given name and the request Content-Type is
application/json
.If the wrapping is done, the response Content-Type is changed into
application/javascript
and the appropriate jsonp callback is applied. -
object
Logger
Simple Middleware for Logging All Requests and Responses
- object MaxActiveRequests
-
object
Metrics
Server middleware to record metrics for the http4s server.
Server middleware to record metrics for the http4s server.
This middleware will record: - Number of active requests - Time duration to send the response headers - Time duration to send the whole response body - Time duration of errors and other abnormal terminations
This middleware can be extended to support any metrics ecosystem by implementing the org.http4s.metrics.MetricsOps type
- object PushSupport
-
object
RequestId
Propagate a
X-Request-Id
header to the response, generate a UUID when theX-Request-Id
header is unset.Propagate a
X-Request-Id
header to the response, generate a UUID when theX-Request-Id
header is unset. https://devcenter.heroku.com/articles/http-request-id -
object
RequestLogger
Simple Middleware for Logging Requests As They Are Processed
-
object
ResponseLogger
Simple middleware for logging responses as they are processed
- object ResponseTiming
-
object
StaticHeaders
Simple middleware for adding a static set of headers to responses returned by a kleisli.
-
object
Throttle
Transform a service to reject any calls the go over a given rate.
- object Timeout
-
object
TranslateUri
Removes the given prefix from the beginning of the path of the Request.
-
object
UrlFormLifter
Middleware for lifting application/x-www-form-urlencoded bodies into the request query params.
Middleware for lifting application/x-www-form-urlencoded bodies into the request query params.
The params are merged into the existing paras _after_ the existing query params. This means that if the query already contains the pair "foo" -> Some("bar"), parameters on the body must be acessed through
multiParams
. -
object
VirtualHost
Middleware for virtual host mapping
Middleware for virtual host mapping
The
VirtualHost
middleware allows multiple services to be mapped based on the org.http4s.headers.Host header of the org.http4s.Request.
Deprecated Value Members
-
object
CORSConfig
- Annotations
- @deprecated
- Deprecated
(Since version 0.21.27) Deficient. See https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6.