Add :safe-header default to :anti-forgery

Provides a more convenient way of safely POSTing via XHR.

Author: weavejester

README.md

@@ -121,7 +121,7 @@ The following configuration keys are supported:
 
   - `:anti-forgery` -
     Set to true to add CSRF protection via the [ring-anti-forgery][5]
-    library.
+    library, or supply a map of options to be passed to the middleware.
 
   - `:content-type-options` -
     Prevents attacks based around media-type confusion. See:

src/ring/middleware/defaults.clj

@@ -47,7 +47,7 @@
    :session   {:flash true
                :cookie-attrs {:http-only true}
                :store default-session-store}
-   :security  {:anti-forgery   true
+   :security  {:anti-forgery   {:safe-header "X-Ring-Anti-Forgery"}
                :frame-options  :sameorigin
                :content-type-options :nosniff}
    :static    {:resources "public"}

test/ring/middleware/defaults_test.clj

@@ -241,4 +241,11 @@
                            (assoc-in [:security :xss-protection :mode] :block))))
           resp    (handler (request :get "/"))]
       (is (not (nil? (get-in resp [:headers "X-XSS-Protection"]))))
-      (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block")))))
+      (is (= (get-in resp [:headers "X-XSS-Protection"]) "1; mode=block"))))
+
+  (testing "anti-forgery"
+    (let [handler (-> (constantly (response "foo"))
+                      (wrap-defaults site-defaults))]
+      (is (= 403 (:status (handler (request :post "/")))))
+      (is (= 200 (:status (handler (-> (request :post "/")
+                                       (header "X-Ring-Anti-Forgery" "1")))))))))