Sleep Safe v1.0.0

Written in: Fantom pod: v1.0.0 Licence: ISC Licence


Guards your BedSheet web app against CSFR, XSS, and other attacks, letting you Sleep Safe at night!

For the most part, Sleep Safe is completely unobtrusive. Simply reference afSleepSafe as a dependecny in your project's and let the sensible defaults monitor your HTTP requests and set protective HTTP response headers.

Note that other Alien-Factory libraries integrate seemlessly with Sleep Safe:

  • Duvet - When injecting scripts and stylesheets, Duvet will automatically adjust the Content-Security-Policy to include a hash of the added content.
  • FormBean - When rendering forms, FormBean will automatically render any CSRF token as hidden inputs.


Install Sleep Safe with the Fantom Pod Manager ( FPM ):

C:\> fpm install afSleepSafe

Or install Sleep Safe with fanr:

C:\> fanr install -r afSleepSafe

To use in a Fantom project, add a dependency to

depends = ["sys 1.0", ..., "afSleepSafe 1.0"]


Full API & fandocs are available on the Eggbox - the Fantom Pod Repository.

Sleep Safe Guards

Sleep Safe is BedSheet middleware that inspects HTTP requests as they come in and returns a 403 Forbidden should an attack be suspected.

Request inspection is done by Guard classes, and include:

Class                   Guards Against                            Notes
----------------------  ----------------------------------------  ------------
`CspGuard`              Cross Site Scripting (XSS)                Sets a 'Content-Security-Policy' HTTP response header that tells browsers to restrict where content can be loaded from.
`ContentTypeGuard`      Content Sniffing                          Sets a 'X-Content-Type-Options' HTTP response header that tells browsers to trust the 'Content-Type' header
`CsrfTokenGuard`        Cross Site Forgery Requests (CSRF)        Enforces an customisable Encrypted Token Pattern strategy
`FrameOptionsGuard`     Clickjacking                              Sets an 'X-Frame-Options' HTTP header that tells browsers not to embed the page in a frame
`ReferrerPolicyGuard`   Private / Internal URL leaking            Sets a 'Referrer-Policy' HTTP response header that tells browsers how and when to transmit the HTTP Referer (sic) header
`SameOriginGuard`       Cross Site Forgery Requests (CSRF)        Checks the 'Referer' or 'Origin' HTTP header matches the 'Host'
`SessionHijackGuard`    Session Hijacking                         Caches browser user-agent parameters and checks them on each request, dropping the session if they change.
`StrictTransportGuard`  Protocol Downgrades and Cookie Hijacking  Sets a 'Strict-Transport-Security' HTTP header that tells browsers to use HTTPS
`XssProtectionGuard`    Cross Site Scripting (XSS)                Sets an 'X-XSS-Protection' HTTP header that tells browsers enable XSS filtering

See the individual class documentation for more details.

Guards are invoked by SleepSafe BedSheet Middleware which is configured before afBedSheet.routes but after afBedSheet.assets. This is because some guards may be processor and / or IO intensive and static asset files usually need not be protected. If you prefere SleepSafe be run on every request, then overwrite the Middleware contribution.

IoC Configuration

When a Guard rejects a HTTP request, it processes a standard BedSheet HttpStatus object with a 403 - Forbidden status code. This is then handled by BedSheet in the usual manner, for you to override - see HTTP Status Processing.

Use IoC Config to change the status code:

@Contribute { serviceType=ApplicationDefaults# }
Void contributeAppDefaults(Configuration config) {
    config["afSleepSafe.rejectedStatusCode"] = 400

or as SleepSafeMiddleware is a service, you can override it and the rejectSuspectedAttack() method.


Use to probe your site's HTTP response headers and give information on how best to configure them.

Sleep Safe was inspired by Ruby's Rack Protection library.