This function adds resource isolation to a path in your API. The function can be called multiple times to set up resource isolation for multiple paths, potentially with different settings for each path. You can read in depth about resource isolation at the ResourceIsolation plugin documentation.
api_security_resource_isolation(
api,
path = "/*",
allowed_site = "same-site",
forbidden_navigation = c("object", "embed"),
allow_cors = TRUE
)This functions return the api object allowing for easy chaining
with the pipe
A plumber2 api object to add the plugin to
The path that the policy should apply to. routr path syntax applies, meaning that wilcards and path parameters are allowed.
The allowance level to permit. Either cross-site,
same-site, or same-origin.
A vector of destinations not allowed for
navigational requests. See the Sec-Fetch-Dest documentation
for a description of possible values. The special value "all" is also
permitted which is the equivalent of passing all values.
Should Sec-Fetch-Mode: cors requests be allowed
To add resource isolation to a path you can add @rip <allowed_site> to a
handler annotation. This will add resource isolation to all endpoints
described in the block. The annotation doesn't allow setting
forbidden_navigation or allow_cors and the default values will be used.
#* A handler for /user/<username>
#*
#* @param username:string The name of the user to provide information on
#*
#* @get /user/<username>
#*
#* @response 200:{name:string, age:integer, hobbies:[string]} Important
#* information about the user such as their name, age, and hobbies
#*
#* @rip same-origin
#*
function(username) {
find_user_in_db(username)
}
Other security features:
api_security_cors(),
api_security_headers()
# Set up resource isolation for everything inside a user path
api() |>
api_security_resource_isolation(
path = "/*"
)
Run the code above in your browser using DataLab