ring.middleware.x-headers

Middleware for adding various 'X-' response headers.

wrap-content-type-options

(wrap-content-type-options handler content-type-options)
Middleware that adds the X-Content-Type-Options header to the response. This
currently only accepts one option:

:nosniff - prevent resources with invalid media types being loaded as
           stylesheets or scripts

This prevents attacks based around media type confusion. See:
http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx

wrap-frame-options

(wrap-frame-options handler frame-options)
Middleware that adds the X-Frame-Options header to the response. This governs
whether your site can be rendered in a <frame>, <iframe> or <object>, and is
typically used to prevent clickjacking attacks.

The following frame options are allowed:

:deny             - prevent any framing of the content
:sameorigin       - allow only the current site to frame the content
{:allow-from uri} - allow only the specified URI to frame the page

The :deny and :sameorigin options are keywords, while the :allow-from option
is a map consisting of one key/value pair.

Note that browser support for :allow-from is incomplete. See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

wrap-xss-protection

(wrap-xss-protection handler enable? & [options])
Middleware that adds the X-XSS-Protection header to the response. This header
enables a heuristic filter in browsers for detecting cross-site scripting
attacks. The filter is usually on by default.

The enable? argument determines whether the filter should be turned on.
The middleware accepts one additional option:

:mode - currently accepts only :block

See: http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
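
An added example, not part of the library's own documentation: the three middleware functions above composed around one handler, with a check that reports any header missing from a response. The namespace, app-handler, wrap-x-headers, expected-headers and header-gaps are hypothetical names, and the request map is constructed.

```clojure
(ns example.secure-headers
  ;; Added example; this namespace and every name defined in it are hypothetical.
  (:require [ring.middleware.x-headers :refer [wrap-content-type-options
                                               wrap-frame-options
                                               wrap-xss-protection]]))

(defn app-handler
  "Constructed stand-in for an application handler."
  [_request]
  {:status  200
   :headers {"Content-Type" "text/html; charset=utf-8"}
   :body    "<h1>hello</h1>"})

(defn wrap-x-headers
  "Applies all three middleware functions, each with one of the options
  listed on this page."
  [handler]
  (-> handler
      (wrap-content-type-options :nosniff)
      (wrap-frame-options :sameorigin)
      (wrap-xss-protection true {:mode :block})))

(def expected-headers
  "Header values that the options chosen in wrap-x-headers should yield."
  {"X-Content-Type-Options" "nosniff"
   "X-Frame-Options"        "SAMEORIGIN"
   "X-XSS-Protection"       "1; mode=block"})

(defn header-gaps
  "Returns a map of header name to the value actually found (nil when the
  header is absent) for every expected header the response does not carry
  with the expected value. An empty map means nothing is missing."
  [response]
  (into {}
        (for [[header expected] expected-headers
              :let  [actual (get-in response [:headers header])]
              :when (not= expected actual)]
          [header actual])))

(comment
  ;; Evaluate at a REPL to compare the wrapped and unwrapped handler.
  (def request {:request-method :get :uri "/"}) ; constructed request map
  (header-gaps ((wrap-x-headers app-handler) request))
  (header-gaps (app-handler request)))
```

A check like header-gaps can run in a test suite against the fully assembled handler, so a route that bypasses the middleware stack shows up as a failing test rather than in production.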