Security
Guide: Security.
CSRF (verve.csrf)
| Export | Notes |
|---|---|
| COOKIE_NAME | "__verve_csrf" (HttpOnly) |
| FIELD_NAME | "__csrf" (hidden form field) |
| MAX_AGE_SEC | 86400 (24h) |
| setKey([32]u8) / initFromEnvOrRandom(env, io) | HMAC key; VERVE_CSRF_KEY = 64 hex chars |
| generate(buf, now_secs) []const u8 | base64url(ts ‖ HMAC-SHA256(key, ts)) |
| validate(token, cookie_value, now_secs) bool | constant-time MAC check + expiry |
Render-side: ctx.csrfField() and ctx.actionForm(...) stamp the hidden field; the api handler enforces the token on native form posts and checks that Origin matches Host on JSON posts.
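Added example (not verve's own code): a Python model of the token layout described above, base64url(ts ‖ HMAC-SHA256(key, ts)), with the constant-time MAC check and the MAX_AGE_SEC expiry. It assumes the timestamp is packed as 8 big-endian bytes and that validate() also requires the submitted field to equal the cookie value (a double-submit check); neither detail is stated on the page.

```python
import base64
import hashlib
import hmac
import os
import struct

COOKIE_NAME = "__verve_csrf"
FIELD_NAME = "__csrf"
MAX_AGE_SEC = 86400  # 24h, as on the page

def key_from_env_or_random(env):
    """Mirror of initFromEnvOrRandom: VERVE_CSRF_KEY as 64 hex chars, else a random 32-byte key."""
    raw = env.get("VERVE_CSRF_KEY")
    if raw is None:
        return os.urandom(32)
    if len(raw) != 64:
        raise ValueError("VERVE_CSRF_KEY must be 64 hex chars")
    return bytes.fromhex(raw)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate(key, now_secs):
    ts = struct.pack(">Q", now_secs)  # assumption: 8-byte big-endian timestamp
    mac = hmac.new(key, ts, hashlib.sha256).digest()
    return _b64url(ts + mac)

def validate(key, token, cookie_value, now_secs):
    # Assumption: form field must match the HttpOnly cookie (double-submit), compared in constant time.
    if not hmac.compare_digest(token.encode(), cookie_value.encode()):
        return False
    try:
        raw = _b64url_decode(token)
    except ValueError:
        return False
    if len(raw) != 8 + 32:  # timestamp + SHA-256 tag
        return False
    ts_bytes, mac = raw[:8], raw[8:]
    expected = hmac.new(key, ts_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time MAC check
        return False
    age = now_secs - struct.unpack(">Q", ts_bytes)[0]
    return 0 <= age <= MAX_AGE_SEC  # expiry; future-dated tokens are also rejected
```

Because the timestamp is covered by the MAC, an attacker cannot extend a token's lifetime by editing the encoded ts; the comparison order (cookie equality, then MAC, then age) keeps all rejections on constant-time paths before any parsing of attacker-controlled bytes.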
Sanitization
| Export | Notes |
|---|---|
| sanitizeUrl(url) ?[]const u8 | http/https/mailto/relative pass; javascript:/data: → null |
| escapeHtml(writer, text) | the renderer's escape (automatic for .text) |
| escapeAttr(writer, text) | attribute-context escape |
CSP
| Export | Notes |
|---|---|
| ctx.csp_nonce | per-request nonce, auto-stamped by ctx.script/scriptInline |
| setRendererNonce(nonce) | for custom render pipelines |
The server emits the matching Content-Security-Policy header.