Security
Security matters once you deploy an Iridium application to production. HTMX and Alpine.js both turn attributes in your markup into behaviour, so if they are not properly handled and understood they can unintentionally give an attacker a way to trigger actions you never intended.
We recommend reading through this section before you deploy your Iridium application, and again before you start writing custom components or your own plugins.
CSP Mode
Iridium ships with the standard Alpine.js build by default. This reduces the barrier to working with Iridium's attribute system, as you can directly inline complex statements, rather than being required to inject custom Alpine data components to do complicated work.
If your application requires a stricter Content Security Policy, or you want to reduce attack surface with a single flag, you can enable CSPMode in your global config. This will:
- Swap Alpine.js for Alpine's CSP build, disabling inline expression evaluation
- Disable allowEval and allowScriptTags in HTMX
- Enable selfRequestsOnly in HTMX, restricting requests to your own origin
WARNING
Enabling CSP Mode means certain Alpine and HTMX expressions will no longer work, both in the attribute system and in any custom templ components you have written.
See here for what is enabled and disabled in HTMX and Alpine.
Any Alpine behaviour must instead be registered via Alpine.data() in a nonce-tagged <script> block, and certain HTMX attributes such as hx-on need custom workarounds, because their inline handler bodies are evaluated as script and allowEval is off.
If you rely heavily on the attribute system for scripting, or your custom components contain a lot of inline scripting, CSP Mode may not suit your use case.
CSP is not a silver bullet
CSP Mode meaningfully reduces your XSS attack surface, but it is not a complete defence on its own. Injected markup that carries no script at all (a form, a link, an element with hx- attributes) is still injected markup, and CSP does nothing about it. You should still escape and sanitize user input, never pass untrusted content to @templ.Raw(), and follow general web security best practices alongside it.
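The escaping rule above, shown as an added example that is not Iridium's or templ's own code: Go's standard html/template stands in for templ, and template.HTML plays the role of @templ.Raw(). The comment text is a constructed stored-XSS payload; renderComment, containsLiveTag and the trustBody flag are names chosen for this illustration. Note that the payload uses an inline event handler rather than a script tag, which is exactly the kind of thing a CSP with a script nonce blocks at execution time but does not stop from landing in the DOM.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample input: a stored-XSS payload exactly as an attacker would
// submit it through a comment form. It contains no <script> tag, so it would
// survive a naive "strip script tags" filter.
const untrustedComment = `<img src=x onerror="alert(document.cookie)">`

// Comment is the view model. Body is deliberately `any`: html/template escapes a
// string for the context it lands in, but emits a template.HTML value verbatim.
// template.HTML is the html/template counterpart of @templ.Raw().
type Comment struct {
	Author string
	Body   any
}

var commentTmpl = template.Must(template.New("comment").Parse(
	`<article><h3>{{.Author}}</h3><p>{{.Body}}</p></article>`))

// renderComment renders one comment. trustBody=false is the safe default: the
// body is escaped. trustBody=true is the Raw path and must only ever be used
// for markup your own code produced, never for user-supplied text.
func renderComment(author, body string, trustBody bool) (string, error) {
	c := Comment{Author: author, Body: body}
	if trustBody {
		c.Body = template.HTML(body) // escaping bypassed: attacker markup reaches the DOM as-is
	}
	var buf bytes.Buffer
	if err := commentTmpl.Execute(&buf, c); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsLiveTag reports whether the rendered HTML still carries the payload
// as live markup (an unescaped "<img"); used only to make the difference explicit.
func containsLiveTag(rendered string) bool {
	return strings.Contains(rendered, "<img")
}

func main() {
	safe, _ := renderComment("alice", untrustedComment, false)
	unsafe, _ := renderComment("alice", untrustedComment, true)
	fmt.Println("escaped:", safe)   // payload shown as text: &lt;img ... &gt;
	fmt.Println("raw:    ", unsafe) // payload is live markup: onerror fires in the browser
	fmt.Println("live tag in escaped output:", containsLiveTag(safe))  // false
	fmt.Println("live tag in raw output:    ", containsLiveTag(unsafe)) // true
}
```

The escaped output renders the payload as visible text; the raw output hands the browser a working onerror handler. The same split applies in templ: plain expressions are escaped, @templ.Raw() is not, so the only acceptable input to Raw is markup you generated yourself.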
Secure Middleware
Iridium ships with fairly tight security middleware, which may be tighter than your application's requirements allow.
We don't provide hooks to override much inside the default middleware. Instead, we encourage you to read through and fork our implementations, then manually register your variants with your panels if you require a change. The default stack covers:
- CSP
- CSRF
- CORS
- Secure Headers
- Max Payloads
- Panic Recovery
- Require User Account
Logging Users out
We recommend using the LogoutUser method on Iridium's base context to log users out, rather than just deleting the session cookie. That method invalidates the user's session and clears any session state that could expose data to a malicious person (HTMX's history cache, for example).
Recommended Readings
- HTMX's security section
- Alpine.js CSP documentation
- Web Security Basics with htmx, by Alexander Petros
Reporting Security Vulnerabilities
Did you find a vulnerability? Please report it directly to the project maintainers on GitHub.
- We ask that you don't share your finding(s) publicly until after we've pushed a fix.
- We kindly ask that you put in some legwork: explain how you uncovered the issue and how to reproduce it. Entirely AI-generated submissions will be ignored.