Middleware & Security

Runique includes configurable security middlewares automatically applied in the optimal order through the slot system.

Module                    Description
CSRF Protection           Token, Double Submit Cookie, AJAX
Content Security Policy   Nonce, profiles, headers
Sessions                  Store, durations, access in handlers
Hosts & Cache             Allowed Hosts, Cache-Control, security headers
Builder & Configuration   Classic Builder, Intelligent Builder, environment variables
Rate Limiting             Per-IP, per-route rate limiting, configurable
Login Required            Route protection: redirects if not authenticated
CORS                      Cross-Origin Resource Sharing: origins, credentials, preflight
Trusted Proxies           Real client IP, RFC 1918, CIDR, ClientIp
Permissions-Policy        Browser API restrictions via HTTP header
Open Redirect             Automatic blocking of redirects to external origins

Execution Stack

Incoming request
    ↓
slot  0  Extensions          → Inject Engine, Tera, Config (always active)
slot  2  TrustedProxies      → Real client IP from X-Forwarded-For (always active)
slot  5  Compression         → Response compression (always active)
slot  8  CORS                → Cross-Origin Resource Sharing (if with_cors() configured)
slot 10  ErrorHandler        → Capture and render errors (always active)
slot 20+ Custom              → Your custom middlewares
slot 25  OpenRedirect        → Block external redirects (always active)
slot 30  SecurityHeaders     → X-Frame-Options, HSTS, Permissions-Policy… (always active)
slot 31  CSP                 → Content Security Policy (always active)
slot 40  Cache               → No-cache in development (always active)
slot 50  Session             → Session management (always active)
slot 55  SessionUpgrade      → Upgrade anonymous session → authenticated (always active)
slot 57  Auth                → Load CurrentUser from session (always active)
slot 60  CSRF                → Cross-Site Request Forgery protection (always active)
slot 70  HostValidation      → Allowed host validation (if with_allowed_hosts() configured)
    ↓
Handler (your code)

"Always active" slots apply to every request with no extra configuration. The others are inserted into the stack only when their builder method is called.