GuardAPI

Fix Security Misconfiguration in Hanami

Hanami is designed with a 'secure-by-default' philosophy, but developers often degrade this posture by disabling built-in protections for development convenience or due to a lack of understanding of the middleware stack. Common misconfigurations include disabling CSRF protection, using weak session secrets, and deploying overly permissive Content Security Policies (CSP). In a production environment, these oversights transform a robust framework into an open vector for XSS, CSRF, and session hijacking.

The Vulnerable Pattern

config.middleware.use Rack::Session::Cookie, secret: 'change_me_123'  # hard-coded placeholder: anyone who reads the repo can forge signed sessions

config.security.content_security_policy = "*"  # allow-all policy: no restriction on where scripts or frames may come from

# Inside a controller action
class Create < Hanami::Action
  accept_csrf_token = false  # the page's stand-in for opting this action out of CSRF token validation

  def handle(request, response)
    # Logic without CSRF validation
  end
end

The Secure Implementation

The secure configuration addresses three critical areas:

1. Session hardening: the secret moves to an environment variable ('ENV.fetch' raises at boot if the variable is unset, instead of silently signing sessions with nil), and the cookie is flagged 'secure' (sent only over HTTPS), 'httponly' (not readable from JavaScript) and 'same_site: :strict' (the browser omits the cookie from cross-site requests, which blunts CSRF even before the token check runs). Note that Rack's cookie option key is 'same_site', with an underscore; a 'samesite:' key is accepted without error and ignored, so the cookie would be issued with no SameSite attribute at all. Generate the secret with something like 'SecureRandom.hex(32)' and never commit it.

2. CSP strictness: the allow-all wildcard is replaced with a policy that restricts script sources to the page's own origin and sets 'frame-ancestors :none', which forbids embedding the page in any frame (clickjacking). 'base-uri' and 'form-action' are pinned to 'self' so injected markup cannot redirect relative URLs or form submissions to another origin.

3. CSRF integrity: the 'accept_csrf_token = false' override is removed, so Hanami's built-in CSRF token validation is active again for every state-changing (non-GET) request. That validation runs as a callback inside the action, not as Rack middleware, which is why a per-action opt-out (in Hanami, overriding the action's 'verify_csrf_token?' hook to return false) is enough to switch it off for that one endpoint.

config.sessions = :cookie, {
  secret: ENV.fetch('SESSION_SECRET'),  # fetch raises at boot if the variable is missing
  secure: true,                         # sent over HTTPS only
  httponly: true,                       # not exposed to document.cookie
  same_site: :strict                    # Rack's key is same_site; 'samesite:' would be silently ignored
}

config.security.content_security_policy = Hanami::Config::Security::ContentSecurityPolicy.new do |csp|
  csp.default_src :self       # fallback for every fetch directive not listed below
  csp.script_src :self        # no inline or third-party scripts
  csp.frame_ancestors :none   # the page may not be framed at all (clickjacking)
  csp.base_uri :self          # an injected <base> tag cannot hijack relative URLs
  csp.form_action :self       # forms may only submit to this origin
end

# Actions should inherit global CSRF protection
class Create < Hanami::Action
  def handle(request, response)
    # CSRF is validated by default
  end
end
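The three points above can be turned into checks that run in a test suite or a CI step. The script below is an added example, not code from this page or from the Hanami project: it uses only the Ruby standard library, and the function names ('weak_secret_reason', 'hardened_session_options', 'csp_header', 'audit_csp', 'csrf_valid?'), the 64-character secret threshold and the placeholder list are my own choices. The CSRF function is a simplified model of the per-request check a protected action performs (session token versus submitted '_csrf_token', compared in constant time), not Hanami's implementation.

```ruby
# Added example (not from the GuardAPI page or the Hanami project): stdlib-only
# checks for the three misconfigurations discussed above. Names and thresholds
# are assumptions made for this example.
require "securerandom"

PLACEHOLDER_SECRETS = %w[change_me_123 changeme secret password].freeze
MIN_SECRET_CHARS = 64 # what SecureRandom.hex(32) yields: 256 bits of entropy

# Why a session secret is unacceptable, or nil when it is fine.
def weak_secret_reason(secret)
  return "session secret is unset" if secret.nil? || secret.empty?
  return "session secret is a placeholder" if PLACEHOLDER_SECRETS.include?(secret.downcase)
  return "session secret shorter than #{MIN_SECRET_CHARS} chars" if secret.length < MIN_SECRET_CHARS
  nil
end

# Option hash for Rack::Session::Cookie. Refuses to build one around a weak
# secret so a misconfigured app fails at boot instead of signing sessions
# with a guessable key.
def hardened_session_options(secret)
  reason = weak_secret_reason(secret)
  raise ArgumentError, reason if reason

  {
    secret: secret,
    secure: true,       # only sent over HTTPS
    httponly: true,     # not exposed to document.cookie
    same_site: :strict, # Rack's key is same_site; samesite: would be ignored
    expire_after: 24 * 60 * 60
  }
end

# Source keywords that must be single-quoted in a CSP header value.
CSP_KEYWORDS = { self: "'self'", none: "'none'" }.freeze

# Render { script_src: :self, ... } into a Content-Security-Policy value.
def csp_header(directives)
  directives.map do |name, sources|
    values = Array(sources).map { |s| CSP_KEYWORDS.fetch(s, s.to_s) }
    "#{name.to_s.tr('_', '-')} #{values.join(' ')}"
  end.join("; ")
end

# Parse a header value back into { "script-src" => ["'self'", ...] }.
def parse_csp(header)
  header.to_s.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    policy[name] = sources if name && !name.empty?
  end
end

# Findings for a policy; an empty array means it passes.
def audit_csp(header)
  policy = parse_csp(header)
  findings = []
  policy.keys.reject { |k| k.match?(/\A[a-z-]+\z/) }.each do |k|
    findings << "#{k.inspect} is not a directive; browsers ignore it, so nothing is enforced"
  end
  findings << "no default-src: unlisted fetch directives are unrestricted" unless policy.key?("default-src")
  policy.each do |name, sources|
    findings << "#{name} allows any origin (*)" if sources.include?("*")
    findings << "#{name} allows 'unsafe-inline'" if sources.include?("'unsafe-inline'")
    findings << "#{name} allows 'unsafe-eval'" if sources.include?("'unsafe-eval'")
  end
  findings << "frame-ancestors not set: page can be framed (clickjacking)" unless policy.key?("frame-ancestors")
  findings
end

# Constant-time comparison (same idea as Rack::Utils.secure_compare), so the
# token check does not leak how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

IDEMPOTENT_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Model of the per-request CSRF check: idempotent methods pass, everything
# else needs the submitted _csrf_token to equal the one stored in the session.
def csrf_valid?(http_method, session_token, submitted_token)
  return true if IDEMPOTENT_METHODS.include?(http_method.to_s.upcase)
  return false if session_token.nil? || submitted_token.nil?

  secure_equal?(session_token, submitted_token)
end

if $PROGRAM_NAME == __FILE__
  p weak_secret_reason("change_me_123")                 # the page's vulnerable secret
  p hardened_session_options(SecureRandom.hex(32))
  p audit_csp("*")                                      # the page's vulnerable policy
  p audit_csp(csp_header(default_src: :self, script_src: :self, frame_ancestors: :none,
                         base_uri: :self, form_action: :self))
  token = SecureRandom.hex(16)
  p csrf_valid?("POST", token, token), csrf_valid?("POST", token, "forged")
end
```

Running the script against the page's vulnerable values reports the placeholder secret and three CSP findings (the bare '*' is not a directive, no default-src, no frame-ancestors); the hardened policy from the secure section comes back clean.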


Verified by Ghost Labs Security Team
