play.modules { enabled += "play.filters.csrf.CSRFModule" enabled += "play.filters.cors.CORSModule" enabled += "play.filters.headers.SecurityHeadersModule" enabled += "play.filters.gzip.GzipFilterModule" } play.filters { # CSRF config csrf { # Token configuration token { # The token name name = "csrfToken" # Whether tokens should be signed or not sign = true } # Cookie configuration cookie { # If non null, the CSRF token will be placed in a cookie with this name name = null # Whether the cookie should be set to secure secure = ${play.http.session.secure} # Whether the cookie should have the HTTP only flag set httpOnly = false } # How much of the body should be buffered when looking for the token in the request body body.bufferSize = ${play.http.parser.maxMemoryBuffer} # Header configuration header { # The name of the header to accept CSRF tokens from. name = "Csrf-Token" # Whether simple tokens in the header should allow CSRF checks to be bypassed. bypass = true } # Method lists method { # If non empty, then requests will be checked if the method is not in this list. whiteList = [] # The black list is only used if the white list is empty. # Only check methods in this list. blackList = ["POST"] } # Content type lists contentType { # If non empty, then requests will be checked if the content type is not in this list. whiteList = [] # The black list is only used if the white list is empty. # Only check content types in this list. blackList = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"] } # The error handler. # Used by Play's built in DI support to locate and bind a request handler. Must be one of the following: # - A FQCN that implements play.filters.csrf.CSRF.ErrorHandler (Scala). # - A FQCN that implements play.filters.csrf.CSRFErrorHandler (Java). # - provided, indicates that the application has bound an instance of play.filters.csrf.CSRF.ErrorHandler through some # other mechanism. # If null, will attempt to load a class called CSRFErrorHandler in the root package, otherwise if that's # not found, will default to play.filters.csrf.CSRF.CSRFHttpErrorHandler, which delegates to the configured # HttpRequestHandler. errorHandler = null } # Security headers filter configuration headers { # The X-Frame-Options header. If null, the header is not set. frameOptions = "DENY" # The X-XSS-Protection header. If null, the header is not set. xssProtection = "1; mode=block" # The X-Content-Type-Options header. If null, the header is not set. contentTypeOptions = "nosniff" # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set. permittedCrossDomainPolicies = "master-only" # The Content-Security-Policy header. If null, the header is not set. contentSecurityPolicy = "default-src 'self'" } # CORS filter configuration cors { # The path prefixes to filter. pathPrefixes = ["/"] # The allowed origins. If null, all origins are allowed. allowedOrigins = null # The allowed HTTP methods. If null, all methods are allowed allowedHttpMethods = null # The allowed HTTP headers. If null, all headers are allowed. allowedHttpHeaders = null # The exposed headers exposedHeaders = [] # Whether to support credentials supportsCredentials = true # The maximum amount of time the CORS meta data should be cached by the client preflightMaxAge = 1 hour } # GZip filter configuration gzip { # The buffer size to use for gzipped bytes bufferSize = 8k # The maximum amount of content to buffer for gzipping in order to calculate the content length before falling back # to chunked encoding. chunkedThreshold = 100k } }