play.modules {
  enabled += "play.filters.csrf.CSRFModule"
  enabled += "play.filters.cors.CORSModule"
  enabled += "play.filters.headers.SecurityHeadersModule"
  enabled += "play.filters.hosts.AllowedHostsModule"
  enabled += "play.filters.gzip.GzipFilterModule"
}

play.filters {

  # CSRF config
  csrf {

    # Token configuration
    token {
      # The token name
      name = "csrfToken"

      # Whether tokens should be signed or not
      sign = true
    }

    # Cookie configuration
    cookie {
      # If non null, the CSRF token will be placed in a cookie with this name
      name = null

      # Whether the cookie should be set to secure
      secure = ${play.http.session.secure}

      # Whether the cookie should have the HTTP only flag set
      httpOnly = false
    }

    # How much of the body should be buffered when looking for the token in the request body
    body.bufferSize = ${play.http.parser.maxMemoryBuffer}

    # Bypass the CSRF check if this origin is trusted by the CORS filter
    bypassCorsTrustedOrigins = true

    # Header configuration
    header {

      # The name of the header to accept CSRF tokens from.
      name = "Csrf-Token"


      # Defines headers that must be present to perform the CSRF check. If any of these headers are present, the CSRF
      # check will be performed.
      #
      # By default, we only perform the CSRF check if there are Cookies or an Authorization header.
      # Generally, CSRF attacks use a user's browser to execute requests on the client's behalf. If the user does not
      # have an active session, there is no danger of this happening.
      #
      # Setting this to null or an empty object will protect all requests.
      protectHeaders {
        Cookie = "*"
        Authorization = "*"
      }

      # Defines headers that can be used to bypass the CSRF check if any are present. A value of "*" simply
      # checks for the presence of the header. A string value checks for a match on that string.
      bypassHeaders {}
    }

    # Method lists
    method {
      # If non empty, then requests will be checked if the method is not in this list.
      whiteList = ["GET", "HEAD", "OPTIONS"]

      # The black list is only used if the white list is empty.
      # Only check methods in this list.
      blackList = []
    }

    # Content type lists
    # If both white lists and black lists are empty, then all content types are checked.
    contentType {
      # If non empty, then requests will be checked if the content type is not in this list.
      whiteList = []

      # The black list is only used if the white list is empty.
      # Only check content types in this list.
      blackList = []
    }

    # The error handler.
    # Used by Play's built in DI support to locate and bind a request handler.  Must be one of the following:
    # - A FQCN that implements play.filters.csrf.CSRF.ErrorHandler (Scala).
    # - A FQCN that implements play.filters.csrf.CSRFErrorHandler (Java).
    # - provided, indicates that the application has bound an instance of play.filters.csrf.CSRF.ErrorHandler through some
    #   other mechanism.
    # If null, will attempt to load a class called CSRFErrorHandler in the root package, otherwise if that's
    # not found, will default to play.filters.csrf.CSRF.CSRFHttpErrorHandler, which delegates to the configured
    # HttpRequestHandler.
    errorHandler = null
  }

  # Security headers filter configuration
  headers {

    # The X-Frame-Options header. If null, the header is not set.
    frameOptions = "DENY"

    # The X-XSS-Protection header. If null, the header is not set.
    xssProtection = "1; mode=block"

    # The X-Content-Type-Options header. If null, the header is not set.
    contentTypeOptions = "nosniff"

    # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
    permittedCrossDomainPolicies = "master-only"

    # The Content-Security-Policy header. If null, the header is not set.
    contentSecurityPolicy = "default-src 'self'"
  }

  # Allowed hosts filter configuration
  hosts {

    # A list of valid hosts (e.g. "example.com") or suffixes of valid hosts (e.g. ".example.com")
    # Note that ".example.com" will match example.com and any subdomain of example.com, with or without a trailing dot.
    # "." matches all domains, and "" matches an empty or nonexistent host.
    allowed = ["localhost", ".local"]
  }

  # CORS filter configuration
  cors {

    # The path prefixes to filter.
    pathPrefixes = ["/"]

    # The allowed origins. If null, all origins are allowed.
    allowedOrigins = null

    # The allowed HTTP methods. If null, all methods are allowed
    allowedHttpMethods = null

    # The allowed HTTP headers. If null, all headers are allowed.
    allowedHttpHeaders = null

    # The exposed headers
    exposedHeaders = []

    # Whether to support credentials
    supportsCredentials = true

    # The maximum amount of time the CORS meta data should be cached by the client
    preflightMaxAge = 1 hour
  }

  # GZip filter configuration
  gzip {

    # The buffer size to use for gzipped bytes
    bufferSize = 8k

    # The maximum amount of content to buffer for gzipping in order to calculate the content length before falling back
    # to chunked encoding.
    chunkedThreshold = 100k

  }
}