Package play.filters.headers


Type Members

  1. trait SecurityHeadersComponents extends AnyRef

    The security headers components.

  2. case class SecurityHeadersConfig(frameOptions: Option[String] = Some("DENY"), xssProtection: Option[String] = Some("1; mode=block"), contentTypeOptions: Option[String] = Some("nosniff"), permittedCrossDomainPolicies: Option[String] = Some("master-only"), contentSecurityPolicy: Option[String] = None, referrerPolicy: Option[String] = ..., allowActionSpecificHeaders: Boolean = false) extends Product with Serializable

    A type safe configuration object for setting security headers.

    frameOptions - "X-Frame-Options"
    xssProtection - "X-XSS-Protection"
    contentTypeOptions - "X-Content-Type-Options"
    permittedCrossDomainPolicies - "X-Permitted-Cross-Domain-Policies"
    contentSecurityPolicy - "Content-Security-Policy"; this is deprecated in favor of the dedicated CSPFilter.
    referrerPolicy - "Referrer-Policy"
    allowActionSpecificHeaders - Allows action-specific headers, that is, whether .withHeaders may be used to provide page-specific overrides.

  3. class SecurityHeadersConfigProvider extends Provider[SecurityHeadersConfig]

    Provider for security headers configuration.

    Annotations
    @Singleton()
  4. class SecurityHeadersFilter extends EssentialFilter

    The case class that implements the filter. This gives you the most control, but you may want to use the apply() method on the companion singleton for convenience.

    Annotations
    @Singleton()
  5. class SecurityHeadersModule extends SimpleModule

    The security headers module.

Value Members

  1. object SecurityHeadersConfig extends Serializable

    Parses out a SecurityHeadersConfig from play.api.Configuration (usually this means application.conf).

  2. object SecurityHeadersFilter

    This class sets a number of common security headers on the HTTP request.

    NOTE: Because these are security headers, they are "secure by default." If the filter is applied, but these fields are NOT defined in Configuration, the defaults on the filter are NOT omitted, but are instead set to the strictest possible value.

    • play.filters.headers.frameOptions - sets frameOptions. Some("DENY") by default.
    • play.filters.headers.xssProtection - sets xssProtection. Some("1; mode=block") by default.
    • play.filters.headers.contentTypeOptions - sets contentTypeOptions. Some("nosniff") by default.
    • play.filters.headers.permittedCrossDomainPolicies - sets permittedCrossDomainPolicies. Some("master-only") by default.
    • play.filters.headers.contentSecurityPolicy - sets contentSecurityPolicy. Some("default-src 'self'") by default.
    • play.filters.headers.referrerPolicy - sets referrerPolicy. Some("origin-when-cross-origin, strict-origin-when-cross-origin") by default.
    • play.filters.headers.allowActionSpecificHeaders - sets whether .withHeaders may be used to provide page-specific overrides. False by default.

    See also

    Referrer Policy

    Cross Domain Policy File Specification

    X-XSS-Protection

    X-Content-Type-Options

    X-Frame-Options
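
The page-specific override that allowActionSpecificHeaders permits, as an added example that is not part of the Play documentation or code base. The class names Filters and EmbedController, the action names and the response bodies are hypothetical, and javax.inject is assumed as the injection API.

```scala
import javax.inject.Inject
import play.api.http.HttpFilters
import play.api.mvc._
import play.filters.headers.{SecurityHeadersConfig, SecurityHeadersFilter}

// Hypothetical filter chain; only the two types from this package are Play's own.
class Filters extends HttpFilters {
  // Defaults from the case class stay in force (DENY, nosniff, ...).
  // Only the override switch is changed; the application.conf key for it is
  // play.filters.headers.allowActionSpecificHeaders = true
  private val config = SecurityHeadersConfig(allowActionSpecificHeaders = true)

  // Companion apply(), as suggested in the SecurityHeadersFilter class docs.
  override val filters: Seq[EssentialFilter] = Seq(SecurityHeadersFilter(config))
}

// Hypothetical controller with one page that must be framed by same-origin pages.
class EmbedController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  // Page-specific override: this response carries its own X-Frame-Options,
  // which the filter leaves alone because allowActionSpecificHeaders is true.
  def widget: Action[AnyContent] = Action {
    Ok("embeddable widget").withHeaders("X-Frame-Options" -> "SAMEORIGIN")
  }

  // No override here, so the filter applies the configured value ("DENY").
  def account: Action[AnyContent] = Action {
    Ok("account page")
  }
}
```

With the flag on, any action can weaken a header for its own response, so review every .withHeaders call that names one of the headers listed above.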