package headers

Type Members

  1. case class DefaultSecurityHeadersConfig(frameOptions: Option[String], xssProtection: Option[String], contentTypeOptions: Option[String], permittedCrossDomainPolicies: Option[String], contentSecurityPolicy: Option[String]) extends SecurityHeadersConfig with Product with Serializable

    A type safe configuration object for setting security headers.

    Parameters:

    • frameOptions - "X-Frame-Options"
    • xssProtection - "X-XSS-Protection"
    • contentTypeOptions - "X-Content-Type-Options"
    • permittedCrossDomainPolicies - "X-Permitted-Cross-Domain-Policies"
    • contentSecurityPolicy - "Content-Security-Policy"

  2. trait SecurityHeadersConfig extends AnyRef

    SecurityHeaders trait. The default case class doesn't use it, but if you create a class which may return different values based on the header and the result, this is where to start.

  3. class SecurityHeadersFilter extends Filter

    The case class that implements the filter. This gives you the most control, but you may want to use the apply() method on the companion singleton for convenience.

  4. class SecurityHeadersParser extends AnyRef

    Parses out a SecurityHeadersConfig from play.api.Configuration (usually this means application.conf).

Value Members

  1. object SecurityHeadersFilter

    This class sets a number of common security headers on the HTTP request.

    NOTE: Because these are security headers, they are "secure by default." If the filter is applied, but these fields are NOT defined in Configuration, the defaults on the filter are NOT omitted, but are instead set to the strictest possible value.

    • play.filters.headers.frameOptions - sets frameOptions. Some("DENY") by default.
    • play.filters.headers.xssProtection - sets xssProtection. Some("1; mode=block") by default.
    • play.filters.headers.contentTypeOptions - sets contentTypeOptions. Some("nosniff") by default.
    • play.filters.headers.permittedCrossDomainPolicies - sets permittedCrossDomainPolicies. Some("master-only") by default.
    • play.filters.headers.contentSecurityPolicy - sets contentSecurityPolicy. Some("default-src 'self'") by default.

    See also

    • Cross Domain Policy File Specification
    • Content-Security-Policy
    • X-XSS-Protection
    • X-Content-Type-Options
    • X-Frame-Options
