play.modules { enabled += "play.filters.csrf.CSRFModule" enabled += "play.filters.cors.CORSModule" enabled += "play.filters.headers.SecurityHeadersModule" enabled += "play.filters.hosts.AllowedHostsModule" enabled += "play.filters.gzip.GzipFilterModule" enabled += "play.filters.https.RedirectHttpsModule" } play.filters { # Default list of enabled filters, configured by play.api.http.EnabledFilters enabled = [ play.filters.csrf.CSRFFilter, play.filters.headers.SecurityHeadersFilter, play.filters.hosts.AllowedHostsFilter ] # CSRF config csrf { # Token configuration token { # The token name name = "csrfToken" # Whether tokens should be signed or not sign = true } # Cookie configuration cookie { # If non null, the CSRF token will be placed in a cookie with this name name = null # Whether the cookie should be set to secure secure = ${play.http.session.secure} # Whether the cookie should have the HTTP only flag set httpOnly = false } # How much of the body should be buffered when looking for the token in the request body body.bufferSize = ${play.http.parser.maxMemoryBuffer} # Bypass the CSRF check if this origin is trusted by the CORS filter bypassCorsTrustedOrigins = true # Header configuration header { # The name of the header to accept CSRF tokens from. name = "Csrf-Token" # Defines headers that must be present to perform the CSRF check. If any of these headers are present, the CSRF # check will be performed. # # By default, we only perform the CSRF check if there are Cookies or an Authorization header. # Generally, CSRF attacks use a user's browser to execute requests on the client's behalf. If the user does not # have an active session, there is no danger of this happening. # # Setting this to null or an empty object will protect all requests. protectHeaders { Cookie = "*" Authorization = "*" } # Defines headers that can be used to bypass the CSRF check if any are present. A value of "*" simply # checks for the presence of the header. A string value checks for a match on that string. bypassHeaders {} } # Method lists method { # If non empty, then requests will be checked if the method is not in this list. whiteList = ["GET", "HEAD", "OPTIONS"] # The black list is only used if the white list is empty. # Only check methods in this list. blackList = [] } # Content type lists # If both white lists and black lists are empty, then all content types are checked. contentType { # If non empty, then requests will be checked if the content type is not in this list. whiteList = [] # The black list is only used if the white list is empty. # Only check content types in this list. blackList = [] } routeModifiers { # If non empty, then requests will be checked if the route does not have this modifier. This is how we enable the # nocsrf modifier, but you may choose to use a different modifier (such as "api") if you plan to check the # modifier in your code for other purposes. whiteList = ["nocsrf"] # If non empty, then requests will be checked if the route contains this modifier # The black list is used only if the white list is empty blackList = [] } # The error handler. # Used by Play's built in DI support to locate and bind a request handler. Must be one of the following: # - A FQCN that implements play.filters.csrf.CSRF.ErrorHandler (Scala). # - A FQCN that implements play.filters.csrf.CSRFErrorHandler (Java). # - provided, indicates that the application has bound an instance of play.filters.csrf.CSRF.ErrorHandler through some # other mechanism. # If null, will attempt to load a class called CSRFErrorHandler in the root package, otherwise if that's # not found, will default to play.filters.csrf.CSRF.CSRFHttpErrorHandler, which delegates to the configured # HttpRequestHandler. errorHandler = null } # Security headers filter configuration headers { # The X-Frame-Options header. If null, the header is not set. frameOptions = "DENY" # The X-XSS-Protection header. If null, the header is not set. xssProtection = "1; mode=block" # The X-Content-Type-Options header. If null, the header is not set. contentTypeOptions = "nosniff" # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set. permittedCrossDomainPolicies = "master-only" # The Content-Security-Policy header. If null, the header is not set. contentSecurityPolicy = "default-src 'self'" # The Referrer-Policy header. If null, the header is not set. referrerPolicy = "origin-when-cross-origin, strict-origin-when-cross-origin" # If true, allow an action to use .withHeaders to replace one or more of the above headers allowActionSpecificHeaders = false } # Allowed hosts filter configuration hosts { # A list of valid hosts (e.g. "example.com") or suffixes of valid hosts (e.g. ".example.com") # Note that ".example.com" will match example.com and any subdomain of example.com, with or without a trailing dot. # "." matches all domains, and "" matches an empty or nonexistent host. allowed = ["localhost", ".local"] } # CORS filter configuration cors { # The path prefixes to filter. pathPrefixes = ["/"] # The allowed origins. If null, all origins are allowed. allowedOrigins = null # The allowed HTTP methods. If null, all methods are allowed allowedHttpMethods = null # The allowed HTTP headers. If null, all headers are allowed. allowedHttpHeaders = null # The exposed headers exposedHeaders = [] # Whether to support credentials supportsCredentials = true # The maximum amount of time the CORS meta data should be cached by the client preflightMaxAge = 1 hour # Whether to serve forbidden origins as non-CORS requests serveForbiddenOrigins = false } # GZip filter configuration gzip { # The buffer size to use for gzipped bytes bufferSize = 8k # The maximum amount of content to buffer for gzipping in order to calculate the content length before falling back # to chunked encoding. chunkedThreshold = 100k contentType { # If non empty, then a response will only be compressed if its content type is in this list. whiteList = [] # The black list is only used if the white list is empty. # Compress all responses except the ones whose content type is in this list. blackList = [] } } # Configuration for redirection to HTTPS and Strict-Transport-Security https { # A boolean defining whether the redirect to HTTPS is enabled. # A value of null means enabled only in Prod mode, but disabled in Dev/Test. redirectEnabled = null # The Strict-Transport-Security header is used to signal to browsers to always use https. # This header is added whenever the filter makes the redirect. # Set to null to disable the header. strictTransportSecurity = "max-age=31536000; includeSubDomains" # Configures the redirect status code used if the request is not secure. # By default, uses HTTP status code 308, which is a permanent redirect that does # not change the HTTP method according to [RFC 7238](https://tools.ietf.org/html/rfc7538). redirectStatusCode = 308 # The HTTPS port to use in the Redirect's Location URL. # e.g. port = 9443 results in https://playframework.com:9443/some/url port = null port = ${?play.server.https.port} # default to same HTTPS port as play server port = ${?https.port} # read https.port system property if provided explicitly } }