§Configuring Security Headers
Play provides a security headers filter that can be used to configure some default headers in the HTTP response to mitigate security issues and provide an extra level of defense for new applications.
§Enabling the security headers filter
Note: As of Play 2.6.x, the Security Headers filter is included in Play’s list of default filters that are applied automatically to projects. See the Filters page for more information.
To enable the security headers filter manually, add it to the enabled filters in your configuration:

```conf
play.filters.enabled += "play.filters.headers.SecurityHeadersFilter"
```
§Configuring the security headers
Scaladoc is available in the `play.filters.headers` package.
The filter sets the headers in the HTTP response automatically. Each header is controlled by one of the following configuration keys:

- `play.filters.headers.frameOptions` - sets `X-Frame-Options`, "DENY" by default.
- `play.filters.headers.xssProtection` - sets `X-XSS-Protection`, "1; mode=block" by default.
- `play.filters.headers.contentTypeOptions` - sets `X-Content-Type-Options`, "nosniff" by default.
- `play.filters.headers.permittedCrossDomainPolicies` - sets `X-Permitted-Cross-Domain-Policies`, "master-only" by default.
- `play.filters.headers.referrerPolicy` - sets `Referrer-Policy`, "origin-when-cross-origin, strict-origin-when-cross-origin" by default.
- `play.filters.headers.contentSecurityPolicy` - sets `Content-Security-Policy`, "default-src 'self'" by default.

Note: The `contentSecurityPolicy` property has been deprecated and its default value has been set to `null` in Play 2.7. Please see CspFilter for details.
Any of the headers can be disabled by setting a configuration value of `null`, for example:

```conf
play.filters.headers.frameOptions = null
```
For a full listing of configuration options, see the Play filters
Security headers may be overridden in specific actions using `withHeaders` on the result:

```scala
Ok("Index").withHeaders(SecurityHeadersFilter.REFERRER_POLICY -> "my page-specific header")
```
Any security headers not mentioned in `withHeaders` will use the usual configured values (if present) or the defaults. Action-specific security headers are ignored unless `play.filters.headers.allowActionSpecificHeaders` is set to `true` in the configuration.
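The following controller is an added example, not code from the Play documentation or the Play project. It ties together the two parts above: the configuration keys (shown in the leading comment as the assumed contents of `application.conf`, including the `allowActionSpecificHeaders = true` setting without which the per-action overrides are silently dropped) and `withHeaders` overrides that relax exactly one header per action while every other header keeps its configured or default value. `HeadersController`, `embeddable` and `restricted` are hypothetical names, and the example assumes the `SecurityHeadersFilter` companion object exposes an `X_FRAME_OPTIONS_HEADER` constant alongside the `REFERRER_POLICY` constant used above.

```scala
// Added example, not from the Play docs or the Play project.
// Assumes application.conf contains (values other than the last line are the
// page's defaults, restated so the full policy is visible in one place):
//
//   play.filters.enabled += "play.filters.headers.SecurityHeadersFilter"
//   play.filters.headers.frameOptions = "DENY"
//   play.filters.headers.contentTypeOptions = "nosniff"
//   play.filters.headers.referrerPolicy = "strict-origin-when-cross-origin"
//   play.filters.headers.allowActionSpecificHeaders = true   # needed for withHeaders overrides
//
// HeadersController, embeddable and restricted are hypothetical names.
package controllers

import javax.inject.Inject
import play.api.mvc._
import play.filters.headers.SecurityHeadersFilter

class HeadersController @Inject() (cc: ControllerComponents) extends AbstractController(cc) {

  // Ordinary page: no overrides, so the filter applies the configured values
  // (X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy from config, ...).
  def index: Action[AnyContent] = Action {
    Ok("Index")
  }

  // A widget that must be embeddable in a frame on the same origin.
  // Only X-Frame-Options is relaxed, and only to SAMEORIGIN: setting it to null
  // in configuration would remove clickjacking protection for every page, whereas
  // this override narrows the change to the one action that needs it.
  def embeddable: Action[AnyContent] = Action {
    Ok("Widget").withHeaders(
      SecurityHeadersFilter.X_FRAME_OPTIONS_HEADER -> "SAMEORIGIN"
    )
  }

  // A page whose URL may carry sensitive path or query data: send no Referer at all
  // when the user follows a link away from it. All other headers stay as configured.
  def restricted: Action[AnyContent] = Action {
    Ok("Private").withHeaders(
      SecurityHeadersFilter.REFERRER_POLICY -> "no-referrer"
    )
  }
}
```

After wiring these actions into `conf/routes`, a quick check is to request each route with `curl -I` against the running application and confirm that `index` carries every configured header, that `embeddable` differs only in `X-Frame-Options`, and that `restricted` differs only in `Referrer-Policy`. If the overrides do not appear at all, the usual cause is a missing `allowActionSpecificHeaders = true`.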