Security Headers
SecurityMiddleware adds security-related HTTP headers to protect against common web vulnerabilities.
Basic Usage

```scala
// All security headers with defaults
server.use(SecurityMiddleware())
```

Configuration
```scala
server.use(SecurityMiddleware(SecurityMiddleware.Options(
  // Content Security Policy
  contentSecurityPolicy = true,
  cspDirectives = Map(
    "default-src" -> "'self'",
    "script-src"  -> "'self'",
    "img-src"     -> "'self' data:",
    "style-src"   -> "'self' 'unsafe-inline'",
  ),

  // Frame protection
  frameguard = true,
  frameguardAction = "DENY", // or "SAMEORIGIN"

  // HSTS
  hsts = true,
  hstsMaxAge = 15552000, // 180 days
  hstsIncludeSubDomains = true,
  hstsPreload = false,

  // Cross-Origin policies
  crossOriginEmbedderPolicy = true,
  crossOriginOpenerPolicy = true,
  crossOriginResourcePolicy = true,

  // Other protections
  noSniff = true,
  xssFilter = true,
  xssFilterMode = "1; mode=block",
  referrerPolicy = true,
  referrerPolicyDirective = "no-referrer",
  dnsPrefetchControl = true,
  ieNoOpen = true,
  originAgentCluster = true,
  permittedCrossDomainPolicies = "none",
  expectCt = true,
  expectCtMaxAge = 86400,
  expectCtEnforce = true,
)))
```

Options Reference
| Option | Default | Description |
|---|---|---|
| contentSecurityPolicy | true | Enable CSP header |
| cspDirectives | default-src 'self' | CSP directive map |
| frameguard | true | X-Frame-Options |
| frameguardAction | "DENY" | DENY or SAMEORIGIN |
| hsts | true | Strict-Transport-Security |
| hstsMaxAge | 15552000 | HSTS max-age (seconds) |
| hstsIncludeSubDomains | true | Include subdomains in HSTS |
| hstsPreload | false | HSTS preload flag |
| crossOriginEmbedderPolicy | true | COEP header |
| crossOriginOpenerPolicy | true | COOP header |
| crossOriginResourcePolicy | true | CORP header |
| noSniff | true | X-Content-Type-Options: nosniff |
| xssFilter | true | X-XSS-Protection |
| referrerPolicy | true | Referrer-Policy |
| referrerPolicyDirective | "no-referrer" | Referrer policy value |
| dnsPrefetchControl | true | X-DNS-Prefetch-Control |
| expectCt | true | Expect-CT header |
Presets

Essential

A minimal set of important security headers:

```scala
server.use(SecurityMiddleware.essential())
```

API

Security headers optimized for JSON API servers:

```scala
server.use(SecurityMiddleware.api())
```

Headers Applied

When fully enabled, the following headers are set:

- Content-Security-Policy
- Cross-Origin-Embedder-Policy: require-corp
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Resource-Policy: same-origin
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options: nosniff
- X-XSS-Protection
- Referrer-Policy
- X-DNS-Prefetch-Control: off
- X-Download-Options: noopen
- Origin-Agent-Cluster: ?1
- X-Permitted-Cross-Domain-Policies: none
- Expect-CT
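Enabling the middleware is only half the job; a practitioner also wants to confirm that the headers above actually reach the client (a reverse proxy or CDN in front of the server can strip or overwrite them). The following audit script is an added example, not code from the SecurityMiddleware project: it takes a response's headers as a dict (as returned by any HTTP client), checks the fixed-value headers from the list above, parses Content-Security-Policy and Strict-Transport-Security to catch weak settings, and reports every problem it finds. The sample response is constructed, not captured from a real server, and the minimum HSTS lifetime is taken from the hstsMaxAge value used on this page. Browsers have deprecated X-XSS-Protection and Expect-CT, so the audit does not require them.

```python
"""Audit an HTTP response's security headers against the set listed above.

Added example, not part of the SecurityMiddleware project. It checks the
headers a client actually received, so it is independent of the server
framework. The sample response below is constructed, not captured.
"""
import re

# Headers whose value the middleware fixes (from the "Headers Applied" list).
FIXED_VALUE = {
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "Origin-Agent-Cluster": "?1",
    "X-Permitted-Cross-Domain-Policies": "none",
}
# Headers that must be present; their values are checked separately below.
REQUIRED = ("Content-Security-Policy", "Strict-Transport-Security",
            "X-Frame-Options", "Referrer-Policy")
# Minimum HSTS lifetime: the hstsMaxAge used on this page (180 days).
MIN_HSTS_MAX_AGE = 15552000

# Constructed sample: what a server with the fully enabled middleware might send.
SAMPLE_HEADERS = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "img-src 'self' data:; style-src 'self' 'unsafe-inline'"),
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "Origin-Agent-Cluster": "?1",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Expect-CT": "max-age=86400, enforce",
}


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value):
    """Return the max-age from an HSTS header, or None if it is absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    for name, want in FIXED_VALUE.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want:
            findings.append(f"{name}: expected {want!r}, got {got!r}")

    csp = h.get("content-security-policy")
    if csp is not None:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append("Content-Security-Policy: no default-src fallback")
        # script-src falls back to default-src when it is not set explicitly.
        script_src = directives.get("script-src", directives.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script_src:
                findings.append(f"Content-Security-Policy: script-src allows {weak}")

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security: max-age below {MIN_HSTS_MAX_AGE}: {hsts!r}")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS) or ["all checks passed"]:
        print(finding)
```

Run it against a live deployment by passing the headers dict from your HTTP client (for example `requests.get(url).headers`) to `audit()`. Note that the style-src 'unsafe-inline' value from the configuration example above is deliberately tolerated here, while the same source in script-src is flagged, since inline scripts are what CSP exists to block; and be aware that Cross-Origin-Embedder-Policy: require-corp prevents the page from loading cross-origin resources that do not themselves send a CORP or CORS header.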