techgaun/plug_secex
PlugSecex

Plug that adds various HTTP Headers to make Phoenix/Elixir app more secure

Installation

The package can be installed from Hex as follows.

Add plug_secex to your list of dependencies in mix.exs:

def deps do
  [{:plug_secex, "~> 0.1.3"}]
end

Or you can install it directly from GitHub:

def deps do
  [{:plug_secex, github: "techgaun/plug_secex"}]
end

Example

If you are using Phoenix, you can put the plug in web/router.ex.

pipeline :browser do
  plug PlugSecex
end

You can also override a particular set of headers, or disable some of them entirely.

pipeline :browser do
  plug PlugSecex,
    overrides: [
      "x-dns-prefetch-control": "on",
      "x-frame-options": "DENY",
      "custom-header": "value"
    ],
    except: [
      "x-powered-by"
    ]
end

If you need to determine one of these at run time, for instance to use a content security policy that allows resources from a location configured in environment variables, you can pass a "module, function, arguments" tuple instead. PlugSecex calls that function with those arguments, and it must return a list of the same shape as in the previous example.

pipeline :browser do
  plug PlugSecex,
    overrides: {MyModule, :overrides, [arg1, arg2]},
    except: {MyModule, :exceptions, [arg3]}
end
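As an added example (not code from the plug_secex project), here is the kind of module such a tuple could point at. It builds the content-security-policy value from an assumed CDN_HOST environment variable and tightens the packaged default, which permits 'unsafe-inline' and 'unsafe-eval'. The module name, the CDN_HOST variable and the env argument are assumptions made for this example.

```elixir
defmodule MyAppWeb.SecurityHeaders do
  @moduledoc """
  Builds PlugSecex option lists at run time (assumed module name).

  Router usage, with the environment atom baked in by the caller:

      plug PlugSecex,
        overrides: {MyAppWeb.SecurityHeaders, :overrides, [:prod]},
        except: {MyAppWeb.SecurityHeaders, :exceptions, [:prod]}
  """

  # Must return a keyword list of the same shape as the static
  # `overrides:` example. The CDN host is read from CDN_HOST
  # (an assumed variable) when the plug calls this function.
  def overrides(env, cdn_host \\ System.get_env("CDN_HOST")) do
    cdn = if cdn_host in [nil, ""], do: "", else: " " <> cdn_host

    # Tighter than the packaged default: no 'unsafe-eval' anywhere and
    # scripts only from self plus the configured CDN. 'unsafe-inline'
    # for styles is kept only outside :prod so dev tooling keeps working.
    style_src =
      if env == :prod, do: "'self'#{cdn}", else: "'self'#{cdn} 'unsafe-inline'"

    [
      "content-security-policy":
        "default-src 'self'; " <>
          "script-src 'self'#{cdn}; " <>
          "style-src #{style_src}; " <>
          "img-src 'self' data:#{cdn}; " <>
          "frame-ancestors 'none'",
      "x-frame-options": "DENY",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    ]
  end

  # Returns the header names PlugSecex should leave out.
  def exceptions(:prod), do: []
  # An HSTS header on a plain-http development server only confuses
  # the browser, so it is skipped outside :prod.
  def exceptions(_env), do: ["strict-transport-security"]
end
```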

The supported headers and their default values are:

"x-content-type-options": "nosniff",
"x-dns-prefetch-control": "off",
"strict-transport-security": "max-age=31536000",
"x-xss-protection": "1; mode=block",
"x-frame-options": "SAMEORIGIN",
"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'",
"cross-origin-window-policy": "deny",
"x-download-options": "noopen",
"x-permitted-cross-domain-policies": "none"

The headers that are removed by default are:

"x-powered-by",
"server"
