Plug that adds various HTTP Headers to make Phoenix/Elixir app more secure
The package can be installed from hex as:
Add plug_secex to your list of dependencies in mix.exs
:
def deps do
[{:plug_secex, "~> 0.1.3"}]
end
Or you can directly install it from github:
def deps do
[{:plug_secex, github: "techgaun/plug_secex"}]
end
If you are using phoenix, you can put the plug in web/router.ex
.
pipeline :browser do
plug PlugSecex
end
You can also specify to override or disable particular set of headers.
pipeline :browser do
plug PlugSecex,
overrides: [
"x-dns-prefetch-control": "on",
"x-frame-options": "DENY",
"custom-header": "value"
],
except: [
"x-powered-by"
]
end
If you need to determine one of these at run time - for instance, in order to use a content security policy that allows resources from a location configured in environment variables - you can pass a "module, function, arguments" tuple; calling that function with those arguments must return a list as shown in the previous example.
pipeline :browser do
plug PlugSecex,
overrides: {MyModule, :overrides, [arg1, arg2]},
except: {MyModule, :exceptions, [arg3]}
end
The supported headers and their values by default are:
"x-content-type-options": "nosniff",
"x-dns-prefetch-control": "off",
"strict-transport-security": "max-age=31536000",
"x-xss-protection": "1; mode=block",
"x-frame-options": "SAMEORIGIN",
"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'",
"cross-origin-window-policy": "deny",
"x-download-options": "noopen",
"x-permitted-cross-domain-policies": "none"
The headers that are removed by default are:
"x-powered-by",
"server"