HTTP::SecureHeaders - manage security headers with many safe defaults


    use HTTP::SecureHeaders;
    use Plack::Util;

    my $secure_headers = HTTP::SecureHeaders->new(
        'content_security_policy' => "default-src 'self' https:",

    my $data = [];
    my $headers = Plack::Util::headers($data);


    # =>
    #    'Content-Security-Policy'           => "default-src 'self' https:",
    #    'Strict-Transport-Security'         => 'max-age=631138519',
    #    'X-Content-Type-Options'            => 'nosniff',
    #    'X-Download-Options'                => 'noopen',
    #    'X-Frame-Options'                   => 'SAMEORIGIN',
    #    'X-Permitted-Cross-Domain-Policies' => 'none',
    #    'X-XSS-Protection'                  => '1; mode=block',
    #    'Referrer-Policy'                   => 'strict-origin-when-cross-origin',


HTTP::SecureHeaders manages HTTP headers to protect against XSS attacks, insecure connections, content type sniffing, etc.

NOTE: To protect against these attacks, sanitization of user input values and other protections are also required.



new method is HTTP::SecureHeaders constructor. The following arguments are available.

    my $secure_headers = HTTP::SecureHeaders->new(
        content_security_policy           => "default-src 'self'",
        strict_transport_security         => 'max-age=631138519; includeSubDomains',
        x_content_type_options            => 'nosniff',
        x_download_options                => 'noopen',
        x_frame_options                   => 'DENY',
        x_permitted_cross_domain_policies => 'none',
        x_xss_protection                  => '1',
        referrer_policy                   => 'no-referrer',

By default, the following HTTP headers are set. This default value refers to the following sites

    my $secure_headers = HTTP::SecureHeaders->new()
    # =>

    Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
    Strict-Transport-Security: max-age=631138519
    X-Content-Type-Options: nosniff
    X-Download-Options: noopen
    X-Frame-Options: SAMEORIGIN
    X-Permitted-Cross-Domain-Policies: none
    X-XSS-Protection: 1; mode=block
    Referrer-Policy: strict-origin-when-cross-origin,


Apply the HTTP headers set in HTTP::SecureHeaders to $headers. $headers must be HTTP::Headers or Plack::Util::headers ( HasMethods['exists', 'get', 'set'] ).

NOTE: HTTP header already set in $headers are not applied:

    my $secure_headers = HTTP::SecureHeaders->new(
        'x_frame_options' => 'SAMEORIGIN',

    my $res = Plack::Response->new;
    $res->header('X-Frame-Options', 'DENY');

    $res->header('X-Frame-Options') # => DENY / NOT SAMEORIGIN!


Remove unnecessary HTTP header

For unnecessary HTTP header, use undef in the constructor.

    my $secure_headers = HTTP::SecureHeaders->new(
        content_security_policy => undef,

    my $res = Plack::Response->new;
    $res->header('Content-Security-Policy'); # => undef

For temporarily unnecessary HTTP header, use OPT_OUT:

    my $secure_headers = HTTP::SecureHeaders->new();

    my $res = Plack::Response->new;
    $res->header('Content-Security-Policy', HTTP::SecureHeaders::OPT_OUT);

    $res->header('Content-Security-Policy'); # => undef

NOTE: If you use undef instead of OPT_OUT, HTTP::Headers cannot remove them.

    my $secure_headers = HTTP::SecureHeaders->new();

    my $res = Plack::Response->new;
    $res->header('Content-Security-Policy', undef); # use undef instead of OPT_OUT

    $res->header('Content-Security-Policy'); # => SAMEORIGIN / NO!!!



Copyright (C) kfly8.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.


kfly8 <>