HTTP::SecureHeaders - manage security headers with many safe defaults
use HTTP::SecureHeaders; use Plack::Util; my $secure_headers = HTTP::SecureHeaders->new( 'content_security_policy' => "default-src 'self' https:", ); my $data = []; my $headers = Plack::Util::headers($data); $secure_headers->apply($headers); $data # => # 'Content-Security-Policy' => "default-src 'self' https:", # 'Strict-Transport-Security' => 'max-age=631138519', # 'X-Content-Type-Options' => 'nosniff', # 'X-Download-Options' => 'noopen', # 'X-Frame-Options' => 'SAMEORIGIN', # 'X-Permitted-Cross-Domain-Policies' => 'none', # 'X-XSS-Protection' => '1; mode=block', # 'Referrer-Policy' => 'strict-origin-when-cross-origin',
HTTP::SecureHeaders manages HTTP headers to protect against XSS attacks, insecure connections, content type sniffing, etc.
NOTE: To protect against these attacks, sanitization of user input values and other protections are also required.
new method is HTTP::SecureHeaders constructor. The following arguments are available.
new
my $secure_headers = HTTP::SecureHeaders->new( content_security_policy => "default-src 'self'", strict_transport_security => 'max-age=631138519; includeSubDomains', x_content_type_options => 'nosniff', x_download_options => 'noopen', x_frame_options => 'DENY', x_permitted_cross_domain_policies => 'none', x_xss_protection => '1', referrer_policy => 'no-referrer', );
By default, the following HTTP headers are set. This default value refers to the following sites https://github.com/github/secure_headers#default-values.
my $secure_headers = HTTP::SecureHeaders->new() # => Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline' Strict-Transport-Security: max-age=631138519 X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin,
Apply the HTTP headers set in HTTP::SecureHeaders to $headers. $headers must be HTTP::Headers or Plack::Util::headers ( HasMethods['exists', 'get', 'set'] ).
NOTE: HTTP header already set in $headers are not applied:
my $secure_headers = HTTP::SecureHeaders->new( 'x_frame_options' => 'SAMEORIGIN', ); my $res = Plack::Response->new; $res->header('X-Frame-Options', 'DENY'); $secure_headers->apply($res->headers); $res->header('X-Frame-Options') # => DENY / NOT SAMEORIGIN!
For unnecessary HTTP header, use undef in the constructor.
my $secure_headers = HTTP::SecureHeaders->new( content_security_policy => undef, ) my $res = Plack::Response->new; $secure_headers->apply($res->headers); $res->header('Content-Security-Policy'); # => undef
For temporarily unnecessary HTTP header, use OPT_OUT:
my $secure_headers = HTTP::SecureHeaders->new(); my $res = Plack::Response->new; $res->header('Content-Security-Policy', HTTP::SecureHeaders::OPT_OUT); $secure_headers->apply($res->headers); $res->header('Content-Security-Policy'); # => undef
NOTE: If you use undef instead of OPT_OUT, HTTP::Headers cannot remove them.
my $secure_headers = HTTP::SecureHeaders->new(); my $res = Plack::Response->new; $res->header('Content-Security-Policy', undef); # use undef instead of OPT_OUT $secure_headers->apply($res->headers); $res->header('Content-Security-Policy'); # => SAMEORIGIN / NO!!!
Copyright (C) kfly8.
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
kfly8 <kfly@cpan.org>
To install HTTP::SecureHeaders, copy and paste the appropriate command in to your terminal.
cpanm
cpanm HTTP::SecureHeaders
CPAN shell
perl -MCPAN -e shell install HTTP::SecureHeaders
For more information on module installation, please visit the detailed CPAN module installation guide.