
Setting HTTP headers in a Play! framework web application

Where can I set security HTTP headers in a Play! framework web application project? I want to set headers like X-Content-Type-Options to nosniff and X-Frame-Options to DENY.

I have tried to set these headers in nginx.conf file, but it is not working with ZAP tool as ZAP tool is giving an alert that these headers are missing after setting it into this file.

link: https://github.com/playframework/playframework/pull/2524

I have tried the solution in the documentation on Configuring Security Headers, but the class SecurityHeadersFilter is not present in the package mentioned there.

I am using Play! 2.2.1 and Java is used for the controllers.

Probably the best place to do this is nginx if you're using it as a reverse proxy for your Play app. Instead of adding the headers in your nginx configuration's http section (as per your comment), try adding them in a server block.

server {
    listen 80;
    server_name *.something.com;

    location /stuff {
        alias ../;

        # Security headers nginx adds to every response served from this location
        add_header X-Frame-Options deny;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' ssl.google-analytics.com; img-src 'self' ssl.google-analytics.com";
    }
    ...
}

results in the headers being correctly set:

(screenshot: headers set correctly)

Using the OWASP ZAP tool I can verify that the header is set correctly. With the X-Frame-Options header not set:

(screenshot: X-Frame-Options not set)

When the X-Frame-Options header is set:

(screenshot: X-Frame-Options set)

Upgrade to Play 2.3.1 and follow the configure security headers instructions on the playframework site. Note that the upgrade to 2.3.1 is essential as 2.3.0 contains a bug which requires a workaround to make it happen.
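As an added example (not from either answer), for an application that has to stay on Play 2.2.1, where SecurityHeadersFilter does not exist, the same headers as in the nginx block can be set by the application itself by wrapping every action in Global.onRequest, so they are present even when no reverse proxy is in front. It assumes the Play 2.2.x Java API (GlobalSettings.onRequest, Action.Simple, F.Promise and SimpleResult; in 2.3 SimpleResult became Result):

```java
// Global.java, in the default (root) package of a Play 2.2.x Java application.
// Assumption: Play 2.2.x API; in Play 2.3+ replace SimpleResult with Result.
import java.lang.reflect.Method;

import play.GlobalSettings;
import play.libs.F;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.SimpleResult;

public class Global extends GlobalSettings {

    // Every action is wrapped, so the headers are set by the app itself,
    // independently of whether nginx sits in front of it.
    @Override
    public Action onRequest(Http.Request request, Method actionMethod) {
        return new Action.Simple() {
            @Override
            public F.Promise<SimpleResult> call(Http.Context ctx) throws Throwable {
                Http.Response response = ctx.response();
                // Headers set on the context are merged into the action's result.
                response.setHeader("X-Frame-Options", "DENY");
                response.setHeader("X-Content-Type-Options", "nosniff");
                response.setHeader("X-XSS-Protection", "1; mode=block");
                // Same policy as the nginx block in the first answer. The standard
                // header name is Content-Security-Policy; the X- prefixed form is
                // the older experimental name, sent here as well for old browsers.
                String csp = "default-src 'self'; "
                        + "script-src 'self' ssl.google-analytics.com; "
                        + "img-src 'self' ssl.google-analytics.com";
                response.setHeader("Content-Security-Policy", csp);
                response.setHeader("X-Content-Security-Policy", csp);
                return delegate.call(ctx);
            }
        };
    }
}
```

After deploying, re-run the ZAP scan (or `curl -I` against the app) to confirm the "missing header" alerts are gone for responses that bypass the proxy as well.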
