Where can I set security HTTP headers in a Play! framework web application project? I want to set headers like X-Content-Type-Options to nosniff and X-Frame-Options to DENY.
I have tried to set these headers in the nginx.conf file, but it is not working with the ZAP tool, as ZAP is giving an alert that these headers are missing after I set them in this file.
link: https://github.com/playframework/playframework/pull/2524
I have tried the solution in the documentation on Configuring Security Headers, but the class SecurityHeadersFilter is not present in the package mentioned there.
I am using Play! 2.2.1 and Java is used for the controllers.
Probably the best place to do this is nginx if you're using it as a reverse proxy for your Play app. Instead of adding the headers in your nginx configuration's http section (as per your comment), try adding them in a server block.
```nginx
server {
    listen 80;
    server_name *.something.com;

    location /stuff {
        alias ../;
        # add_header directives in a location block replace any add_header
        # inherited from the enclosing server/http blocks, so the full set
        # has to be listed here.
        add_header X-Frame-Options deny;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' ssl.google-analytics.com; img-src 'self' ssl.google-analytics.com";
    }
    ...
}
```
This results in the headers being correctly set.
Using the OWASP ZAP tool I can verify that the header is set correctly. With the X-Frame-Options header not set:
When the X-Frame-Options header is set:
Upgrade to Play 2.3.1 and follow the configure security headers instructions on the playframework site. Note that the upgrade to 2.3.1 is essential, as 2.3.0 contains a bug which requires a workaround to make it happen.
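For a Java-controllers project on Play 2.3.1, this is what registering the built-in filter looks like; it is an added example, not code from the question or either answer, and it assumes build.sbt already has `libraryDependencies += filters` and that the configuration keys match the Play 2.3 documentation.

```java
// Global.java (default package): registers Play's SecurityHeadersFilter so the
// application itself emits the headers, independent of any nginx in front of it.
import play.GlobalSettings;
import play.api.mvc.EssentialFilter;
import play.filters.headers.SecurityHeadersFilter;

public class Global extends GlobalSettings {

    // Every filter returned here wraps every action; the raw Class[] is what
    // the Play 2.3 docs use, hence the unchecked-cast suppression.
    @Override
    @SuppressWarnings("unchecked")
    public <T extends EssentialFilter> Class<T>[] filters() {
        return new Class[] { SecurityHeadersFilter.class };
    }
}

/* conf/application.conf: values the filter sends (keys assumed from the
 * Play 2.3 docs; omit a key to keep that header's default).
 *
 *   play.filters.headers.frameOptions = "DENY"
 *   play.filters.headers.xssProtection = "1; mode=block"
 *   play.filters.headers.contentTypeOptions = "nosniff"
 *   play.filters.headers.permittedCrossDomainPolicies = "master-only"
 *   play.filters.headers.contentSecurityPolicy = "default-src 'self'"
 */
```

After restarting, rerun the ZAP scan (or inspect a response with your browser's network panel) to confirm the X-Frame-Options and X-Content-Type-Options alerts are gone.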