PlugSecex

Plug that adds various HTTP Headers to make Phoenix/Elixir app more secure

Warning: This is work in progress.

Installation

The package can be installed from Hex by adding plug_secex to your list of dependencies in mix.exs:

def deps do
  [{:plug_secex, "~> 0.1.1"}]
end

Or you can install it directly from GitHub:

def deps do
  [{:plug_secex, github: "techgaun/plug_secex"}]
end

Example

If you are using Phoenix, you can put the plug in a pipeline in web/router.ex:

pipeline :browser do
  plug PlugSecex
end

You can also override the value of particular headers (or add your own) with overrides, and disable particular headers with except:

pipeline :browser do
  plug PlugSecex,
    overrides: [
      "x-dns-prefetch-control": "on",
      "x-frame-options": "DENY",
      "custom-header": "value"
    ],
    except: [
      "x-powered-by"
    ]
end
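The default content-security-policy shown below permits 'unsafe-inline' and 'unsafe-eval', which lets an injected inline script run, and the default strict-transport-security covers only the exact host; the x-xss-protection header relies on a browser XSS auditor that current browsers have removed, so the CSP is what actually limits script injection. The following router is an added example, not code from the plug's README, showing how to use overrides to replace those two defaults with stricter values. The policy values are assumptions for a hypothetical app (MyAppWeb) that serves every script and stylesheet from its own origin; adjust them to what the app really loads.

```elixir
# Added example: a hardened PlugSecex configuration in a Phoenix router.
# Not part of the plug's own README; MyAppWeb and the policy values are
# assumptions for a hypothetical app that loads scripts and styles only
# from its own origin.
defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery

    plug PlugSecex,
      overrides: [
        # Without 'unsafe-inline' and 'unsafe-eval', injected inline
        # scripts and eval-based payloads are refused by the browser.
        # object-src 'none' disables plugin content, base-uri 'self'
        # stops <base> hijacking of relative URLs, and frame-ancestors
        # 'none' is the CSP-level equivalent of x-frame-options: DENY.
        "content-security-policy":
          "default-src 'self'; script-src 'self'; style-src 'self'; " <>
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        # One year, applied to subdomains too, so no subdomain falls back
        # to plain HTTP. Only send this once the whole site serves HTTPS,
        # because browsers cache it for the full max-age.
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "x-frame-options": "DENY"
      ]
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    get "/", PageController, :index
  end
end
```

If the app does need inline scripts, prefer a per-request nonce or a hash in script-src over reintroducing 'unsafe-inline'; the override mechanism above accepts any string, so the policy can be tightened incrementally while checking the browser console for blocked resources.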

The supported headers and their default values are:

"x-content-type-options": "nosniff",
"x-dns-prefetch-control": "off",
"strict-transport-security": "max-age=31536000",
"x-xss-protection": "1; mode=block",
"x-frame-options": "SAMEORIGIN",
"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'",
"cross-origin-window-policy": "deny",
"x-download-options": "noopen",
"x-permitted-cross-domain-policies": "none"

The headers that are removed by default are:

"x-powered-by",
"server"
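Because a header that is silently missing gives no protection, it is worth asserting in the test suite that the plug produces the headers documented above and strips the identifying ones. The ExUnit test below is an added example, not part of the plug's own test suite. It assumes only that PlugSecex is a standard Plug (init/1 and call/2, as the router usage implies) and that any header work the plug defers to a before_send callback has run once send_resp/3 returns; the "Phoenix" and "Cowboy" header values are constructed inputs that stand in for a framework and server advertising themselves.

```elixir
# Added example: ExUnit test for the response headers PlugSecex produces.
# Not part of the plug's own tests. Assumes PlugSecex implements the
# standard Plug callbacks init/1 and call/2.
defmodule PlugSecexHeadersTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # Run the plug over a blank GET request and send an empty body so that
  # before_send callbacks, if the plug registers any, have fired.
  defp headers_after(opts) do
    conn(:get, "/")
    # Constructed inputs: headers a framework or server would normally add
    # and that the plug is documented to remove.
    |> put_resp_header("x-powered-by", "Phoenix")
    |> put_resp_header("server", "Cowboy")
    |> PlugSecex.call(PlugSecex.init(opts))
    |> send_resp(200, "")
  end

  test "default configuration sets the documented headers" do
    conn = headers_after([])

    assert get_resp_header(conn, "x-content-type-options") == ["nosniff"]
    assert get_resp_header(conn, "x-frame-options") == ["SAMEORIGIN"]
    assert get_resp_header(conn, "x-dns-prefetch-control") == ["off"]
    assert get_resp_header(conn, "strict-transport-security") == ["max-age=31536000"]
    assert get_resp_header(conn, "x-permitted-cross-domain-policies") == ["none"]
  end

  test "default configuration removes identifying headers" do
    conn = headers_after([])

    assert get_resp_header(conn, "x-powered-by") == []
    assert get_resp_header(conn, "server") == []
  end

  test "overrides replace defaults and except disables a header" do
    conn =
      headers_after(
        overrides: ["x-frame-options": "DENY", "custom-header": "value"],
        except: ["x-dns-prefetch-control"]
      )

    assert get_resp_header(conn, "x-frame-options") == ["DENY"]
    assert get_resp_header(conn, "custom-header") == ["value"]
    # A header listed under except is not emitted by the plug at all.
    assert get_resp_header(conn, "x-dns-prefetch-control") == []
  end
end
```

Run it with mix test; if a later release of the plug changes a default, the failing assertion points at exactly which header moved, which is the kind of regression a security header is easy to lose without noticing.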