NAME

PAGI::Middleware::SecurityHeaders - Security headers middleware

SYNOPSIS

use PAGI::Middleware::Builder;

my $app = builder {
    enable 'SecurityHeaders',
        x_frame_options         => 'DENY',
        x_content_type_options  => 'nosniff',
        x_xss_protection        => '1; mode=block',
        strict_transport_security => 'max-age=31536000; includeSubDomains';
    $my_app;
};

DESCRIPTION

PAGI::Middleware::SecurityHeaders adds common security-related HTTP headers to every response. These headers ask the browser to enforce protections such as framing restrictions, strict MIME-type handling, referrer limits, and HTTPS-only access, as described under SECURITY HEADERS.

CONFIGURATION

  • x_frame_options (default: 'SAMEORIGIN')

    Controls whether the page can be displayed in a frame. Values: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'.

  • x_content_type_options (default: 'nosniff')

    Prevents MIME type sniffing.

  • x_xss_protection (default: '1; mode=block')

    Enables XSS filter in browsers.

  • referrer_policy (default: 'strict-origin-when-cross-origin')

    Controls the Referer header.

  • strict_transport_security (default: undef)

    Strict-Transport-Security (HSTS) header. Not sent unless set; set it to a value such as 'max-age=31536000; includeSubDomains' to enforce HTTPS.

  • content_security_policy (default: undef)

    Content-Security-Policy (CSP) header. Not sent unless set; set it to the policy string that defines the approved content sources.

  • permissions_policy (default: undef)

    Permissions-Policy header, controlling which browser features the page may use. Not sent unless set.

SECURITY HEADERS

X-Frame-Options

Protects against clickjacking attacks by controlling whether the page can be displayed in an iframe.

X-Content-Type-Options

Prevents browsers from MIME-sniffing responses, that is, from inferring a content type from the body and interpreting it as something other than the declared Content-Type, which can turn uploaded or user-controlled content into executable script.

X-XSS-Protection

Enables the browser's XSS filter.

Referrer-Policy

Controls how much referrer information is sent with requests.

Strict-Transport-Security

Forces browsers to only use HTTPS for future requests to this domain.

Content-Security-Policy

Defines approved sources for content, helping prevent XSS and data injection.
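The audit script below is an added example and is not part of PAGI or this middleware. It checks a response's header set against the headers and defaults listed under CONFIGURATION and the purposes described under SECURITY HEADERS: presence of each default header, a recognised X-Frame-Options value (flagging the legacy ALLOW-FROM form, which current browsers ignore), 'nosniff', an HSTS max-age and includeSubDomains, and CSP script sources that allow inline or eval. The one-year HSTS threshold and the sample header values are assumptions constructed for the example.

```python
"""Audit an HTTP response's security headers against the set that
PAGI::Middleware::SecurityHeaders emits. Added example, not part of PAGI;
all header values below are constructed."""
import re

# Header -> middleware default (None: not sent unless configured), per CONFIGURATION.
DEFAULTS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": None,
    "Content-Security-Policy": None,
    "Permissions-Policy": None,
}

def hsts_max_age(value):
    """Return the max-age (seconds) from an HSTS value, or None if it has none."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def csp_directive(value, name):
    """Return the source list of one CSP directive (e.g. 'script-src'), or None."""
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return [p.lower() for p in parts[1:]]
    return None

def audit(headers, min_hsts_age=31536000):
    """Return a list of findings; empty means every check passed. Names are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # Presence: headers the middleware sends by default should always be there;
    # HSTS and CSP are off by default (undef), so report them as not enabled.
    for name, default in DEFAULTS.items():
        if name.lower() not in h:
            if default is not None:
                findings.append(f"{name} missing (middleware default is {default!r})")
            elif name != "Permissions-Policy":
                findings.append(f"{name} missing (not enabled in the middleware config)")
    # X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
    xfo = h.get("x-frame-options", "").upper()
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by current browsers; "
                        "use Content-Security-Policy frame-ancestors instead")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")
    # X-Content-Type-Options: 'nosniff' is the only value browsers act on.
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got {xcto!r}")
    # Strict-Transport-Security: a short or missing max-age gives little protection.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("Strict-Transport-Security has no max-age directive")
        elif age < min_hsts_age:
            findings.append(f"Strict-Transport-Security max-age {age} is below {min_hsts_age}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    # Content-Security-Policy: inline or eval script sources undo most of its XSS value.
    csp = h.get("content-security-policy")
    if csp is not None:
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"Content-Security-Policy allows {weak} for scripts")
    return findings

# Constructed sample: a hardened response with every builder option set.
GOOD_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Permissions-Policy": "camera=(), microphone=()",
}
# Constructed sample: the undef options left unset, plus a legacy ALLOW-FROM value.
WEAK_HEADERS = {
    "x-frame-options": "ALLOW-FROM https://example.com",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit(hdrs) or ["ok"])
```

Run it against the headers captured from a real response (for example the output of curl -sI) to confirm the builder configuration actually reaches the client; a reverse proxy or CDN in front of the application can strip or override these headers, so the check belongs at the edge, not only in unit tests.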

SEE ALSO

PAGI::Middleware - Base class for middleware