File Coverage

blib/lib/Dancer/Plugin/SecureHeaders.pm
Criterion Covered Total %
statement 17 17 100.0
branch 2 2 100.0
condition n/a
subroutine 5 5 100.0
pod n/a
total 24 24 100.0


line stmt bran cond sub pod time code
1             package Dancer::Plugin::SecureHeaders;
2              
3 2     2   647796 use strict;
  2         5  
  2         75  
4 2     2   10 use warnings;
  2         4  
  2         61  
5              
6 2     2   1201 use Dancer ':syntax';
  2         327781  
  2         14  
7 2     2   3302 use Dancer::Plugin;
  2         2844  
  2         4968  
8              
9             =head1 NAME
10              
11             Dancer::Plugin::SecureHeaders - Automate HTTP Security headers.
12              
13             =head1 VERSION
14              
15             Version 1.0.3
16              
17             =cut
18              
19             =for HTML
20              
21             =cut
22              
23             our $VERSION = '1.0.3';
24              
25             =head1 DESCRIPTION
26              
27             Automatically add HTTP Security Headers to responses.
28              
29             =head1 SYNOPSIS
30              
31             Provides sensible default HTTP Security headers. Allows setting the headers in the plugin configuration.
32              
33             Will not override any headers set manually.
34              
35             =head1 SETTINGS
36              
37             =head2 Frame-Options
38              
39             Sets the B<X-Frame-Options> header. Defaults to B<"DENY">.
40              
41             =head2 Content-Security-Policy
42              
43             Sets the B<X-Content-Security-Policy> header. Defaults to B<"default-src 'self'">.
44              
45             Specification for this header is available at L.
46              
47             =head2 IE-Settings
48              
49             Determines whether to supply IE-specific headers.
50              
51             =head2 IE-Content-Type-Options
52              
53             Sets the B<X-Content-Type-Options> header for IE. Defaults to B<"nosniff">.
54              
55             =head2 IE-Download-Options
56              
57             Sets the B<X-Download-Options> header for IE. Defaults to B<'noopen'>.
58              
59             =head2 IE-XSS-Protection
60              
61             Sets the B<X-XSS-Protection> header. Defaults to B<"1; 'mode=block'">.
62              
63             =head1 Example Settings (default)
64              
65             =begin :text
66              
67             plugins:
68             SecureHeaders:
69             Frame-Options: "DENY"
70             Content-Security-Policy: "default-src 'self'"
71             IE-Settings: 1
72             IE-Content-Type-Options: "nosniff"
73             IE-Download-Options: "noopen"
74             IE-XSS-Protection: "1; 'mode=block'"
75              
76             =end :text
77              
78             =cut
79              
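# Plugin configuration, read once when this module is loaded. Each header
# value below falls back to a built-in default when the setting is absent.
my $settings = plugin_setting;

# '||' is kept for these values: an unset, empty or "0" setting falls back
# to the default rather than sending a meaningless header value.
my $frame_options = $settings->{'Frame-Options'} || 'DENY';
my $content_security_policy = $settings->{'Content-Security-Policy'} || "default-src 'self'";

# IE-Settings is an on/off switch that defaults to on. It is tested with
# defined() so that an explicit false value (for example "IE-Settings: 0")
# really switches the IE-specific headers off; with '|| 1' the switch could
# never be turned off.
my $ie_settings = defined $settings->{'IE-Settings'}
    ? $settings->{'IE-Settings'}
    : 1;

my $ie_content_type = $settings->{'IE-Content-Type-Options'} || 'nosniff';
my $ie_download_options = $settings->{'IE-Download-Options'} || 'noopen';

# "0" is a meaningful X-XSS-Protection value (it disables the browser's XSS
# filter), so only an unset or empty setting falls back to the default.
# NOTE(review): the usual syntax for this header is "1; mode=block" with no
# quotes around mode=block. The quoted default is kept because it is the
# module's documented default - confirm how browsers parse it and correct
# the default and the documentation together.
my $configured_xss = $settings->{'IE-XSS-Protection'};
my $ie_xss_protection = ( defined $configured_xss && length $configured_xss )
    ? $configured_xss
    : "1; 'mode=block'";

# After each request has been handled, add the security headers to the
# response. _add_header() leaves alone any header the response already has.
hook after => sub {
    my $res = shift;

    _add_header('X-Frame-Options', $frame_options, $res);

    # NOTE(review): X-Content-Security-Policy is the legacy, vendor-prefixed
    # header name; current browsers enforce only the unprefixed
    # Content-Security-Policy header, so with this name alone the policy is
    # not applied there. Sending the unprefixed header as well would start
    # enforcing the policy for existing applications, so that change is
    # flagged here rather than made silently.
    _add_header('X-Content-Security-Policy', $content_security_policy, $res);

    # These three are gated only by the IE-Settings switch; nothing here
    # looks at the requesting browser, so they go out on every response.
    if ($ie_settings) {
        _add_header('X-Content-Type-Options', $ie_content_type, $res);
        _add_header('X-Download-Options', $ie_download_options, $res);
        _add_header('X-XSS-Protection', $ie_xss_protection, $res);
    }

};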
100              
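# Set the response header $key to $value unless the response already has it.
#
# Arguments, in order:
#   $key   - header name
#   $value - header value to use when the header is not yet present
#   $res   - response object; only its header() method is used, as a getter
#            with one argument and as a setter with two
#
# Headers set by the application are never overwritten.
sub _add_header {
    my ( $key, $value, $res ) = @_;

    # Presence is tested with defined(), not truth: a header the application
    # set to a false string such as "0" (for example "X-XSS-Protection: 0")
    # is a deliberate choice and must not be replaced by the plugin default.
    # NOTE(review): assumes header($key) returns undef when the header is
    # not set - confirm against the response class in use.
    unless ( defined( $res->header($key) ) ) {
        $res->header( $key, $value );
    }
}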
110              
111             =head1 AUTHOR
112              
113             Ewen, Colin, C<< >>
114              
115             =head1 BUGS
116              
117             Please report any bugs or feature requests to C, or through
118             the web interface at L. I will be notified, and then you'll
119             automatically be notified of progress on your bug as I make changes.
120              
121              
122              
123              
124             =head1 SUPPORT
125              
126             You can find documentation for this module with the perldoc command.
127              
128             perldoc Dancer::Plugin::SecureHeaders
129              
130              
131             You can also look for information at:
132              
133             =over 4
134              
135             =item * RT: CPAN's request tracker (report bugs here)
136              
137             L
138              
139             =item * AnnoCPAN: Annotated CPAN documentation
140              
141             L
142              
143             =item * CPAN Ratings
144              
145             L
146              
147             =item * Search CPAN
148              
149             L
150              
151             =back
152              
153              
154             =head1 ACKNOWLEDGEMENTS
155              
156              
157             =head1 LICENSE AND COPYRIGHT
158              
159             Copyright 2014 Ewen, Colin.
160              
161             This program is free software; you can redistribute it and/or modify it
162             under the terms of the Artistic License (2.0). You may obtain a
163             copy of the full license at:
164              
165             L
166              
167             Any use, modification, and distribution of the Standard or Modified
168             Versions is governed by this Artistic License. By using, modifying or
169             distributing the Package, you accept this license. Do not use, modify,
170             or distribute the Package, if you do not accept this license.
171              
172             If your Modified Version has been derived from a Modified Version made
173             by someone other than you, you are nevertheless required to ensure that
174             your Modified Version complies with the requirements of this license.
175              
176             This license does not grant you the right to use any trademark, service
177             mark, tradename, or logo of the Copyright Holder.
178              
179             This license includes the non-exclusive, worldwide, free-of-charge
180             patent license to make, have made, use, offer to sell, sell, import and
181             otherwise transfer the Package with respect to any patent claims
182             licensable by the Copyright Holder that are necessarily infringed by the
183             Package. If you institute patent litigation (including a cross-claim or
184             counterclaim) against any party alleging that the Package constitutes
185             direct or contributory patent infringement, then this Artistic License
186             to you shall terminate on the date that such litigation is filed.
187              
188             Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
189             AND CONTRIBUTORS "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
190             THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
191             PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY
192             YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR
193             CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR
194             CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE,
195             EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
196              
197              
198             =cut
199              
# register_plugin is imported from Dancer::Plugin; it is called here with no
# arguments, once every setting and hook above has been declared.
register_plugin();

# A module file has to end by evaluating to a true value.
1;