Soli Docs

Security Headers Functions

Automatic security header injection for HTTP responses. Protect your application from common web vulnerabilities with CSP, HSTS, X-Frame-Options, and more.

enable_security_headers() / disable_security_headers()

Enable or disable automatic security header injection on all responses.

Note

Security headers are automatically added to all responses via middleware when enabled.

enable_security_headers()
# All subsequent responses will include configured security headers

disable_security_headers()
# Disable automatic injection

set_csp(policy, report_only?)

Sets the Content-Security-Policy header to prevent XSS attacks.

Parameters
  • policy (String) - CSP policy string
  • report_only (Bool, optional) - Use Content-Security-Policy-Report-Only instead (violations are reported, not blocked)

set_csp("default-src 'self'; script-src 'self' 'unsafe-inline'")
set_csp("script-src 'self' https://cdn.example.com", true)  # Report only

set_hsts(max_age, include_subdomains?, preload?)

Sets the Strict-Transport-Security header to enforce HTTPS.

Parameters
  • max_age (Int) - Max age in seconds (31536000 = 1 year)
  • include_subdomains (Bool, optional) - Include subdomains flag (default: true)
  • preload (Bool, optional) - Add preload directive (default: false)

set_hsts(31536000, true, false)  # 1 year, include subdomains

prevent_clickjacking() / allow_same_origin_frames()

Control framing of your site to prevent clickjacking attacks.

prevent_clickjacking()   # X-Frame-Options: DENY
allow_same_origin_frames()  # X-Frame-Options: SAMEORIGIN

set_content_type_options()

Sets X-Content-Type-Options: nosniff to prevent MIME type sniffing.

set_content_type_options()  # Prevents browsers from interpreting files as a different MIME type

set_xss_protection(mode)

Sets the X-XSS-Protection header. Only legacy browsers honour it; current browsers ignore it, so use CSP for XSS protection.

set_xss_protection("1; mode=block")
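The functions above each map to one response header. The following Python model is an added example, not Soli's implementation, that spells out which header name and value each documented call produces (the CSP enforcing/report-only switch, the HSTS value built from max_age, include_subdomains and preload with the documented defaults, the two X-Frame-Options values, nosniff) and how an enabled middleware merges them into a response. The class name, the apply() method, the rule that a configured header overwrites one already set on the response, and the refusal to emit preload below the hstspreload.org minimum of one year with includeSubDomains are assumptions of this example.

```python
from dataclasses import dataclass, field

# hstspreload.org requires max-age >= 1 year and includeSubDomains before preload
HSTS_PRELOAD_MIN_AGE = 31536000


@dataclass
class SecurityHeaders:
    """Reference model of the documented calls (assumed structure, not Soli's code)."""
    enabled: bool = False
    headers: dict = field(default_factory=dict)

    def enable_security_headers(self):
        self.enabled = True

    def disable_security_headers(self):
        self.enabled = False

    def set_csp(self, policy: str, report_only: bool = False):
        # Keep a single CSP mode: switching to report-only drops the enforcing
        # header and vice versa (assumption; the docs do not say how they interact).
        self.headers.pop("Content-Security-Policy", None)
        self.headers.pop("Content-Security-Policy-Report-Only", None)
        name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
        self.headers[name] = policy

    def set_hsts(self, max_age: int, include_subdomains: bool = True, preload: bool = False):
        if max_age < 0:
            raise ValueError("max_age must be a non-negative number of seconds")
        value = f"max-age={max_age}"
        if include_subdomains:
            value += "; includeSubDomains"
        if preload:
            # A preload token that cannot satisfy the preload-list rules is misleading
            if max_age < HSTS_PRELOAD_MIN_AGE or not include_subdomains:
                raise ValueError("preload requires max-age >= 31536000 and includeSubDomains")
            value += "; preload"
        self.headers["Strict-Transport-Security"] = value

    def prevent_clickjacking(self):
        self.headers["X-Frame-Options"] = "DENY"

    def allow_same_origin_frames(self):
        self.headers["X-Frame-Options"] = "SAMEORIGIN"

    def set_content_type_options(self):
        self.headers["X-Content-Type-Options"] = "nosniff"

    def set_xss_protection(self, mode: str):
        self.headers["X-XSS-Protection"] = mode

    def reset_security_headers(self):
        self.headers.clear()

    def get_security_headers(self) -> dict:
        return dict(self.headers)

    def apply(self, response_headers: dict) -> dict:
        """Middleware step: merge configured headers into a response's headers.
        Header names are case-insensitive, so an existing 'x-frame-options' is
        replaced by the configured 'X-Frame-Options' (precedence is an assumption)."""
        if not self.enabled:
            return dict(response_headers)
        configured = {name.lower() for name in self.headers}
        merged = {k: v for k, v in response_headers.items() if k.lower() not in configured}
        merged.update(self.headers)
        return merged


if __name__ == "__main__":
    cfg = SecurityHeaders()
    cfg.enable_security_headers()
    cfg.set_csp("default-src 'self'; script-src 'self' https://cdn.example.com")
    cfg.set_hsts(31536000, True, True)
    cfg.prevent_clickjacking()
    cfg.set_content_type_options()
    for name, value in cfg.apply({"Content-Type": "text/html"}).items():
        print(f"{name}: {value}")
```

Calling set_csp() twice with different report_only values leaves only the most recent header, which is the behaviour to verify in your own deployment before relying on a report-only rollout.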

Preset Configurations

secure_headers_basic()

Applies basic security headers:

  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff

secure_headers_strict()

Applies strict security headers including:

  • Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin
  • Permissions-Policy: geolocation=(), microphone=(), camera=()
  • Cross-Origin-Embedder-Policy: require-corp

secure_headers_api()

Minimal headers suitable for JSON APIs:

  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin

secure_headers()

Applies recommended security headers for web apps.
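Presets are only useful if the headers actually reach the client, so the check a practitioner wants is an audit of a real response against the set that secure_headers_strict() is documented to apply. The following Python audit is an added example, not part of the Soli docs: it compares header names case-insensitively, compares CSP as a set of directives so ordering differences are not false alarms, accepts an HSTS policy that is at least as strong as the preset's (longer max-age, extra preload token), and flags CSP source expressions that weaken XSS protection. Note that the preset's own script-src includes 'unsafe-inline', which the audit reports, since allowing inline scripts removes most of what CSP provides against XSS. The captured response below is constructed for the example.

```python
STRICT_PRESET = {  # header set documented for secure_headers_strict()
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Cross-Origin-Embedder-Policy": "require-corp",
}

# Constructed sample: headers captured from a response of an app under test
CAPTURED = {
    "content-type": "text/html; charset=utf-8",
    "content-security-policy": "script-src 'self' 'unsafe-inline'; default-src 'self'",
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
}

# Source expressions that make a script-src effectively permissive
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")


def parse_csp(policy: str) -> dict:
    """'default-src 'self'; script-src a b' -> {'default-src': {"'self'"}, 'script-src': {'a', 'b'}}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = set(tokens[1:])
    return directives


def parse_hsts(value: str):
    """Return (max_age or None, set of other lower-cased tokens)."""
    max_age, flags = None, set()
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                max_age = int(token.split("=", 1)[1])
            except ValueError:
                max_age = None
        elif token:
            flags.add(token)
    return max_age, flags


def hsts_at_least(got: str, want: str) -> bool:
    got_age, got_flags = parse_hsts(got)
    want_age, want_flags = parse_hsts(want)
    return got_age is not None and got_age >= want_age and want_flags <= got_flags


def audit_response(response_headers: dict, expected: dict = STRICT_PRESET) -> dict:
    """Report headers missing from, differing from, or weaker than the expected set."""
    present = {name.lower(): value for name, value in response_headers.items()}
    findings = {"missing": [], "mismatch": [], "weak": []}
    for name, want in expected.items():
        got = present.get(name.lower())
        if got is None:
            findings["missing"].append(name)
            continue
        if name == "Content-Security-Policy":
            ok = parse_csp(got) == parse_csp(want)
        elif name == "Strict-Transport-Security":
            ok = hsts_at_least(got, want)
        else:
            ok = got.strip().lower() == want.lower()
        if not ok:
            findings["mismatch"].append((name, got))
    # Weakness checks run on whatever CSP is actually served
    csp = present.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        scripts = directives.get("script-src", directives.get("default-src", set()))
        for source in WEAK_SCRIPT_SOURCES:
            if source in scripts:
                findings["weak"].append(f"script-src allows {source}")
    elif "content-security-policy-report-only" in present:
        findings["weak"].append("CSP is report-only: violations are reported, not blocked")
    return findings


if __name__ == "__main__":
    for kind, items in audit_response(CAPTURED).items():
        print(f"{kind}: {items}")
```

Run it against headers pulled from a staging response (for example the dict produced by an HTTP client library) after enabling a preset; an empty "missing" and "mismatch" list confirms the middleware is active on that route.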

Additional Functions

set_referrer_policy(policy)

Sets the Referrer-Policy header.

set_permissions_policy(policy)

Sets the Permissions-Policy header.

set_coep(policy)

Sets Cross-Origin-Embedder-Policy (e.g., "require-corp").

set_coop(policy)

Sets Cross-Origin-Opener-Policy (e.g., "same-origin").

set_corp(policy)

Sets Cross-Origin-Resource-Policy (e.g., "same-site").

reset_security_headers()

Resets all security header configuration.

get_security_headers()

Gets the current security headers configuration.

Complete Example

# In your app initialization or bootstrap file
enable_security_headers()
secure_headers_strict()

# Or customize specific headers
set_csp("default-src 'self'; script-src 'self' https://cdn.example.com")
set_hsts(31536000, true, true)  # 1 year with preload
prevent_clickjacking()
set_content_type_options()
set_referrer_policy("strict-origin-when-cross-origin")