Secure Plugin

secure

Secure middleware provides protection against cross-site scripting (XSS) attacks, content type sniffing, clickjacking, insecure connections and other code injection attacks.

Configuration

Name | Type | Description
xss_protection | string | Provides protection against cross-site scripting (XSS) attacks by setting the X-XSS-Protection header. Default value: 1; mode=block.
content_type_nosniff | string | Provides protection against overriding the Content-Type header by setting the X-Content-Type-Options header. Default value: nosniff.
x_frame_options | string | Sets the X-Frame-Options header, which indicates whether a browser should be allowed to render the page in a <frame>, <iframe> or <object>. Sites use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. Default value: SAMEORIGIN. Possible values: SAMEORIGIN - the page can only be displayed in a frame on the same origin as the page itself; DENY - the page cannot be displayed in a frame, regardless of the site attempting to do so; ALLOW-FROM uri - the page can only be displayed in a frame on the specified origin.
hsts_max_age | number | Sets the Strict-Transport-Security header to indicate how long (in seconds) browsers should remember that this site is only to be accessed using HTTPS. This reduces your exposure to some SSL-stripping man-in-the-middle (MITM) attacks. Default value: 0.
hsts_exclude_subdomains | bool | Omits the includeSubDomains directive from the Strict-Transport-Security header, excluding all subdomains from the security policy. It has no effect unless hsts_max_age is set to a non-zero value. Default value: false.
content_security_policy | string | Sets the Content-Security-Policy header, providing security against cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. Default value: "" (the header is not sent).
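To make the table concrete, here is an added Python model of how these options map onto response headers; it is an illustration written for this page, not the plugin's own code. The `SecureConfig` names and defaults mirror the table above, while `build_headers` and its `is_tls` guard (HSTS is ignored by browsers on plain HTTP, so the example does not emit it there) are this example's own assumptions about the middleware's behaviour.

```python
from dataclasses import dataclass


@dataclass
class SecureConfig:
    # Field names and default values taken from the configuration table.
    xss_protection: str = "1; mode=block"
    content_type_nosniff: str = "nosniff"
    x_frame_options: str = "SAMEORIGIN"
    hsts_max_age: int = 0
    hsts_exclude_subdomains: bool = False
    content_security_policy: str = ""


def build_headers(cfg: SecureConfig, is_tls: bool = True) -> dict:
    """Return the response headers the secure middleware would add.

    An option whose value is empty produces no header. HSTS is emitted only
    for a non-zero max age, and (this example's own guard, per RFC 6797)
    only when the request arrived over TLS, since browsers discard a
    Strict-Transport-Security header received over plain HTTP.
    """
    headers = {}
    if cfg.xss_protection:
        headers["X-XSS-Protection"] = cfg.xss_protection
    if cfg.content_type_nosniff:
        headers["X-Content-Type-Options"] = cfg.content_type_nosniff
    if cfg.x_frame_options:
        headers["X-Frame-Options"] = cfg.x_frame_options
    if cfg.hsts_max_age > 0 and is_tls:
        value = f"max-age={cfg.hsts_max_age}"
        # includeSubDomains is present unless explicitly excluded.
        if not cfg.hsts_exclude_subdomains:
            value += "; includeSubDomains"
        headers["Strict-Transport-Security"] = value
    if cfg.content_security_policy:
        headers["Content-Security-Policy"] = cfg.content_security_policy
    return headers


def hardened_config() -> SecureConfig:
    """A stricter configuration: no framing at all, one-year HSTS and a
    minimal same-origin CSP. The values are constructed for this example."""
    return SecureConfig(
        x_frame_options="DENY",
        hsts_max_age=31536000,
        content_security_policy="default-src 'self'",
    )
```

With the defaults, only the three X-* headers are sent; HSTS and CSP appear once `hsts_max_age` and `content_security_policy` are set, as in `hardened_config()`.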