anotherhale / secure_headers

HTTP security headers for Phoenix/Plug
Apache License 2.0

Can't make it work #8

Open happysalada opened 6 years ago

happysalada commented 6 years ago

I am using the latest version on master. I added this in my config.exs:

config :secure_headers, SecureHeaders,
  config: [
    content_security_policy: "require-sri-for script;",
    http_public_key_pins: "",
    strict_transport_security: "max-age=631138519",
    x_content_type_options: "nosniff",
    x_download_options: "noopen",
    x_frame_options: "sameorigin",
    x_permitted_cross_domain_policies: "none",
    x_xss_protection: "1; mode=block"
  ]

I added the application to be started in mix.exs (even though I believe it's not necessary anymore with the latest versions of Elixir).

I added the plug in the router.

Just leaving the default configuration, the headers are not set properly.

If I set it explicitly in the router with (for example) plug(SecureHeaders, secure_headers: [config: [content_security_policy: "require-sri-for script;"]]), I get the following message in the console: The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.

Any pointers on how to make this work?