SecurityHeadersPlugin Schema
Schema definition for the Security Headers Plugin, which adds essential security HTTP headers to protect against common web vulnerabilities.
Schema Information

| Property | Value |
| --- | --- |
| Schema URL | https://rustybeam.net/schema/SecurityHeadersPlugin |
| Parent Schema | https://rustybeam.net/schema/UtilityPlugin |
| Description | Security HTTP headers for protection against XSS, clickjacking, and other web vulnerabilities |
Properties

| Property | Type | Cardinality | Description |
| --- | --- | --- | --- |
| csp_policy | https://rustybeam.net/schema/Text | 0..1 | Content Security Policy directive. Defaults to "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'". |
| hsts_max_age | https://rustybeam.net/schema/Number | 0..1 | HTTP Strict Transport Security max-age in seconds. Defaults to 31536000 (1 year). Set to 0 to disable HSTS. |
| hsts_include_subdomains | https://rustybeam.net/schema/Boolean | 0..1 | Whether to include subdomains in the HSTS policy. Defaults to true. Adds the includeSubDomains directive. |
| hsts_preload | https://rustybeam.net/schema/Boolean | 0..1 | Whether to enable HSTS preload. Defaults to false. Adds the preload directive for browser preload lists. |
| frame_options | https://rustybeam.net/schema/Text | 0..1 | X-Frame-Options header value: "DENY", "SAMEORIGIN", or "ALLOW-FROM uri". Defaults to "SAMEORIGIN". Prevents clickjacking. |
| content_type_options | https://rustybeam.net/schema/Boolean | 0..1 | Whether to add the X-Content-Type-Options: nosniff header. Defaults to true. Prevents MIME type sniffing attacks. |
| referrer_policy | https://rustybeam.net/schema/Text | 0..1 | Referrer-Policy header value: "no-referrer", "origin", "strict-origin-when-cross-origin", etc. Controls the referrer information sent. |
| permissions_policy | https://rustybeam.net/schema/Text | 0..1 | Permissions-Policy header (formerly Feature-Policy). Controls browser feature access such as camera, microphone, and geolocation. |
| name | https://rustybeam.net/schema/Text | 0..1 | Plugin instance name for identification. Defaults to "security-headers" if not specified. |
Usage Examples
Basic Security Headers (Recommended Defaults)

```html
<tr itemscope itemtype="https://rustybeam.net/schema/SecurityHeadersPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_security_headers.so</span>
</tr>
```

Strict Security Configuration

```html
<tr itemscope itemtype="https://rustybeam.net/schema/SecurityHeadersPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_security_headers.so</span>
    <span itemprop="csp_policy">default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'</span>
    <span itemprop="hsts_max_age">63072000</span>
    <span itemprop="hsts_include_subdomains">true</span>
    <span itemprop="hsts_preload">true</span>
    <span itemprop="frame_options">DENY</span>
    <span itemprop="referrer_policy">no-referrer</span>
</tr>
```

API-focused Security

```html
<tr itemscope itemtype="https://rustybeam.net/schema/SecurityHeadersPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_security_headers.so</span>
    <span itemprop="csp_policy">default-src 'none'; frame-ancestors 'none'</span>
    <span itemprop="frame_options">DENY</span>
    <span itemprop="content_type_options">true</span>
    <span itemprop="referrer_policy">no-referrer</span>
    <span itemprop="name">api_security</span>
</tr>
```

Development-friendly Configuration

```html
<tr itemscope itemtype="https://rustybeam.net/schema/SecurityHeadersPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_security_headers.so</span>
    <span itemprop="csp_policy">default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https:</span>
    <span itemprop="hsts_max_age">0</span>
    <span itemprop="frame_options">SAMEORIGIN</span>
    <span itemprop="name">dev_security</span>
</tr>
```

Advanced Permissions Policy

```html
<tr itemscope itemtype="https://rustybeam.net/schema/SecurityHeadersPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_security_headers.so</span>
    <span itemprop="permissions_policy">camera=(), microphone=(), geolocation=(), payment=()</span>
    <span itemprop="referrer_policy">strict-origin-when-cross-origin</span>
</tr>
```
Security Headers Generated

| Header | Purpose | Example Value |
| --- | --- | --- |
| Content-Security-Policy | Prevents XSS and injection attacks | default-src 'self'; script-src 'self' |
| Strict-Transport-Security | Enforces HTTPS connections | max-age=31536000; includeSubDomains |
| X-Frame-Options | Prevents clickjacking attacks | SAMEORIGIN |
| X-Content-Type-Options | Prevents MIME sniffing | nosniff |
| Referrer-Policy | Controls referrer information | strict-origin-when-cross-origin |
| Permissions-Policy | Controls browser feature access | camera=(), microphone=() |
Default Security Stance
The Security Headers Plugin applies security-first defaults that provide good protection while maintaining compatibility. For production applications, review and customize each header based on your specific security requirements.
Content Security Policy (CSP) Guidelines
Common CSP Directives

| Directive | Purpose | Example |
| --- | --- | --- |
| default-src | Fallback for other directives | 'self' |
| script-src | JavaScript execution sources | 'self' 'unsafe-inline' |
| style-src | CSS stylesheet sources | 'self' 'unsafe-inline' |
| img-src | Image sources | 'self' data: https: |
| connect-src | AJAX, WebSocket sources | 'self' wss://api.example.com |
| frame-ancestors | Embedding restrictions | 'none' |

CSP Security Levels

| Level | Policy | Use Case |
| --- | --- | --- |
| Strict | default-src 'none'; script-src 'self'; style-src 'self' | High-security applications |
| Balanced | default-src 'self'; script-src 'self' 'unsafe-inline' | Most web applications |
| Permissive | default-src 'self' 'unsafe-inline' 'unsafe-eval' | Development, legacy apps |
HSTS Configuration
HSTS Deployment Strategy

1. Start Small: max-age=300 (5 minutes) for testing
2. Increase Gradually: max-age=86400 (1 day) after testing
3. Production: max-age=31536000 (1 year) with subdomains
4. Preload: Add the preload directive for maximum security

HSTS Examples

```http
# Testing
Strict-Transport-Security: max-age=300
# Development
Strict-Transport-Security: max-age=86400; includeSubDomains
# Production
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Schema Inheritance
This schema inherits from the UtilityPlugin schema, which provides:

- logfile - Log file path
- directory - Directory configuration
- enabled - Plugin enable/disable state

And ultimately from the base Plugin schema, which provides:

- library - Plugin library path
- plugin - Base plugin reference property
Security Best Practices
Security Considerations

- Test CSP Policies: Use report-only mode first to identify issues
- HSTS Commitment: HSTS is difficult to undo once deployed
- Subdomain Impact: includeSubDomains affects all subdomains
- Preload Lists: HSTS preload is a permanent commitment
- Frame Options: DENY is more secure than SAMEORIGIN

Progressive Security Enhancement

1. Phase 1: Basic headers (Content-Type-Options, Frame-Options)
2. Phase 2: Referrer Policy and basic CSP
3. Phase 3: HSTS with short max-age
4. Phase 4: Strict CSP and full HSTS
5. Phase 5: Permissions Policy and HSTS preload
Validation Rules
- hsts_max_age must be a non-negative integer (0 disables HSTS)
- frame_options must be one of: "DENY", "SAMEORIGIN", or "ALLOW-FROM uri"
- content_type_options must be "true" or "false" if specified
- referrer_policy must be a valid referrer policy value
- csp_policy should be a valid Content Security Policy directive
- permissions_policy should follow Permissions Policy syntax
- The name property should be unique if multiple security header plugins are used
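As an added illustration (not the plugin's own code), the Rust function below applies the documented defaults and the validation rules above to a map of schema property values and returns the headers listed under Security Headers Generated. The map keyed by property name and the `build_headers` / `parse_bool` names are assumptions of this example.

```rust
use std::collections::HashMap;

/// Turn a map of schema property names to values into the response headers the
/// plugin documents, applying the stated defaults and validation rules.
/// Added illustration of the schema, not the plugin's own implementation.
pub fn build_headers(cfg: &HashMap<&str, &str>) -> Result<Vec<(&'static str, String)>, String> {
    let mut out = Vec::new();
    let csp = cfg.get("csp_policy").copied().unwrap_or(
        "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
    );
    out.push(("Content-Security-Policy", csp.to_string()));
    // hsts_max_age: non-negative integer; 0 disables HSTS, default is one year
    let max_age: u64 = match cfg.get("hsts_max_age") {
        None => 31_536_000,
        Some(v) => v.parse().map_err(|_| format!("hsts_max_age must be a non-negative integer, got {v:?}"))?,
    };
    if max_age > 0 {
        let mut hsts = format!("max-age={max_age}");
        if parse_bool(cfg, "hsts_include_subdomains", true)? { hsts.push_str("; includeSubDomains"); }
        if parse_bool(cfg, "hsts_preload", false)? { hsts.push_str("; preload"); }
        out.push(("Strict-Transport-Security", hsts));
    }
    // frame_options: DENY, SAMEORIGIN or ALLOW-FROM uri; default SAMEORIGIN
    let fo = cfg.get("frame_options").copied().unwrap_or("SAMEORIGIN");
    if fo != "DENY" && fo != "SAMEORIGIN" && !fo.starts_with("ALLOW-FROM ") {
        return Err(format!("frame_options must be DENY, SAMEORIGIN or ALLOW-FROM uri, got {fo:?}"));
    }
    out.push(("X-Frame-Options", fo.to_string()));
    if parse_bool(cfg, "content_type_options", true)? {
        out.push(("X-Content-Type-Options", "nosniff".to_string()));
    }
    // referrer_policy and permissions_policy have no documented default: emitted only when set
    if let Some(rp) = cfg.get("referrer_policy") { out.push(("Referrer-Policy", rp.to_string())); }
    if let Some(pp) = cfg.get("permissions_policy") { out.push(("Permissions-Policy", pp.to_string())); }
    Ok(out)
}

/// Boolean properties must be exactly "true" or "false" when specified.
fn parse_bool(cfg: &HashMap<&str, &str>, key: &str, default: bool) -> Result<bool, String> {
    match cfg.get(key).copied() {
        None => Ok(default),
        Some("true") => Ok(true),
        Some("false") => Ok(false),
        Some(v) => Err(format!("{key} must be \"true\" or \"false\", got {v:?}")),
    }
}
```

With an empty map the function yields the four headers the defaults produce; the development example above (hsts_max_age 0) yields no Strict-Transport-Security header at all.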
Plugin Pipeline Placement
The Security Headers Plugin should be placed late in the plugin pipeline, after content generation but before compression. This ensures security headers are applied to all responses while allowing compression to work on the final response.
Common Security Header Values
Referrer Policy Options

- no-referrer - Never send referrer information
- origin - Send only the origin (no path/query)
- strict-origin - Send the origin only for same-protocol requests
- strict-origin-when-cross-origin - Full URL for same-origin, origin only for cross-origin
- same-origin - Full URL for same-origin requests only

Permissions Policy Examples

```http
# Disable all features
camera=(), microphone=(), geolocation=(), payment=()
# Allow for same origin only
camera=(self), microphone=(self)
# Allow for specific origins
camera=(self "https://trusted.example.com")
# Mixed permissions
camera=(), microphone=(self), geolocation=(self "https://maps.example.com")
```
Testing Security Headers
Browser Developer Tools

The response headers themselves are visible in the Network panel (select the document request and open its response headers). From page script, CSP and HSTS can only be observed indirectly:

```javascript
// CSP: every blocked resource or inline script raises a securitypolicyviolation event
document.addEventListener('securitypolicyviolation', (e) => {
  console.log('CSP violation:', e.violatedDirective, e.blockedURI);
});
// HSTS: once the policy is cached, http:// navigations are upgraded, so the page arrives over https
console.log(location.protocol); // "https:" when the browser enforced HSTS
```
Online Security Scanners
- Mozilla Observatory: https://observatory.mozilla.org/
- Security Headers: https://securityheaders.com/
- CSP Evaluator: https://csp-evaluator.withgoogle.com/
- HSTS Preload: https://hstspreload.org/
Command Line Testing
```bash
# Show the response headers; the security headers appear among them
curl -sI https://example.com/ | grep -iE 'content-security-policy|strict-transport-security|x-frame-options|x-content-type-options|referrer-policy|permissions-policy'
# Check the CSP the server sends (matches both the enforced and the Report-Only header);
# CSP is a response header, so it cannot be exercised by sending it in a request
curl -sI https://example.com/ | grep -i 'content-security-policy'
# Verify HSTS: browsers only honour the header when it is received over HTTPS
curl -sI https://example.com/ | grep -i 'strict-transport-security'
```
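The same checks can be run offline over captured `curl -I` output. The Rust code below is an added example (not part of the plugin or the rustybeam project): it classifies the CSP with the levels from the CSP Security Levels table, maps the HSTS max-age onto the deployment stages above, and reports headers that are missing or malformed. The `Audit` type and the function names are assumptions of this example.

```rust
/// Result of checking one response against the six headers the plugin generates:
/// csp_level is strict/balanced/permissive/none (as in the CSP levels table) and
/// hsts_stage is testing/development/production/preload/disabled (deployment strategy).
/// Added illustration for auditing `curl -I` output offline; not the plugin's own code.
#[derive(Debug, PartialEq)]
pub struct Audit { pub csp_level: &'static str, pub hsts_stage: &'static str, pub warnings: Vec<String> }

/// Parse a raw header block into (lowercase name, value) pairs; the status line is skipped.
fn parse_headers(raw: &str) -> Vec<(String, String)> {
    raw.lines().filter_map(|l| l.split_once(':'))
        .map(|(n, v)| (n.trim().to_ascii_lowercase(), v.trim().to_string())).collect()
}

fn header<'a>(hdrs: &'a [(String, String)], name: &str) -> Option<&'a str> {
    hdrs.iter().find(|(n, _)| n.as_str() == name).map(|(_, v)| v.as_str())
}

pub fn audit_headers(raw: &str) -> Audit {
    let hdrs = parse_headers(raw);
    let mut warnings = Vec::new();
    // Classify CSP the way the page's "CSP Security Levels" table does
    let csp_level = match header(&hdrs, "content-security-policy") {
        None => { warnings.push("Content-Security-Policy missing".to_string()); "none" }
        Some(p) if p.contains("'unsafe-eval'") => "permissive",
        Some(p) if p.contains("'unsafe-inline'") => "balanced",
        Some(_) => "strict",
    };
    // Map max-age onto the HSTS deployment stages listed above
    let hsts_stage = match header(&hdrs, "strict-transport-security") {
        None => { warnings.push("Strict-Transport-Security missing (HSTS disabled)".to_string()); "disabled" }
        Some(v) => {
            let v = v.to_ascii_lowercase();
            let max_age: u64 = v.split(';').map(str::trim)
                .find_map(|d| d.strip_prefix("max-age=")).and_then(|n| n.parse().ok()).unwrap_or(0);
            if max_age >= 31_536_000 && v.contains("preload") { "preload" }
            else if max_age >= 31_536_000 { "production" }
            else if max_age >= 86_400 { "development" }
            else { "testing" }
        }
    };
    match header(&hdrs, "x-frame-options").map(str::to_ascii_uppercase) {
        None => warnings.push("X-Frame-Options missing".to_string()),
        Some(v) if v == "DENY" || v == "SAMEORIGIN" || v.starts_with("ALLOW-FROM ") => {}
        Some(v) => warnings.push(format!("X-Frame-Options has unexpected value {v:?}")),
    }
    for name in ["x-content-type-options", "referrer-policy", "permissions-policy"] {
        if header(&hdrs, name).is_none() { warnings.push(format!("{name} missing")); }
    }
    Audit { csp_level, hsts_stage, warnings }
}
```

Feed it the text of `curl -sI https://example.com/`; a response produced by the Strict Security Configuration above audits as strict/preload with no warnings.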
Integration with Other Plugins
- CORS Plugin: Works together for comprehensive security
- File Handler Plugin: Security headers applied to all served content
- Compression Plugin: Should be placed before compression
- Access Log Plugin: Logs security header responses
- Redirect Plugin: Can redirect HTTP to HTTPS for HSTS compliance
Troubleshooting
| Issue | Symptom | Solution |
| --- | --- | --- |
| CSP violations | Console errors, blocked resources | Use CSP report-only mode, adjust policy |
| HSTS not working | HTTP requests not redirected | Ensure HTTPS is available, check max-age |
| Frame embedding blocked | iframes don't load | Adjust frame_options or use CSP frame-ancestors |
| Mixed content warnings | HTTPS page loading HTTP resources | Update CSP to use HTTPS sources only |