# spark_security_headers

Security headers middleware for Spark applications.

## Features
- Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy
- Preset configurations: strict and permissive
## Installation

```yaml
dependencies:
  spark_security_headers: ^1.0.0
```

## Usage

### Strict Defaults (Recommended)

```dart
import 'package:spark_security_headers/spark_security_headers.dart';

final handler = Pipeline()
    .addMiddleware(securityHeadersMiddleware(
      SecurityHeadersConfig.strict(),
    ))
    .addHandler(myRouter);
```

This applies:
- HSTS: max-age=63072000; includeSubDomains; preload
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: geolocation=(), camera=(), microphone=()
- CSP: default-src 'self'; form-action 'self'; frame-ancestors 'none'
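To confirm that a deployed application really emits the strict preset, the following added Python check (not part of spark_security_headers) compares a response's headers against the values listed above and flags the usual weakenings (short HSTS max-age, missing includeSubDomains, non-DENY/SAMEORIGIN framing, CSP without frame-ancestors or with 'unsafe-inline' in script sources). The two header maps are constructed samples, not captured traffic.

```python
import re

STRICT_EXPECTED = {  # the strict preset values listed above
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",  # kept for parity; modern browsers ignore it
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), camera=(), microphone=()",
    "content-security-policy": "default-src 'self'; form-action 'self'; frame-ancestors 'none'",
}
MIN_HSTS_AGE = 31536000  # one year; the HSTS preload list requires at least this

def csp_directives(value):
    """Parse a CSP header value into {directive: [source tokens]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def check_headers(headers):
    """Return findings for a response header map; an empty list means it meets the strict preset."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in STRICT_EXPECTED if name not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts missing includeSubDomains")
    xfo = h.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak x-frame-options: {xfo}")
    csp_value = h.get("content-security-policy", "")
    if csp_value:
        csp = csp_directives(csp_value)
        if "frame-ancestors" not in csp:  # without it, X-Frame-Options is the only framing control
            findings.append("csp missing frame-ancestors")
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in csp.get(directive, []):
                findings.append(f"csp {directive} allows 'unsafe-inline'")
    return findings

# Constructed sample responses (not captured from a real server).
STRICT_RESPONSE = {k.title(): v for k, v in STRICT_EXPECTED.items()}
WEAK_RESPONSE = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOW-FROM https://example.com",
                 "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block", "Referrer-Policy": "no-referrer",
                 "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
```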
### Custom Configuration

```dart
securityHeadersMiddleware(SecurityHeadersConfig(
  contentSecurityPolicy: ContentSecurityPolicy.fromDirectives([
    "default-src 'self'",
    "script-src 'self' https://cdn.example.com",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
  ]),
  strictTransportSecurity: StrictTransportSecurity(
    maxAge: 31536000,
    includeSubDomains: true,
  ),
  xFrameOptions: XFrameOptions.sameOrigin,
  xContentTypeOptions: XContentTypeOptions.nosniff,
  referrerPolicy: ReferrerPolicy.strictOriginWhenCrossOrigin,
  permissionsPolicy: PermissionsPolicy.fromMap({
    'geolocation': '()',
    'microphone': 'self',
  }),
))
```

### Permissive (No Headers)

```dart
securityHeadersMiddleware(SecurityHeadersConfig.permissive())
```