Manages application of security headers with many safe defaults
Alternatives To Secure_headers
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Authelia16,532121 hours ago34September 19, 202297apache-2.0Go
The Single Sign-On Multi-Factor portal for web apps
a month ago12mitHTML
⚠️ Browser fingerprinting via favicon!
14 days ago134otherRuby
Web Application Security Scanner Framework
Secure_headers3,06948672 months ago107August 02, 202225mitRuby
Manages application of security headers with many safe defaults
5 months ago1July 06, 202187mitGo
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
5 days ago41apache-2.0Python
Modern, privacy-friendly, and detailed web analytics that works without cookies or JS.
16 days ago2mitPython
A tool to find subdomains and interesting things hidden inside, external Javascript files of page, folder, and Github.
Csrf8571291636 months ago14January 21, 20222bsd-3-clauseGo
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒
Php Auth8423213a year ago38April 21, 202130mitPHP
Authentication for PHP. Simple, lightweight and secure.
Flask Talisman777
52 years ago1November 13, 201519apache-2.0Python
HTTP security headers for Flask
Alternatives To Secure_headers
Select To Compare

Alternative Project Comparisons

Secure Headers Build + Test

main branch represents 6.x line. See the upgrading to 4.x doc, upgrading to 5.x doc, or upgrading to 6.x doc for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now.

The gem will automatically apply several headers that are related to security. This includes:

It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using config.cookies = SecureHeaders::OPT_OUT.

secure_headers is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.



If you do not supply a default configuration, exceptions will be raised. If you would like to use a default configuration (which is fairly locked down), just call SecureHeaders::Configuration.default without any arguments or block.

All nil values will fallback to their default values. SecureHeaders::OPT_OUT will disable the header entirely.

Word of caution: The following is not a default configuration per se. It serves as a sample implementation of the configuration. You should read more about these headers and determine what is appropriate for your requirements.

SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true, # mark all cookies as "Secure"
    httponly: true, # mark all cookies as "HttpOnly"
    samesite: {
      lax: true # mark all cookies as SameSite=lax
  # Add "; preload" and submit the site to for best protection.
  config.hsts = "max-age=#{1.week.to_i}"
  config.x_frame_options = "DENY"
  config.x_content_type_options = "nosniff"
  config.x_xss_protection = "1; mode=block"
  config.x_download_options = "noopen"
  config.x_permitted_cross_domain_policies = "none"
  config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
  config.csp = {
    # "meta" values. these will shape the header, but the values are not included in the header.
    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
    disable_nonce_backwards_compatibility: true, # default: false. If false, `unsafe-inline` will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.

    # directive values: these values will directly translate into source directives
    default_src: %w('none'),
    base_uri: %w('self'),
    block_all_mixed_content: true, # see
    child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
    connect_src: %w(wss:),
    font_src: %w('self' data:),
    form_action: %w('self',
    frame_ancestors: %w('none'),
    img_src: %w( data:),
    manifest_src: %w('self'),
    media_src: %w(,
    object_src: %w('self'),
    sandbox: true, # true and [] will set a maximally restrictive setting
    plugin_types: %w(application/x-shockwave-flash),
    script_src: %w('self'),
    script_src_elem: %w('self'),
    script_src_attr: %w('self'),
    style_src: %w('unsafe-inline'),
    style_src_elem: %w('unsafe-inline'),
    style_src_attr: %w('unsafe-inline'),
    worker_src: %w('self'),
    upgrade_insecure_requests: true, # see
    report_uri: %w(
  # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
  config.csp_report_only = config.csp.merge({
    img_src: %w(,
    report_uri: %w(

Default values

All headers except for PublicKeyPins and ClearSiteData have a default value. The default set of headers is:

Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'
Strict-Transport-Security: max-age=631138519
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 1; mode=block

API configurations

Which headers you decide to use for API responses is entirely a personal choice. Things like X-Frame-Options seem to have no place in an API response and would be wasting bytes. While this is true, browsers can do funky things with non-html responses. At the minimum, we suggest CSP:

SecureHeaders::Configuration.override(:api) do |config|
  config.csp = { default_src: 'none' }
  config.hsts = SecureHeaders::OPT_OUT
  config.x_frame_options = SecureHeaders::OPT_OUT
  config.x_content_type_options = SecureHeaders::OPT_OUT
  config.x_xss_protection = SecureHeaders::OPT_OUT
  config.x_permitted_cross_domain_policies = SecureHeaders::OPT_OUT

However, I would consider these headers anyways depending on your load and bandwidth requirements.


This project originated within the Security team at Twitter. An archived fork from the point of transition is here: twitter-archive/secure_headers.

Contributors include:

  • Neil Matatall @oreoshake
  • Chris Aniszczyk
  • Artur Dryomov
  • Bjrn Mland
  • Arthur Chiu
  • Jonathan Viney
  • Jeffrey Horn
  • David Collazo
  • Brendon Murphy
  • William Makley
  • Reed Loden
  • Noah Kantrowitz
  • Wyatt Anderson
  • Salimane Adjao Moustapha
  • Francois Chagnon
  • Jeff Hodges
  • Ian Melven
  • Daro Javier Cravero
  • Logan Hasson
  • Raul E Rangel
  • Steve Agalloco
  • Nate Collings
  • Josh Kalderimis
  • Alex Kwiatkowski
  • Julich Mera
  • Jesse Storimer
  • Tom Daniels
  • Kolja Dummann
  • Jean-Philippe Doyle
  • Blake Hitchcock
  • vanderhoorn
  • orthographic-pedant
  • Narsimham Chelluri

If you've made a contribution and see your name missing from the list, make a PR and add it!

Similar libraries

Popular Security Projects
Popular Cookie Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Content Security Policy