GameServerWeb.Plugs.SecurityHeaders
(game_server_web v1.0.935)
Copy Markdown
Sets baseline security headers on every response.
These headers apply to all requests — static assets, API endpoints, and
browser pages alike. Router-level pipelines may override individual headers
(e.g. Content-Security-Policy) for specific scopes.
Headers set:
| Header | Value | Purpose |
|---|---|---|
X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
X-Frame-Options | SAMEORIGIN | Prevents clickjacking |
Referrer-Policy | strict-origin-when-cross-origin | Limits referrer leakage |
Permissions-Policy | (restrictive) | Limits browser feature access |
Cross-Origin-Resource-Policy | same-origin | Prevents cross-origin embedding |
X-Permitted-Cross-Domain-Policies | none | Prevents Flash/PDF cross-domain |
In production, the x-request-id response header is stripped to avoid
leaking internal correlation identifiers. The request ID remains available
in conn.assigns[:request_id] for logging.