SecurityHeaders: Plugin for setting security related headers


Plugin for setting security related headers

Description

This plugin is inspired by Helmet.js and aids you in setting response headers relevant to the security of your fiery server. All defaults are taken from Helmet.js as well, except for the max-age of the Strict-Transport-Security header, which has been doubled to 2 years in line with the current recommendation.

Details

Web security is a complicated subject and it is impossible for this document to stay current and true at all times, as well as to teach the user all the intricacies of web security. It is strongly advised that you familiarise yourself with this subject if you plan on exposing a fiery webserver to the public. A good starting point is MDN's guide on web security.

This plugin concerns 14 different headers that are in one way or another implicated in security. Some of them are only relevant if you serve HTML content on the web and have no effect on e.g. a server providing a REST API. These have been marked with UI below. While you may turn these off for a pure API server (by setting them to NULL), it is advised that you only steer away from the defaults if you have a good grasp of the implications. The headers are set very efficiently, so removing some unneeded ones will only affect the size of the response, not the handling time.

Headers

Content-Security-Policy (UI)

This header provides fine-grained control over what code can be executed on the site you provide and thus helps prevent cross-site scripting (XSS) attacks. The configuration of this header is complicated and you can read more about it at the header reference and the CSP section of the security guide.

The plugin does some light validation of the data structure you provide, and you can use the csp() constructor to get argument tab-completion.

Content-Security-Policy-Report-Only (UI)

This header is like Content-Security-Policy above except that it doesn't enforce the policy but rather reports any violations to a URL of your choice. The reason for providing this is that setting up CSP correctly can be difficult and may lead to your site not working correctly. Therefore, if you apply CSP to an already existing site it is often a good idea to start with this header and monitor where issues may arise before turning on the policy fully. You provide the URL to send violation reports to with the report_to directive, which should be set to a URL. You can find more information on this header at the header reference.
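The two CSP headers above carry the same policy syntax and differ only in whether violations are enforced or merely reported. The following Python example, added here and not part of firesafety's R code, serialises a directive mapping shaped like the csp() defaults shown in the Usage section into a header value, and builds either the enforcing or the report-only header. The csp_headers() and quote_source() names and the report_url parameter are assumptions for this illustration; the report endpoint URL is constructed. One caveat worth knowing when wiring up reporting: browsers read the report-to directive as the name of a group declared in a Reporting-Endpoints header, while the older report-uri directive takes the URL directly, so the example emits both.

```python
"""Build Content-Security-Policy header values from a directive mapping.

Added Python example, not firesafety's own R code. DEFAULT_CSP mirrors the
csp() defaults listed on the page; csp_headers() and quote_source() are
assumed helper names. Keyword sources ('self', 'none', 'unsafe-inline',
nonces and hashes) must be single-quoted in the header; scheme sources
(https:, data:) and host sources must not.
"""
from __future__ import annotations

KEYWORD_SOURCES = {
    "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
    "strict-dynamic", "report-sample", "wasm-unsafe-eval",
}
HASH_OR_NONCE_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Mirrors the csp() arguments of the SecurityHeaders$new() defaults.
DEFAULT_CSP: dict[str, object] = {
    "default_src": "self",
    "script_src": "self",
    "script_src_attr": "none",
    "style_src": ["self", "https:", "unsafe-inline"],
    "img_src": ["self", "data:"],
    "font_src": ["self", "https:", "data:"],
    "object_src": "none",
    "base_uri": "self",
    "form_action": "self",
    "frame_ancestors": "self",
    "upgrade_insecure_requests": True,
}


def quote_source(value: str) -> str:
    """Quote keyword, nonce and hash sources; leave schemes and hosts bare."""
    if value in KEYWORD_SOURCES or value.startswith(HASH_OR_NONCE_PREFIXES):
        return f"'{value}'"
    return value


def csp_value(directives: dict[str, object]) -> str:
    """Serialise directive -> value(s) into one header value.

    Underscored names become dashed directive names; a True boolean becomes a
    valueless directive (e.g. upgrade-insecure-requests) and False drops it.
    """
    parts: list[str] = []
    for name, value in directives.items():
        directive = name.replace("_", "-")
        if isinstance(value, bool):
            if value:
                parts.append(directive)
            continue
        values = [value] if isinstance(value, str) else list(value)
        parts.append(f"{directive} {' '.join(quote_source(v) for v in values)}")
    return "; ".join(parts)


def csp_headers(directives: dict[str, object], *, report_only: bool = False,
                report_url: str | None = None) -> dict[str, str]:
    """Return the response headers for an enforcing or report-only policy.

    report_url is an assumed parameter. report-to names a group declared in a
    Reporting-Endpoints header; report-uri carries the URL directly for
    browsers that predate the Reporting API, so both are emitted.
    """
    policy = dict(directives)
    headers: dict[str, str] = {}
    if report_url is not None:
        headers["Reporting-Endpoints"] = f'csp-endpoint="{report_url}"'
        policy["report_uri"] = report_url
        policy["report_to"] = "csp-endpoint"
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    headers[name] = csp_value(policy)
    return headers


if __name__ == "__main__":
    # Constructed endpoint; a staged roll-out starts in report-only mode.
    rollout = csp_headers(DEFAULT_CSP, report_only=True,
                          report_url="https://example.com/csp-reports")
    for header, value in rollout.items():
        print(f"{header}: {value}")
```

Switching `report_only` to `False` once the reports are clean yields the enforcing header with the identical policy string, which is the migration path the text describes.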

Cross-Origin-Embedder-Policy (UI)

This header controls which resources can be embedded in a document. If set to e.g. require-corp then only resources that implement CORP or CORS can be embedded. It is not set by default in SecurityHeaders. Read more about this header at MDN.

Cross-Origin-Opener-Policy (UI)

This header controls and restricts access from cross-origin windows opened from the site. It helps isolate new documents and prevents a type of attack known as XS-Leaks. Read more about this header at MDN and about XS-Leaks in the security guide.

Cross-Origin-Resource-Policy

This header controls where the given response can be used. If you e.g. return an image along with Cross-Origin-Resource-Policy: same-site, then this image is blocked from being loaded by other sites. Read more about this header at MDN and about CORP in general in the security guide.

Origin-Agent-Cluster (UI)

This header helps isolate documents served from the same site into separate processes. This can improve the performance of other tabs if a resource-intensive tab is opened, but also prevents certain information from being available to code running in the tab. Read more about this header at MDN.

Referrer-Policy (UI)

This header instructs the browser what to include in the Referer header when navigating away from the document. The Referer header can potentially leak information, which can be alleviated using this header. Read more about this header at MDN as well as the security implications of the Referer header.

Strict-Transport-Security

This header informs a browser that the given resource should only be accessed using HTTPS. This preference is cached by the browser, and the next time the resource is accessed over HTTP it is automatically changed to HTTPS before the request is made. This header should only be sent over HTTPS to prevent a manipulator-in-the-middle from altering its settings. To ensure this, SecurityHeaders will automatically redirect any HTTP requests to HTTPS if this header is set. Read more about this header at MDN.
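The two decisions in that paragraph, redirect plain HTTP before answering and attach Strict-Transport-Security only to HTTPS responses, are easy to get subtly wrong, so here they are as a pure function in Python. This is an added example and not firesafety's R code: DEFAULT_STS mirrors the sts() default from the Usage section, while sts_value(), hsts_response(), the Response class and the forwarded_proto/trust_proxy parameters are assumptions for this illustration. The proxy handling goes beyond the text: an app behind a TLS-terminating proxy sees every request as http, and honouring X-Forwarded-Proto only from a trusted proxy is what avoids a redirect loop without letting an arbitrary client claim to be on HTTPS.

```python
"""HSTS emission and HTTP-to-HTTPS redirect as a pure function.

Added Python example, not firesafety's own R code. DEFAULT_STS mirrors the
sts() default on the page (63072000 seconds = 2 years, subdomains included).
sts_value(), hsts_response(), Response, forwarded_proto and trust_proxy are
assumed names for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

DEFAULT_STS = {"max_age": 63072000, "include_sub_domains": True}


def sts_value(max_age: int, include_sub_domains: bool = False,
              preload: bool = False) -> str:
    """Render the Strict-Transport-Security header value."""
    parts = [f"max-age={int(max_age)}"]
    if include_sub_domains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)


def hsts_response(method: str, scheme: str, host: str, target: str, *,
                  forwarded_proto: str | None = None, trust_proxy: bool = False,
                  sts: dict = DEFAULT_STS,
                  handler: Callable[[], Response] = Response) -> Response:
    """Redirect non-HTTPS requests; otherwise run handler and add HSTS.

    host is the Host header value and target the request path plus query.
    The HSTS header is never put on the redirect itself: a plaintext
    response could be altered in transit, which is the reason the text
    gives for sending it only over HTTPS.
    """
    effective = scheme.lower()
    if trust_proxy and forwarded_proto:
        effective = forwarded_proto.lower()   # only a trusted proxy may say so
    if effective != "https":
        # 301 for safe methods; 308 keeps the method and body for the rest
        status = 301 if method.upper() in ("GET", "HEAD") else 308
        return Response(status, {"Location": f"https://{host}{target}"})
    response = handler()
    response.headers["Strict-Transport-Security"] = sts_value(**sts)
    return response


if __name__ == "__main__":
    # Constructed requests: plain HTTP is bounced, HTTPS gets the header.
    print(hsts_response("GET", "http", "example.com", "/login?next=%2F"))
    print(hsts_response("GET", "https", "example.com", "/login?next=%2F"))
```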

X-Content-Type-Options

This header instructs the client that the MIME type provided by the Content-Type should be respected and MIME-type sniffing avoided. Setting this can help prevent certain XSS attacks. Read more about this header at MDN and about its security implications in the security guide.

X-DNS-Prefetch-Control (UI)

This header controls DNS prefetching and domain name resolution. A browser may do this in the background when a site is loaded, which can reduce latency when a user clicks a link. However, it may also leak sensitive information, so turning it off may increase user privacy. Read more about this header at MDN.

X-Download-Options (UI)

This is an old header only relevant to Internet Explorer 8 and below that prevents downloaded content from having access to your site's context.

X-Frame-Options (UI)

This header has been superseded by the frame-ancestors directive in the Content-Security-Policy header but may still be good to set for older browsers. It controls whether a site is allowed to be rendered inside a frame in another document. Preventing this helps prevent click-jacking attacks. Read more about this header at MDN.

X-Permitted-Cross-Domain-Policies

This header controls cross-origin access of a resource from a document running in a web client such as Adobe Flash Player or Microsoft Silverlight. The demise of these technologies has made this header less important. Read more about this header at MDN.

X-XSS-Protection (UI)

This header has been deprecated in favor of the more powerful Content-Security-Policy header. In fact, using XSS filtering can incur a security vulnerability, which is why the default for SecurityHeaders is to turn the feature off (by setting X-XSS-Protection: 0 rather than omitting the header). Read more about this header at MDN.
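Having the 14 headers documented, the check a practitioner wants is whether a deployed server actually sends them with the intended values. The Python example below, added here and not part of firesafety, audits a raw response header block (the kind printed by a HEAD request) against the defaults listed in the Usage section. EXPECTED, parse_raw_headers() and audit_headers() are assumed names; the header strings that the TRUE/FALSE settings stand for (nosniff, off, noopen, ?1, 0) are the standard values for those headers and are an assumption about firesafety's rendering, since the page only lists the booleans. The sample response is constructed. Note how it treats X-XSS-Protection: 1; mode=block as a weak value rather than a pass, and flags a report-only CSP that has no enforcing counterpart, both points the text makes.

```python
"""Audit a response's security headers against this page's defaults.

Added Python example, not firesafety's own R code. EXPECTED mirrors the
SecurityHeaders$new() defaults; the literal values for the TRUE/FALSE
bindings (nosniff, off, noopen, ?1, 0) are the standard header values and
an assumption about how firesafety renders them. Names are assumed.
"""
from __future__ import annotations

# Header name -> expected value; None means any non-empty value passes.
# Cross-Origin-Embedder-Policy and the report-only CSP are unset by default
# on the page, so they are not required here.
EXPECTED: dict[str, str | None] = {
    "Content-Security-Policy": None,
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Origin-Agent-Cluster": "?1",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-XSS-Protection": "0",   # explicit 0, not an omitted header
}


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Turn 'Name: value' lines (status line allowed) into a dict."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers: dict[str, str],
                  expected: dict[str, str | None] = EXPECTED) -> list[str]:
    """Return findings; an empty list means every expected header matched.

    Header names are case-insensitive per HTTP, and the expected values
    here are all case-insensitive tokens, so both sides are lower-cased.
    """
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []
    for name, want in expected.items():
        got = present.get(name.lower())
        if not got:
            findings.append(f"missing: {name}")
        elif want is not None and got.lower() != want.lower():
            findings.append(f"weak: {name} is {got!r}, expected {want!r}")
    if ("content-security-policy-report-only" in present
            and "content-security-policy" not in present):
        findings.append("info: Content-Security-Policy-Report-Only set "
                        "without an enforcing Content-Security-Policy")
    return findings


# Constructed sample: a partially hardened server mid-migration to CSP.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy-Report-Only: default-src 'self'
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
"""

if __name__ == "__main__":
    for finding in audit_headers(parse_raw_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Run against a server that was started with the page's defaults, the audit returns an empty list; against the constructed sample it lists the seven absent headers, the shorter HSTS max-age, the legacy XSS filter value and the report-only policy.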

Initialization

A new 'SecurityHeaders' object is initialized using the new() method on the generator, passing in any settings that deviate from the defaults.

Usage

security_headers <- SecurityHeaders$new(...)

Fiery plugin

A SecurityHeaders object is a fiery plugin and can be used by passing it to the attach() method of the fiery server object. Once attached, all requests created will be prepopulated with the given headers. Any request handler is permitted to remove one or more of the headers to opt out of them.

Active bindings

content_security_policy

Set or get the value of the Content-Security-Policy header. See csp() for documentation of its values

content_security_policy_report_only

Set or get the value of the Content-Security-Policy-Report-Only header. See csp() for documentation of its values

cross_origin_embedder_policy

Set or get the value of the Cross-Origin-Embedder-Policy. Possible values are "unsafe-none", "require-corp", and "credentialless"

cross_origin_opener_policy

Set or get the value of the Cross-Origin-Opener-Policy. Possible values are "unsafe-none", "same-origin-allow-popups", "same-origin", and "noopener-allow-popups"

cross_origin_resource_policy

Set or get the value of the Cross-Origin-Resource-Policy. Possible values are "same-site", "same-origin", and "cross-origin"

origin_agent_cluster

Set or get the value of the Origin-Agent-Cluster. Possible values are TRUE and FALSE

referrer_policy

Set or get the value of the Referrer-Policy. Possible values are "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", and "unsafe-url"

strict_transport_security

Set or get the value of the Strict-Transport-Security header. See sts() for documentation of its values

x_content_type_options

Set or get the value of the X-Content-Type-Options. Possible values are TRUE and FALSE

x_dns_prefetch_control

Set or get the value of the X-DNS-Prefetch-Control. Possible values are TRUE and FALSE

x_download_options

Set or get the value of the X-Download-Options. Possible values are TRUE and FALSE

x_frame_options

Set or get the value of the X-Frame-Options. Possible values are "DENY" and "SAMEORIGIN"

x_permitted_cross_domain_policies

Set or get the value of the X-Permitted-Cross-Domain-Policies. Possible values are "none", "master-only", "by-content-type", "by-ftp-filename", "all", and "none-this-response"

x_xss_protection

Set or get the value of the X-XSS-Protection. Possible values are TRUE and FALSE

name

The name of the plugin

Methods

Public methods


Method new()

Initialize a new SecurityHeaders object

Usage
SecurityHeaders$new(
  content_security_policy = csp(default_src = "self", script_src = "self",
    script_src_attr = "none", style_src = c("self", "https:", "unsafe-inline"), img_src =
    c("self", "data:"), font_src = c("self", "https:", "data:"), object_src = "none",
    base_uri = "self", form_action = "self", frame_ancestors = "self",
    upgrade_insecure_requests = TRUE),
  content_security_policy_report_only = NULL,
  cross_origin_embedder_policy = NULL,
  cross_origin_opener_policy = "same-origin",
  cross_origin_resource_policy = "same-origin",
  origin_agent_cluster = TRUE,
  referrer_policy = "no-referrer",
  strict_transport_security = sts(max_age = 63072000, include_sub_domains = TRUE),
  x_content_type_options = TRUE,
  x_dns_prefetch_control = FALSE,
  x_download_options = TRUE,
  x_frame_options = "SAMEORIGIN",
  x_permitted_cross_domain_policies = "none",
  x_xss_protection = FALSE
)
Arguments
content_security_policy

Set the value of the Content-Security-Policy header. See csp() for documentation of its values

content_security_policy_report_only

Set the value of the Content-Security-Policy-Report-Only header. See csp() for documentation of its values

cross_origin_embedder_policy

Set the value of the Cross-Origin-Embedder-Policy. Possible values are "unsafe-none", "require-corp", and "credentialless"

cross_origin_opener_policy

Set the value of the Cross-Origin-Opener-Policy. Possible values are "unsafe-none", "same-origin-allow-popups", "same-origin", and "noopener-allow-popups"

cross_origin_resource_policy

Set the value of the Cross-Origin-Resource-Policy. Possible values are "same-site", "same-origin", and "cross-origin"

origin_agent_cluster

Set the value of the Origin-Agent-Cluster. Possible values are TRUE and FALSE

referrer_policy

Set the value of the Referrer-Policy. Possible values are "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", and "unsafe-url"

strict_transport_security

Set the value of the Strict-Transport-Security header. See sts() for documentation of its values

x_content_type_options

Set the value of the X-Content-Type-Options. Possible values are TRUE and FALSE

x_dns_prefetch_control

Set the value of the X-DNS-Prefetch-Control. Possible values are TRUE and FALSE

x_download_options

Set the value of the X-Download-Options. Possible values are TRUE and FALSE

x_frame_options

Set the value of the X-Frame-Options. Possible values are "DENY" and "SAMEORIGIN"

x_permitted_cross_domain_policies

Set the value of the X-Permitted-Cross-Domain-Policies. Possible values are "none", "master-only", "by-content-type", "by-ftp-filename", "all", and "none-this-response"

x_xss_protection

Set the value of the X-XSS-Protection. Possible values are TRUE and FALSE


Method on_attach()

Method for use by fiery when attached as a plugin. Should not be called directly.

Usage
SecurityHeaders$on_attach(app, ...)
Arguments
app

The fiery server object

...

Ignored


Method clone()

The objects of this class are cloneable with this method.

Usage
SecurityHeaders$clone(deep = FALSE)
Arguments
deep

Whether to make a deep clone.

Examples

# Create a plugin that turns off UI-related security headers
security_headers <- SecurityHeaders$new(
  content_security_policy = NULL,
  cross_origin_embedder_policy = NULL,
  cross_origin_opener_policy = NULL,
  origin_agent_cluster = NULL,
  referrer_policy = NULL,
  x_dns_prefetch_control = NULL,
  x_download_options = NULL,
  x_frame_options = NULL,
  x_xss_protection = NULL
)


# Use it with a fiery server
app <- fiery::Fire$new()

app$attach(security_headers)


firesafety documentation built on Sept. 10, 2025, 10:27 a.m.