api_security_headers: Add various security related headers to your plumber2 API

In plumber2: Easy and Powerful Web Servers

Add various security related headers to your plumber2 API

Description

This function adds the SecurityHeaders plugin to your plumber2 API. Please consult the documentation for the plugin for up-to-date information on its behaviour.

Usage

api_security_headers(
  api,
  content_security_policy = csp(default_src = "self", script_src = "self",
    script_src_attr = "none", style_src = c("self", "https:", "unsafe-inline"), img_src =
    c("self", "data:"), font_src = c("self", "https:", "data:"), object_src = "none",
    base_uri = "self", form_action = "self", frame_ancestors = "self",
    upgrade_insecure_requests = TRUE),
  content_security_policy_report_only = NULL,
  cross_origin_embedder_policy = NULL,
  cross_origin_opener_policy = "same-origin",
  cross_origin_resource_policy = "same-origin",
  origin_agent_cluster = TRUE,
  referrer_policy = "no-referrer",
  strict_transport_security = sts(max_age = 63072000, include_sub_domains = TRUE),
  x_content_type_options = TRUE,
  x_dns_prefetch_control = FALSE,
  x_download_options = TRUE,
  x_frame_options = "SAMEORIGIN",
  x_permitted_cross_domain_policies = "none",
  x_xss_protection = FALSE
)

Arguments

api	A plumber2 api object to add the plugin to
content_security_policy	Set the value of the Content-Security-Policy header. See firesafety::csp() for documentation of its values
content_security_policy_report_only	Set the value of the Content-Security-Policy-Report-Only header. See firesafety::csp() for documentation of its values
cross_origin_embedder_policy	Set the value of the Cross-Origin-Embedder-Policy. Possible values are "unsafe-none", "require-corp", and "credentialless"
cross_origin_opener_policy	Set the value of the Cross-Origin-Opener-Policy. Possible values are "unsafe-none", "same-origin-allow-popups", "same-origin", and "noopener-allow-popups"
cross_origin_resource_policy	Set the value of the Cross-Origin-Resource-Policy. Possible values are "same-site", "same-origin", and "cross-origin"
origin_agent_cluster	Set the value of the Origin-Agent-Cluster. Possible values are TRUE and FALSE
referrer_policy	Set the value of the Referrer-Policy. Possible values are "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin", "same-origin", "strict-origin", "strict-origin-when-cross-origin", and "unsafe-url"
strict_transport_security	Set the value of the Strict-Transport-Security header. See firesafety::sts() for documentation of its values
x_content_type_options	Set the value of the X-Content-Type-Options. Possible values are TRUE and FALSE
x_dns_prefetch_control	Set the value of the X-DNS-Prefetch-Control. Possible values are TRUE and FALSE
x_download_options	Set the value of the X-Download-Options. Possible values are TRUE and FALSE
x_frame_options	Set the value of the X-Frame-Options. Possible values are "DENY" and "SAMEORIGIN"
x_permitted_cross_domain_policies	Set the value of the X-Permitted-Cross-Domain-Policies. Possible values are "none", "master-only", "by-content-type", "by-ftp-filename", "all", and "none-this-response"
x_xss_protection	Set the value of the X-XSS-Protection. Possible values are TRUE and FALSE

Value

This functions return the api object allowing for easy chaining with the pipe

Using annotation

Security headers doesn't have a dedicated annotation tag, but you can set it up in a ⁠@plumber⁠ block

#* @plumber
function(api) {
  api |>
    api_security_headers()
}

See Also

Other security features: api_security_cors(), api_security_resource_isolation()

Examples

# Add default security headers to an API
api() |>
  api_security_headers()

plumber2 documentation built on Jan. 20, 2026, 5:06 p.m.