# PLAY CONFIGURATION:
# Logging:
# - Using conf/logback.xml MORE: http://logback.qos.ch/
# Evolutions
# ~~~~~
# You can disable evolutions if needed
# evolutionplugin=disabled
# Ebean configuration
# ~~~~~
# You can declare as many Ebean servers as you want.
# By convention, the default server is named `default`
# ebean.default="models.*"
# Try to use only IPv4
java.net.preferIPv4Stack=true
# Allow the session cookie to be accessed from JavaScript libraries
# NOTE(review): with HttpOnly off, any script running in the page (including one injected
# through an XSS bug) can read the session cookie; the Content-Security-Policy set further
# down (default-src 'self') is then the only remaining control against that. Confirm a JS
# library really needs the raw cookie before keeping this; otherwise set it to true.
play.http.session.httpOnly=false
# play.filters.https.port = 9443 TODO: custom port
# maybe use: play.filters.https.port=${server.port}
#play.filters.https.redirectEnabled = true # CLR:PM ?
# NOTE(review): HTTPS redirection is left disabled here, and play.http.session.secure
# (which the CSRF cookie's `secure` flag below is derived from) is not set anywhere in this
# file -- verify it is set to true in the environment-specific config, otherwise the session
# and CSRF cookies may be sent over plain HTTP.
play.modules {
  # Filter modules registered with the DI container. Whether a registered module is actually
  # applied to requests depends on the Play version: older releases also require the filter
  # to be listed in the application's Filters class -- TODO confirm for this project's version.
  enabled += "play.filters.csrf.CSRFModule"
  enabled += "play.filters.cors.CORSModule"
  enabled += "play.filters.headers.SecurityHeadersModule"
  enabled += "play.filters.gzip.GzipFilterModule"
}
play.filters {
  csrf {
    # Token configuration
    token {
      # The token name
      name = "csrfToken"
      # Whether tokens should be signed or not
      # (signed tokens are the usual Play mitigation against the token being recovered from
      # compressed responses; see the gzip section below)
      sign = true
    }
    # Cookie configuration
    cookie {
      # If non null, the CSRF token will be placed in a cookie with this name
      # (null here, so the token is not stored in its own cookie)
      name = null
      # Whether the cookie should be set to secure
      # NOTE(review): inherits play.http.session.secure, which this file does not set -- see note above.
      secure = ${play.http.session.secure}
      # Whether the cookie should have the HTTP only flag set
      # (only relevant if cookie.name is given a value; a JS-readable token cookie is what
      # allows front-end code to send the token back in the header)
      httpOnly = false
    }
    # How much of the body should be buffered when looking for the token in the request body
    body.bufferSize = ${play.http.parser.maxMemoryBuffer}
    # Header configuration
    header {
      # The name of the header to accept CSRF tokens from.
      name = "Csrf-Token"
      # Whether simple tokens in the header should allow CSRF checks to be bypassed.
      # NOTE(review): this bypass rests on browsers refusing to send custom headers
      # cross-origin without a successful CORS preflight. The CORS block below currently
      # answers that preflight for every origin and every header (allowedOrigins and
      # allowedHttpHeaders are null) with credentials enabled, which removes that
      # guarantee; tighten the CORS settings before relying on this bypass.
      bypass = true
    }
    # Method lists
    method {
      # If non empty, then requests will be checked if the method is not in this list.
      whiteList = []
      # The black list is only used if the white list is empty.
      # Only check methods in this list.
      # NOTE(review): only POST is checked; any state-changing PUT/PATCH/DELETE endpoints
      # are outside the CSRF filter and rely on the CORS/preflight rules instead -- confirm.
      blackList = ["POST"]
    }
    # Content type lists
    contentType {
      # If non empty, then requests will be checked if the content type is not in this list.
      whiteList = []
      # The black list is only used if the white list is empty.
      # Only check content types in this list.
      # (these are the content types a plain HTML form or "simple" cross-origin request can
      # send without a preflight, which is why they are the ones checked)
      blackList = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]
    }
    # The error handler.
    # Used by Play's built in DI support to locate and bind a request handler. Must be one of the following:
    # - A FQCN that implements play.filters.csrf.CSRF.ErrorHandler (Scala).
    # - A FQCN that implements play.filters.csrf.CSRFErrorHandler (Java).
    # - provided, indicates that the application has bound an instance of play.filters.csrf.CSRF.ErrorHandler through some
    # other mechanism.
    # If null, will attempt to load a class called CSRFErrorHandler in the root package, otherwise if that's
    # not found, will default to play.filters.csrf.CSRF.CSRFHttpErrorHandler, which delegates to the configured
    # HttpRequestHandler.
    errorHandler = null
  }
  # Security headers filter configuration
  headers {
    # The X-Frame-Options header. If null, the header is not set.
    # (DENY forbids framing by any origin, including this one -- clickjacking protection)
    frameOptions = "DENY"
    # The X-XSS-Protection header. If null, the header is not set.
    # NOTE(review): legacy header; current browsers ignore it or have removed the auditor,
    # so XSS defence rests on the CSP line below, not on this one.
    xssProtection = "1; mode=block"
    # The X-Content-Type-Options header. If null, the header is not set.
    contentTypeOptions = "nosniff"
    # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
    permittedCrossDomainPolicies = "master-only"
    # The Content-Security-Policy header. If null, the header is not set.
    # (default-src 'self' blocks inline scripts/styles and every remote resource; if the app
    # needs either, add a specific directive for it rather than loosening to 'unsafe-inline')
    contentSecurityPolicy = "default-src 'self'"
  }
  # CORS filter configuration
  cors {
    # The path prefixes to filter.
    # ("/" means every route of the application is exposed to the CORS rules below)
    pathPrefixes = ["/"]
    # The allowed origins. If null, all origins are allowed.
    # NOTE(review): null together with supportsCredentials = true below means the filter
    # accepts credentialed (cookie-bearing) cross-origin requests from any site, on every
    # path. List the origins that genuinely need cross-origin access instead, e.g.
    # allowedOrigins = ["https://<trusted-origin-placeholder>"], and keep the list free of
    # wildcards for as long as credentials are supported.
    allowedOrigins = null
    # The allowed HTTP methods. If null, all methods are allowed
    allowedHttpMethods = null
    # The allowed HTTP headers. If null, all headers are allowed.
    # NOTE(review): this is what lets a cross-origin page pass the preflight for the
    # "Csrf-Token" header that the CSRF filter's header bypass trusts -- restrict it.
    allowedHttpHeaders = null
    # The exposed headers
    exposedHeaders = []
    # Whether to support credentials
    # NOTE(review): only safe once allowedOrigins is an explicit list (see above).
    supportsCredentials = true
    # The maximum amount of time the CORS meta data should be cached by the client
    # (clients keep the current permissive preflight answer for an hour, so tightening the
    # settings above takes that long to reach browsers that already cached it)
    preflightMaxAge = 1 hour
  }
  # GZip filter configuration
  gzip {
    # The buffer size to use for gzipped bytes
    bufferSize = 8k
    # The maximum amount of content to buffer for gzipping in order to calculate the content length before falling back
    # to chunked encoding.
    # NOTE(review): compressing responses that mix secrets with attacker-influenced content
    # over TLS is the precondition for BREACH-style leakage; the signed CSRF token (csrf.token.sign
    # above) is the usual mitigation for the token itself -- confirm no other per-user secrets
    # are embedded in compressed responses.
    chunkedThreshold = 100k
  }
}