Francis.Plug.CSP (Francis v0.3.1)

A plug that sets the Content-Security-Policy (CSP) header.

CSP helps prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks by specifying which content sources the browser should trust.

Default Policy

The default policy is restrictive: it allows resources only from the same origin (plus data: URIs for images), disables plugins (object-src 'none') and forbids any site from framing the page (frame-ancestors 'none'):

default-src 'self'; script-src 'self';
style-src 'self'; img-src 'self' data:;
font-src 'self'; object-src 'none'; frame-ancestors 'none'

Usage

# Use default policy
plug Francis.Plug.CSP

# Use custom policy directives
plug Francis.Plug.CSP,
  directives: %{
    "default-src" => "'self'",
    "script-src" => "'self' https://cdn.example.com",
    "style-src" => "'self' 'unsafe-inline'",
    "img-src" => "'self' data: https://images.example.com"
  }

Options

  • :directives — a map of CSP directive names to their values. Merged with defaults.
  • :report_only — when true, uses Content-Security-Policy-Report-Only header instead of Content-Security-Policy, allowing you to test policies without enforcing them. Defaults to false.
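To make the behaviour of the two options concrete, here is an added example of a minimal CSP plug written for this page; it is not Francis's own implementation. It assumes the default directives quoted above, that a directive passed in :directives replaces the default value for the same directive name, and that :report_only switches the header name. The module name MyApp.Plug.CSP is hypothetical; Plug.Conn.put_resp_header/3 is the standard Plug API.

```elixir
# Added example, not Francis's code: a minimal plug that builds the CSP header
# from defaults merged with user-supplied directives.
defmodule MyApp.Plug.CSP do
  @behaviour Plug
  import Plug.Conn

  # Assumed defaults, matching the policy quoted on the page.
  @defaults %{
    "default-src" => "'self'",
    "script-src" => "'self'",
    "style-src" => "'self'",
    "img-src" => "'self' data:",
    "font-src" => "'self'",
    "object-src" => "'none'",
    "frame-ancestors" => "'none'"
  }

  @impl Plug
  def init(opts) do
    # Assumption: a user directive overrides the default for the same name.
    directives = Map.merge(@defaults, Keyword.get(opts, :directives, %{}))
    report_only? = Keyword.get(opts, :report_only, false)
    {serialize(directives), report_only?}
  end

  @impl Plug
  def call(conn, {policy, true}),
    do: put_resp_header(conn, "content-security-policy-report-only", policy)

  def call(conn, {policy, false}),
    do: put_resp_header(conn, "content-security-policy", policy)

  # Renders "name value; name value", sorted by name so the header is
  # deterministic, and rejects CR/LF so a misconfigured value can never
  # smuggle a second header line.
  def serialize(directives) do
    directives
    |> Enum.sort()
    |> Enum.map_join("; ", fn {name, value} ->
      if String.contains?(value, ["\r", "\n"]) do
        raise ArgumentError, "CSP directive #{name} contains a line break"
      end

      "#{name} #{value}"
    end)
  end
end

# Usage in a router or pipeline, with the same options the page documents:
#
#   plug MyApp.Plug.CSP,
#     directives: %{"script-src" => "'self' https://cdn.example.com"},
#     report_only: true
#
# init/1 then yields
#   {"default-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data:; " <>
#    "object-src 'none'; script-src 'self' https://cdn.example.com; style-src 'self'", true}
# and call/2 sets Content-Security-Policy-Report-Only with that value.
```

Two points worth checking when you use a plug like this: because merging is per directive, supplying "script-src" => "'self' https://cdn.example.com" replaces the default "'self'" rather than extending it, so you must repeat 'self' yourself; and a report-only policy needs a report-to or report-uri directive before the browser has anywhere to send violation reports, otherwise the header tests nothing you can observe server-side.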