Question 1

How do I set up a custom Content-Security-Policy with VaporSecurityHeaders?

Accepted Answer

Use the ContentSecurityPolicy builder in your configure.swift file to define directives like script-src and style-src, then pass it to SecurityHeadersFactory. The README provides examples for granular control, such as allowing specific sources and enabling report-uri.

Question 2

VaporSecurityHeaders or setting headers manually in Vapor?

Accepted Answer

VaporSecurityHeaders simplifies the process with defaults and reduces errors, but manual setup offers more control if you need exotic headers. For most Vapor projects, this library saves time and ensures best practices, though advanced users might prefer manual methods for niche cases.

Question 3

Can I use VaporSecurityHeaders behind a load balancer?

Accepted Answer

Yes, but ensure the load balancer passes headers correctly. The README notes that reverse proxies like Nginx should forward response headers, but some services may inject or block headers, so verify compatibility with your setup.

Question 4

What's the difference between Content-Security-Policy and Content-Security-Policy-Report-Only in VaporSecurityHeaders?

Accepted Answer

Content-Security-Policy enforces policies and blocks violations, while Report-Only only reports them without blocking, useful for testing. VaporSecurityHeaders supports both via separate configurations, allowing safe experimentation before full deployment.

Question 5

How to handle HSTS preloading with VaporSecurityHeaders?

Accepted Answer

Configure Strict-Transport-Security with preload: true in the factory, but the README cautions to submit your site to hstspreload.org separately. Be aware that preloading commits your site to HTTPS permanently, so ensure SSL is reliably configured.

Question 6

Does VaporSecurityHeaders support the Referrer-Policy header?

Accepted Answer

Yes, it includes ReferrerPolicyConfiguration with options like no-referrer and strict-origin-when-cross-origin, as detailed in the README. You can set fallback policies for enhanced privacy control.

Vapor Security Headers

What is Vapor Security Headers?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions