Set Response Headers

Environmental Variable: SET_RESPONSE_HEADERS
Config File Key: set_response_headers
Type: map of strings (key value pairs)
Examples:
  Comma Separated: X-Content-Type-Options:nosniff,X-Frame-Options:SAMEORIGIN
  JSON: '{"X-Test": "X-Value"}'
  YAML:
    set_response_headers:
      X-Test: X-Value
To disable: disable:true
Default:
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set Response Headers specifies a mapping of HTTP headers that Pomerium adds globally to every managed route and to its authenticate service.

By default, conservative secure HTTP headers are set. The Strict-Transport-Security (HSTS) directives in the default deserve attention:

max-age=31536000 instructs the browser to connect to the domain only over HTTPS for one year from the last time it saw the header, and to treat certificate errors as fatal rather than offering a click-through. This helps prevent man-in-the-middle and protocol-downgrade attacks, but it can create problems when developing new environments with temporary or self-signed certificates, because the browser keeps enforcing the policy after the certificate that set it is gone. See Troubleshooting - HSTS for more information.

includeSubDomains applies the policy to every subdomain of the domain, which matters because individual Pomerium routes are defined as subdomains.

preload signals that the domain may be submitted to the HSTS preload list that browsers ship with, so that even a user's first connection to the domain is forced over HTTPS instead of relying on a previously received header. The preload list requires a max-age of at least one year together with includeSubDomains, and once a domain is on the list, removal takes months to propagate; only send this directive if you intend the whole domain, subdomains included, to stay HTTPS-only indefinitely.

See MDN Web Docs - Strict-Transport-Security for more information.
Several security-related headers are not set by default, since doing so might break legacy sites. These include Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy. Where possible, users are encouraged to add these to set_response_headers or to set them in their downstream applications.
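The following config fragment is an added example, not taken from the Pomerium documentation or code base. It shows a global set_response_headers block that keeps the documented default headers and adds the three cross-origin headers recommended above. The defaults are restated explicitly on the assumption that a user-supplied map may replace rather than merge with the built-in defaults; the chosen cross-origin values (same-origin, require-corp) are illustrative and are the strictest settings, so they should be tested against the downstream applications before rollout.

```yaml
# Added example (not from the Pomerium docs): a global set_response_headers
# block that keeps the documented defaults and adds the cross-origin
# isolation headers the page recommends.
set_response_headers:
  # Documented defaults, restated explicitly so they are sent whether or not
  # a user-supplied map merges with the built-in defaults (assumption).
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: "1; mode=block"
  # Drop "preload" until the domain is ready to be submitted to the HSTS
  # preload list; removal from the list is slow.
  Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
  # Not set by default because they can break legacy sites. These are the
  # strictest values (illustrative); relax them if embedded cross-origin
  # resources or pop-ups stop working.
  Cross-Origin-Resource-Policy: same-origin
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Embedder-Policy: require-corp

# Alternative: to send none of the default headers at all, replace the
# block above with the following.
# set_response_headers:
#   disable: true
```

A quick way to confirm the headers are actually emitted is to request any managed route with `curl -sI https://<route>` and inspect the response headers; the authenticate service should show the same set.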