http-headers plugin allows you to append additional HTTP headers to the response. If the
security option is set to
true, then a suite of industry standard security related headers will be included in the response. It’s a really simple way to increase the security of your website.
plugins: - name: http-headers options: "X-Custom-Header": foo security: true
security option is a shortcut syntax for including many of the security related headers recommended by the Open Web Application Security Project (OWASP). Setting it to
true is equivalent to the following:
plugins: - name: http-headers options: # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options "X-Content-Type-Options": nosniff # https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP "Content-Security-Policy": "default-src 'self'" # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options "X-Frame-Options": SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection "X-XSS-Protection": "1;mode=block" # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
If you want to override any of these values you can include an explicit value. Similarly if you want to eliminate one of the headers, just set it to an empty value.
plugins: - name: http-headers options: security: true "X-Frame-Options": DENY "X-Content-Type-Options":
Will result in these headers being sent in the response:
Content-Security-Policy: "default-src 'self'" X-Frame-Options: "DENY" X-XSS-Protection: "1;mode=block" Strict-Transport-Security: "max-age=31536000; includeSubDomains"
TIP: It’s a good idea to test the security headers in a non-production deploy stage before you roll it out in production.