Headers
The Headers middleware allows adding and removing headers in the requests and responses.
Advanced Configuration
- Add & remove headers
- Add Security headers
- Add CORS headers
```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-header
  namespace: apps
spec:
  headers:
    customRequestHeaders:
      X-Script-Name: "test"
      X-Custom-Request-Header: "" # Removes
    customResponseHeaders:
      X-Custom-Response-Header: "value"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-header
  namespace: apps
spec:
  headers:
    frameDeny: true # Adds the header X-Frame-Options with the value DENY
    browserXssFilter: true # Adds the header X-XSS-Protection with the value `1; mode=block`
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cors-header
  namespace: apps
spec:
  headers:
    # Set the allowed methods during requests
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
    # Set the allowed headers in the requests
    accessControlAllowHeaders:
      - "*"
    # Set the allowed origin list
    accessControlAllowOriginList:
      - "https://foo.bar.org"
```
Configuration Options
The Headers middleware allows managing 3 kinds of headers:
Custom Headers
Field | Description | Default | Required |
---|---|---|---|
customRequestHeaders | The customRequestHeaders option lists the header names and values to apply to the request. Custom headers will overwrite existing headers if they have identical names. Empty values remove the listed headers. | false | |
customResponseHeaders | The customResponseHeaders option lists the header names and values to apply to the response. Custom headers will overwrite existing headers if they have identical names. Empty values remove the listed headers. | false | |
Security Headers
Security-related headers (HSTS headers, Browser XSS filter, and such) make it possible to use security features by adding headers.
Field | Description | Default | Required |
---|---|---|---|
allowedHosts | The allowedHosts option lists fully qualified domain names that are allowed. | [] | false |
browserXssFilter | Set browserXssFilter to true to add the X-XSS-Protection header with the value 1; mode=block. | false | false |
contentSecurityPolicy | The contentSecurityPolicy option allows the Content-Security-Policy header value to be set with a custom value. | "" | false |
contentSecurityPolicyReportOnly | The contentSecurityPolicyReportOnly option allows the Content-Security-Policy-Report-Only header value to be set with a custom value. | "" | false |
contentTypeNosniff | Set contentTypeNosniff to true to add the X-Content-Type-Options header with the value nosniff. | false | false |
customBrowserXSSValue | The customBrowserXSSValue option allows the X-XSS-Protection header value to be set with a custom value. This overrides the browserXssFilter option. | "" | false |
customFrameOptionsValue | The customFrameOptionsValue option allows the X-Frame-Options header value to be set with a custom value. This overrides the frameDeny option. | "" | false |
featurePolicy | The featurePolicy option allows sites to control browser features. Deprecated in favor of permissionsPolicy. | "" | false |
forceSTSHeader | Set forceSTSHeader to true to add the STS header even when the connection is HTTP. | false | false |
frameDeny | Set frameDeny to true to add the X-Frame-Options header with the value DENY. | false | false |
hostsProxyHeaders | The hostsProxyHeaders option is a set of header keys that may hold a proxied hostname value for the request. | [] | false |
isDevelopment | Set isDevelopment to true when developing to mitigate the unwanted effects of the allowedHosts, SSL, and STS options. Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain. If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false. | false | false |
permissionsPolicy | The permissionsPolicy option allows sites to control browser features. | "" | false |
publicKey | The publicKey option implements HPKP to prevent MITM attacks with forged certificates. | "" | false |
referrerPolicy | The referrerPolicy option allows sites to control whether browsers forward the Referer header to other sites. | "" | false |
sslForceHost | Set sslForceHost to true and set sslHost to force requests to use sslHost regardless of whether they already use SSL. Deprecated in favor of the RedirectRegex middleware. | false | false |
sslHost | The sslHost option is the host name that is used to redirect HTTP requests to HTTPS. Deprecated in favor of the RedirectRegex middleware. | "" | false |
sslProxyHeaders | The sslProxyHeaders option is a set of header keys with associated values that would indicate a valid HTTPS request. It can be useful when using other proxies (example: "X-Forwarded-Proto": "https"). | false | |
sslRedirect | The sslRedirect option only allows HTTPS requests when set to true. Deprecated in favor of EntryPoint redirection or the RedirectScheme middleware. | false | false |
sslTemporaryRedirect | Set sslTemporaryRedirect to true to force an SSL redirection using a 302 (instead of a 301). Deprecated in favor of EntryPoint redirection or the RedirectScheme middleware. | false | false |
stsIncludeSubdomains | If stsIncludeSubdomains is set to true, the includeSubDomains directive is appended to the Strict-Transport-Security header. | false | false |
stsSeconds | The stsSeconds option is the max-age of the Strict-Transport-Security header. If set to 0, the header is not set. | 0 | false |
stsPreload | Set stsPreload to true to have the preload flag appended to the Strict-Transport-Security header. | false | false |
The detailed documentation for security headers can be found in unrolled/secure.
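To check how the custom and security options above combine before a Middleware is applied, here is an added Python model of the documented semantics. It is not Traefik's own code; the function names are assumptions, the option names are the page's, and the HSTS values are a constructed sample.

```python
# Added example, not Traefik's code: a small model of the option semantics
# documented above, so header outcomes can be checked offline before a
# Middleware is applied. Function names are hypothetical; option names are
# the page's (camelCase as in the YAML spec).

def apply_custom_headers(headers, custom):
    """customRequestHeaders / customResponseHeaders: identical names are
    overwritten, an empty value removes the header."""
    out = dict(headers)
    for name, value in custom.items():
        if value == "":
            out.pop(name, None)   # "" removes the listed header
        else:
            out[name] = value     # overwrites any existing header
    return out

def security_headers(spec, is_https=True):
    """Response headers produced by the security options in the table."""
    h = {}
    # customFrameOptionsValue / customBrowserXSSValue override the boolean flags
    if spec.get("customFrameOptionsValue"):
        h["X-Frame-Options"] = spec["customFrameOptionsValue"]
    elif spec.get("frameDeny"):
        h["X-Frame-Options"] = "DENY"
    if spec.get("customBrowserXSSValue"):
        h["X-XSS-Protection"] = spec["customBrowserXSSValue"]
    elif spec.get("browserXssFilter"):
        h["X-XSS-Protection"] = "1; mode=block"
    if spec.get("contentTypeNosniff"):
        h["X-Content-Type-Options"] = "nosniff"
    # STS: stsSeconds 0 means no header; an HTTP connection gets it only with forceSTSHeader
    secs = spec.get("stsSeconds", 0)
    if secs > 0 and (is_https or spec.get("forceSTSHeader")):
        value = "max-age=%d" % secs
        if spec.get("stsIncludeSubdomains"):
            value += "; includeSubDomains"
        if spec.get("stsPreload"):
            value += "; preload"
        h["Strict-Transport-Security"] = value
    return h

# Constructed sample: the page's security-header Middleware plus an HSTS policy
PAGE_SPEC = {"frameDeny": True, "browserXssFilter": True}
HSTS_SPEC = {"stsSeconds": 31536000, "stsIncludeSubdomains": True, "stsPreload": True}

if __name__ == "__main__":
    print(security_headers(PAGE_SPEC))
    print(security_headers(HSTS_SPEC, is_https=False))   # {} : plain HTTP, no forceSTSHeader
    print(security_headers(dict(HSTS_SPEC, forceSTSHeader=True), is_https=False))
```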
CORS Headers
If CORS headers are set, the middleware does not pass preflight requests to any service. Instead, the response is generated and sent back to the client directly.
Field | Description | Default | Required |
---|---|---|---|
accessControlAllowCredentials | The accessControlAllowCredentials option indicates whether the request can include user credentials. | false | false |
accessControlAllowHeaders | The accessControlAllowHeaders option indicates which header field names can be used as part of the request. | [] | false |
accessControlAllowMethods | The accessControlAllowMethods option indicates which methods can be used during requests. | [] | false |
accessControlAllowOriginList | The accessControlAllowOriginList option indicates whether a resource can be shared by returning different values. More information here. | [] | false |
accessControlAllowOriginListRegex | The accessControlAllowOriginListRegex option is the counterpart of the accessControlAllowOriginList option with regular expressions instead of origin values. It allows all origins that contain any match of a regular expression in the accessControlAllowOriginList. Regular expressions and replacements can be tested using online tools such as the Go Playground or Regex101. When defining a regular expression within YAML, any escaped character needs to be escaped twice: example\.com needs to be written as example\\.com. | [] | false |
accessControlExposeHeaders | The accessControlExposeHeaders option indicates which headers are safe to expose to the API of a CORS API specification. | [] | false |
accessControlMaxAge | The accessControlMaxAge option indicates how many seconds a preflight request can be cached for. | [] | false |
addVaryHeader | The addVaryHeader option is used in conjunction with accessControlAllowOriginList to determine whether the Vary header should be added or modified to demonstrate that server responses can differ based on the value of the Origin header. | false | false |
accessControlAllowOriginList
A wildcard origin * can also be configured, and matches all requests.
If this value is set by a backend service, it will be overwritten by Traefik.
This value can contain a list of allowed origins.
More information including how to use the settings can be found at:
Traefik no longer supports the null value, as it is no longer recommended as a return value.
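The origin check and the preflight answer described in the CORS table and in the accessControlAllowOriginList notes above, as an added Python model that is not Traefik's own code: the function names are assumptions, the option names are the page's, and the spec is the page's cors-header Middleware extended with a constructed, anchored regex.

```python
import re
# Added example, not Traefik's code: a model of the documented CORS origin check
# and direct preflight answer, for checking a configuration offline.
# Function names are hypothetical; option names are the page's.

def origin_allowed(origin, allow_list, allow_regex):
    """Access-Control-Allow-Origin value for this origin, or None.
    "*" matches all requests; "null" is not supported as a return value;
    a regex allows any origin containing a match, so anchor it."""
    if origin == "null":
        return None
    if "*" in allow_list:
        return "*"
    if origin in allow_list:
        return origin
    for pattern in allow_regex:
        if re.search(pattern, origin):
            return origin
    return None

def preflight_response(spec, origin):
    """Headers the middleware itself returns for a preflight (not forwarded)."""
    headers = {}
    if spec.get("addVaryHeader"):
        headers["Vary"] = "Origin"   # tells caches the answer depends on Origin
    allowed = origin_allowed(origin,
                             spec.get("accessControlAllowOriginList", []),
                             spec.get("accessControlAllowOriginListRegex", []))
    if allowed is None:
        return headers               # no CORS headers: the browser blocks the call
    headers["Access-Control-Allow-Origin"] = allowed
    for opt, name in (("accessControlAllowMethods", "Access-Control-Allow-Methods"),
                      ("accessControlAllowHeaders", "Access-Control-Allow-Headers")):
        if spec.get(opt):
            headers[name] = ",".join(spec[opt])
    if spec.get("accessControlMaxAge"):
        headers["Access-Control-Max-Age"] = str(spec["accessControlMaxAge"])
    return headers

# Constructed sample: the page's cors-header Middleware plus an anchored regex
# (in YAML the backslashes would be doubled: \\.foo\\.bar\\.org).
CORS_SPEC = {
    "accessControlAllowMethods": ["GET", "OPTIONS", "PUT"],
    "accessControlAllowHeaders": ["*"],
    "accessControlAllowOriginList": ["https://foo.bar.org"],
    "accessControlAllowOriginListRegex": [r"^https://[a-z0-9-]+\.foo\.bar\.org$"],
    "accessControlMaxAge": 100,
    "addVaryHeader": True,
}
```

An unanchored pattern such as foo.bar.org would also match an origin like https://foo.bar.org.example, which is why the sample anchors it with ^ and $.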