Security & CORS Headers
The Headers middleware allows adding headers to, and removing headers from, requests and responses.
The security and CORS headers let you enable some security features through response headers.
Security Headers
Security-related headers (HSTS, the browser XSS filter, and so on) make it possible to enable security features by adding headers to the response.
In the example below, the Headers middleware allows Traefik Hub API Gateway to automatically add the following security headers to the response:
- Header `X-Frame-Options` with the value `DENY`
- Header `X-XSS-Protection` with the value `1; mode=block`
Middleware Headers

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-header
  namespace: apps
spec:
  headers:
    frameDeny: true # Adds the header X-Frame-Options with the value DENY
    browserXssFilter: true # Adds the header X-XSS-Protection with the value `1; mode=block`
```

IngressRoute

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: secure-applications-apigateway-security-headers
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Path(`/security`)
      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: security-header
```

Service & Deployment

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: apps
  labels:
    app: whoami
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: whoami
  selector:
    app: whoami
```
The options to set an advanced configuration are described in the reference page.
CORS Headers
If CORS headers are set, the middleware does not pass preflight requests (OPTIONS requests carrying an `Origin` and an `Access-Control-Request-Method` header) to any service. Instead, the response is generated by the middleware and sent back to the client directly.
Middleware Headers

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cors-header
  namespace: apps
spec:
  headers:
    # Set the allowed methods during requests
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
    # Set the allowed headers in the requests
    accessControlAllowHeaders:
      - "*"
    # Set the allowed origin list
    accessControlAllowOriginList:
      - "https://foo.bar.org"
      - "https://example.org"
    # Set the number of seconds a preflight request can be cached for
    accessControlMaxAge: 100
    # Set to true, determines whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header
    addVaryHeader: true
```

IngressRoute

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: secure-applications-apigateway-cors
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Path(`/cors`)
      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: cors-header
```

Service & Deployment

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: apps
  labels:
    app: whoami
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: whoami
  selector:
    app: whoami
```
The example above is by no means authoritative or exhaustive. It should not be used as-is for production.
The options to set an advanced configuration are described in the reference page.
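To make the preflight behaviour concrete, the following Python script models what a CORS-aware headers middleware does with a request under the `cors-header` configuration shown above. It is an added example, not code from this page or from Traefik: it takes the allowed methods, headers, origin list, max age and `Vary` setting from the Middleware above and applies the standard CORS preflight algorithm. It assumes (the page does not say) that origins are compared by exact string match, that a handled preflight is answered with status 200, and that `Vary: Origin` is added to every response that carried an `Origin` header.

```python
"""Model of CORS preflight handling by a headers middleware (added example).

Mirrors the cors-header Middleware configuration from the page and applies the
CORS preflight algorithm to it. Assumptions not stated on the page: exact-match
origin comparison, status 200 for a handled preflight, and Vary: Origin on every
response to a request that carried an Origin header.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CorsConfig:
    allow_methods: Tuple[str, ...]
    allow_headers: Tuple[str, ...]
    allow_origin_list: Tuple[str, ...]
    max_age: int
    add_vary_header: bool


# Values copied from the cors-header Middleware on this page.
CORS = CorsConfig(
    allow_methods=("GET", "OPTIONS", "PUT"),
    allow_headers=("*",),
    allow_origin_list=("https://foo.bar.org", "https://example.org"),
    max_age=100,
    add_vary_header=True,
)


@dataclass(frozen=True)
class Outcome:
    forwarded: bool           # True if the request continues to the service
    status: Optional[int]     # status of a directly generated response, else None
    headers: Dict[str, str]   # CORS headers the middleware adds to the response


def is_preflight(method: str, req_headers: Dict[str, str]) -> bool:
    """A preflight is an OPTIONS request carrying both Origin and
    Access-Control-Request-Method; a bare OPTIONS is an ordinary request."""
    return (method == "OPTIONS"
            and "Origin" in req_headers
            and "Access-Control-Request-Method" in req_headers)


def handle(cfg: CorsConfig, method: str, req_headers: Dict[str, str]) -> Outcome:
    """Decide whether one request is answered here or forwarded, and which
    CORS headers it gets."""
    origin = req_headers.get("Origin")
    out: Dict[str, str] = {}

    # Access-Control-Allow-Origin is echoed only for an allow-listed origin.
    # An unknown origin gets no ACAO header, so the browser refuses the read;
    # the middleware itself does not reject the request.
    if origin in cfg.allow_origin_list:
        out["Access-Control-Allow-Origin"] = origin
    if origin is not None and cfg.add_vary_header:
        # Tell shared caches that the answer depends on the Origin header.
        out["Vary"] = "Origin"

    if not is_preflight(method, req_headers):
        # Actual (non-preflight) request: forwarded to the service; CORS
        # headers are added to the service's response on the way back.
        return Outcome(forwarded=True, status=None, headers=out)

    # Preflight: generated here and never reaches the service. The requested
    # method is not validated by the middleware; the browser compares it
    # against Access-Control-Allow-Methods and blocks the real request itself.
    out["Access-Control-Allow-Methods"] = ",".join(cfg.allow_methods)
    out["Access-Control-Allow-Headers"] = ",".join(cfg.allow_headers)
    out["Access-Control-Max-Age"] = str(cfg.max_age)
    return Outcome(forwarded=False, status=200, headers=out)


if __name__ == "__main__":
    # Constructed sample requests against the page's configuration.
    samples = [
        ("OPTIONS", {"Origin": "https://example.org",
                     "Access-Control-Request-Method": "PUT"}),
        ("OPTIONS", {"Origin": "https://not-allowed.example",
                     "Access-Control-Request-Method": "PUT"}),
        ("GET", {"Origin": "https://foo.bar.org"}),
        ("GET", {}),
    ]
    for method, hdrs in samples:
        res = handle(CORS, method, hdrs)
        print(f"{method} Origin={hdrs.get('Origin')!r}: forwarded={res.forwarded} "
              f"status={res.status} headers={res.headers}")
```

The second sample is the one to look at when reviewing an origin list: a preflight from an origin that is not allow-listed is still answered directly (it never reaches the service), but without `Access-Control-Allow-Origin`, which is what stops the browser from completing the cross-origin call.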
Related Content
- See the full options in the dedicated section.
- See how to manage custom headers.