Skip to main content

Set Response Headers

  • Environmental Variable: SET_RESPONSE_HEADERS

  • Config File Key: set_response_headers

  • Kubernetes: set per Ingress

  • Type: map of strings key value pairs

  • Examples:

    • Comma Separated: X-Content-Type-Options:nosniff,X-Frame-Options:SAMEORIGIN

    • JSON: '{"X-Test": "X-Value"}'

    • YAML:

      X-Test: X-Value
  • To disable: disable:true

  • Default :

    X-Content-Type-Options : nosniff,
    X-XSS-Protection:1; mode=block,
    Strict-Transport-Security:max-age=31536000; includeSubDomains; preload,

Set Response Headers specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service.

By default, conservative secure HTTP headers are set:

  • max-age=31536000 instructs the browser to pin the certificate for a domain for a year. This helps prevent man-in-the-middle attacks, but can create issues when developing new environments with temporary certificates. See Troubleshooting - HSTS for more information.
  • includeSubDomains applies these rules to subdomains, which is how individual routes are defined.
  • preload instructs the browser to preload the certificate from an HSTS preload service if available. This means that the certificate can be loaded from an already-trusted secure connection, and the user never needs to connect to your domain without TLS.

pomerium security headers

See MDN Web Docs - Strict-Transport-Security for more information.


Several security-related headers are not set by default since doing so might break legacy sites. These include: Cross-Origin Resource Policy, Cross-Origin Opener Policy and Cross-Origin Embedder Policy. If possible users are encouraged to add these to set_response_headers or their downstream applications.