Set Response Headers
Set Response Headers specifies a mapping of HTTP Headers to be added globally to all managed routes and Pomerium's Authenticate Service.
How to configure
X-Content-Type-Options : nosniff,
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload,
By default, conservative secure HTTP headers are set:
max-age=31536000instructs the browser to pin the certificate for a domain for a year. This helps prevent man-in-the-middle attacks, but can create issues when developing new environments with temporary certificates. See Troubleshooting - HSTS for more information.
includeSubDomainsapplies these rules to subdomains, which is how individual routes are defined.
preloadinstructs the browser to preload the certificate from an HSTS preload service if available. This means that the certificate can be loaded from an already-trusted secure connection, and the user never needs to connect to your domain without TLS.
See MDN Web Docs - Strict-Transport-Security for more information.
Several security-related headers are not set by default since doing so might break legacy sites. These include:
Cross-Origin Resource Policy,
Cross-Origin Opener Policy, and
Cross-Origin Embedder Policy. If possible, users are encouraged to add these to
set_response_headers or their downstream applications.
Disable response headers
Comma separated values (CSV):