Header
Injects HTTP headers into the HTTP response based on the `site.yml` configuration.
Options
option | type | required | description |
---|---|---|---|
Content-Security-Policy | array | ❌ | Content-Security-Policy documentation |
Referrer-Policy | string | ❌ | Referrer-Policy documentation |
X-Content-Type-Options | string | ❌ | X-Content-Type-Options |
Default configuration
These HTTP headers are injected into the HTTP response when the `header` attribute is not present in `site.yml`:
```yaml
# site.yml
header:
  'Content-Security-Policy':
    'default-src':
      - "* 'unsafe-inline' 'unsafe-eval'" # default value for HTTP
      - "https: 'unsafe-inline' 'unsafe-eval'" # default value for HTTPS
  'Referrer-Policy': strict-origin
  'X-Content-Type-Options': nosniff
```
Advanced configuration
```yaml
# site.yml
header:
  'Content-Security-Policy':
    'default-src':
      - "'self'"
    'img-src':
      - "'self'"
      - "https://i.imgur.com"
  'Referrer-Policy': same-origin
  'X-Content-Type-Options': nosniff
```
Globally disabled configuration
To disable HTTP header injection into the HTTP response globally, set the `header` value to `~` in `site.yml`:
```yaml
# site.yml
header: ~
```
Individually disabled configuration
To disable HTTP header injection into the HTTP response individually, set the specific attribute value to `~` in `site.yml`:
```yaml
# site.yml
header:
  'Content-Security-Policy': ~
  'Referrer-Policy': ~
  'X-Content-Type-Options': ~
```
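Added example (not the plugin's own code): a Python sketch that resolves a parsed `site.yml` mapping into the headers that would be sent, following the default, global-disable and per-header-disable rules above, and lists CSP source tokens that weaken a policy. The function names are hypothetical, and it assumes a header left out of a present `header` mapping is not sent.

```python
# Added example, not the plugin's code. `site` is site.yml after YAML parsing,
# so `~` arrives as None. Sample configurations are constructed.
WEAK = {"*", "'unsafe-inline'", "'unsafe-eval'"}


def default_header(https):
    # Defaults documented on this page; default-src differs for HTTP and HTTPS.
    scheme = "https:" if https else "*"
    return {
        "Content-Security-Policy": {"default-src": [f"{scheme} 'unsafe-inline' 'unsafe-eval'"]},
        "Referrer-Policy": "strict-origin",
        "X-Content-Type-Options": "nosniff",
    }


def effective_headers(site, https=True):
    """Return {name: value} for the headers that would be sent."""
    if "header" not in site:            # attribute absent: defaults apply
        header = default_header(https)
    else:
        header = site["header"] or {}   # header: ~ disables everything
    out = {}
    for name, value in header.items():
        if value is None:               # 'Name': ~ disables that one header
            continue                    # assumption: omitted headers are not sent
        if name == "Content-Security-Policy":
            # Standard CSP syntax: "directive src src; directive src"
            value = "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in value.items())
        out[name] = value
    return out


def weak_csp_tokens(site, https=True):
    """Return (directive, token) pairs that undo most of the CSP's protection."""
    csp = effective_headers(site, https).get("Content-Security-Policy", "")
    found = []
    for directive in filter(None, (part.strip() for part in csp.split(";"))):
        name, *sources = directive.split()
        found += [(name, s) for s in sources if s in WEAK]
    return found


ADVANCED = {"header": {
    "Content-Security-Policy": {"default-src": ["'self'"],
                                "img-src": ["'self'", "https://i.imgur.com"]},
    "Referrer-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff"}}
```

Run against the documented defaults, `weak_csp_tokens` reports `'unsafe-inline'` and `'unsafe-eval'` (plus `*` over HTTP), while the advanced configuration yields no findings.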
Provides
N/A