Header

Injects HTTP headers into the HTTP response based on the site.yml configuration.

Options

option                  | type   | required | description
Content-Security-Policy | array  |          | Content-Security-Policy documentation
Referrer-Policy         | string |          | Referrer-Policy documentation
X-Content-Type-Options  | string |          | X-Content-Type-Options

Default configuration

These HTTP headers are injected into the HTTP response when the header attribute is not present in site.yml.

# site.yml

header:
    'Content-Security-Policy':
        'default-src':
            - "* 'unsafe-inline' 'unsafe-eval'"          # default value for HTTP
            - "https: 'unsafe-inline' 'unsafe-eval'"     # default value for HTTPS
    'Referrer-Policy': strict-origin
    'X-Content-Type-Options': nosniff

Advanced configuration

# site.yml

header:
    'Content-Security-Policy':
        'default-src':
            - "'self'"
        'img-src':
            - "'self'"
            - "https://i.imgur.com"
    'Referrer-Policy': same-origin
    'X-Content-Type-Options': nosniff

Globally disabled configuration

To disable injection of HTTP headers into the HTTP response globally, set the header value to ~ in site.yml.

# site.yml

header: ~

Individually disabled configuration

To disable injection of individual HTTP headers into the HTTP response, set the specific attribute value to ~ in site.yml.

# site.yml

header:
    'Content-Security-Policy': ~
    'Referrer-Policy': ~
    'X-Content-Type-Options': ~
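
An added example (not the plugin's own code) that audits a header block like the ones above once site.yml has been parsed: it serializes the Content-Security-Policy in standard header syntax and flags permissive sources and disabled headers. The function names, finding strings and Python dicts (None standing for ~, and only the HTTPS default modelled) are assumptions made for this example.

```python
# Added example, not the plugin's code. The dicts are constructed to mirror the
# configurations on this page after YAML parsing; None stands for "~".
WEAK = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}
CHECKED = ("default-src", "script-src")  # directives that govern script loading
HEADERS = ("Content-Security-Policy", "Referrer-Policy", "X-Content-Type-Options")

DEFAULT_HTTPS = {
    "Content-Security-Policy": {"default-src": ["https: 'unsafe-inline' 'unsafe-eval'"]},
    "Referrer-Policy": "strict-origin",
    "X-Content-Type-Options": "nosniff",
}
ADVANCED = {
    "Content-Security-Policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "https://i.imgur.com"],
    },
    "Referrer-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
}
DISABLED = dict.fromkeys(HEADERS)  # every attribute set to ~


def render_csp(policy):
    """Serialize {directive: [sources]} in standard CSP header syntax."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


def audit(header):
    """Return sorted findings for one parsed 'header' value."""
    if header is None:
        return ["all headers disabled"]
    findings = {f"{h} disabled" for h in HEADERS if h in header and header[h] is None}
    csp = header.get("Content-Security-Policy") or {}
    for directive in CHECKED:
        for entry in csp.get(directive, []):
            # One list entry may carry several space-separated sources.
            for token in entry.split():
                if token in WEAK:
                    findings.add(f"{directive}: weak source {token}")
    if header.get("X-Content-Type-Options") not in (None, "nosniff"):
        findings.add("X-Content-Type-Options is not nosniff")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_HTTPS), ("advanced", ADVANCED),
                      ("disabled", DISABLED), ("global ~", None)]:
        print(name, audit(cfg))
    print(render_csp(ADVANCED["Content-Security-Policy"]))
```

The default configuration yields three findings on default-src, while the advanced configuration yields none.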

Provides

N/A