Note that only one of the two HSTS rules below can be enabled at a time; the other one must be disabled:
- (default) Add Strict-Transport-Security (HSTS) header
- (default) Add Strict Transport Security (HSTS) header for preload list
For more information about HSTS preload, see https://hstspreload.org/.
Action Name | Description | Default
--- | --- | ---
(default) Response header allow list | All headers not explicitly contained in the allow list of well-known headers are removed. | disabled |
(default) Response header deny list | Removes some unused headers. | enabled |
(default) Prevent information leakage in headers | Some headers leak information about back-end servers and deployed software. By removing these headers, such information is hidden from potential attackers. | enabled |
(default) Remove NTLM header | Back-ends can advise clients to authenticate using NTLM. By default, these headers are removed, because NTLM passthrough is not supported. When using front-side NTLM in combination with an authentication service, this action must be disabled. | enabled |
(default) Remove Negotiate header | Back-ends can advise clients to authenticate using a specific method. By default, these headers are removed. This action must be disabled when using front-side Kerberos in combination with an authentication service. | enabled
(default) Remove permissive CORS header | CORS (Cross-Origin Resource Sharing) is a method for enabling cross-origin requests in browsers. If misconfigured, CORS reduces client-side security. This action removes CORS headers that have no restrictions. | enabled |
(default) Add X-Frame-Options header | If no X-Frame-Options header is specified by the back-end, this action advises the browser to display the page only in a frame with the same origin as the page itself. This prevents clickjacking attacks. | enabled
(default) Add Strict-Transport-Security (HSTS) header | HSTS headers advise browsers to use solely secure HTTPS connections towards the back-end. If no HSTS header is specified by the back-end, this action adds a default HSTS header, requiring HTTPS for all requests. | enabled |
(default) Add Strict Transport Security (HSTS) header for preload list | HSTS headers advise browsers to use solely secure HTTPS connections towards the back-end. Sets the Strict-Transport-Security header so that it complies with the HSTS preload list requirements. After enabling this action, your virtual host must be registered at https://hstspreload.org. | disabled
(default) Add Content-Security-Policy (CSP) header | Content Security Policy (CSP) is a technique for preventing Cross-Site Scripting and similar attacks by restricting the origins from which a website may include resources. Defining fine-grained policies requires good knowledge of the application. If no CSP headers are specified by the back-end, this action adds base protection, allowing the inclusion of JavaScript and image resources only from the back-end itself. | disabled
(default) Add Content-Security-Policy (CSP) header (with prefix "X-") | See action "(default) Add Content-Security-Policy (CSP) header" (variant with an "X-" prefix). | disabled
(default) Add XSS-Protection header | If no corresponding header is present, this action enables the XSS protection feature of IE 8 browsers (and newer). | enabled |
(default) Add Content-Type-Options header | If no corresponding header is present, this action disables a browser feature called MIME-type sniffing, which can be harmful. | enabled |
(default) Set cookie security attributes | This action automatically sets the security attributes of cookies based on the current configuration. In particular, the "Secure" attribute is set if HTTPS is enabled on the virtual host and disabled otherwise. The "HttpOnly" attribute is automatically set for encrypted cookies. For passthrough cookies, the "HttpOnly" attribute is not modified. | enabled |
(default) Translate internal cookie path | Action for rewriting the "Path" attribute of cookies. Rewriting the cookie path may be necessary if the application creates absolute or incorrect cookie paths because it is not reverse proxy compatible. | disabled |
(default) Translate internal cookie domain | This action replaces the "Domain" attribute of cookies with the session cookie domain configured on the corresponding virtual host. | enabled |
(default) Add Referrer-Policy header | If no corresponding header is present, this action adds a Referrer-Policy header to prevent information leakage from your web application. | enabled
(default) Add Feature-Policy header | If no corresponding header is present, this action prevents the use of some sensitive browser features outside of your web application. | enabled |
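The following Python model is added here as an illustration and is not the product's own code. It applies a handful of the default actions from the table to a plain map of response headers (information-leak removal, NTLM/Negotiate challenge removal, permissive CORS removal, X-Frame-Options, Content-Type-Options and XSS-Protection defaults, the Secure cookie attribute, and exactly one of the two mutually exclusive HSTS rules) and checks a Strict-Transport-Security value against the requirements published at https://hstspreload.org/ (max-age of at least one year, includeSubDomains, preload). The list of information-leaking headers, the default HSTS max-age and the concrete values of the added X-Frame-Options, X-Content-Type-Options and X-XSS-Protection headers are assumptions: the page states the behaviour of each action but not the exact values it emits.

```python
"""Simplified model of reverse-proxy response header actions (added example)."""
from __future__ import annotations

# Assumption: headers that commonly reveal back-end software. The page does
# not list the product's actual deny list.
INFO_LEAK_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")

# Published preload requirement: max-age of at least one year (in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives.
    Valueless directives (includeSubDomains, preload) are stored as True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def hsts_preload_compliant(value: str) -> bool:
    """True if the header satisfies the hstspreload.org requirements."""
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except (TypeError, ValueError):
        return False
    return (max_age >= PRELOAD_MIN_MAX_AGE
            and d.get("includesubdomains") is True
            and d.get("preload") is True)


def apply_default_actions(headers: dict, *, https: bool = True,
                          hsts_preload: bool = False) -> dict:
    """Return a new header map with a subset of the default actions applied.
    `https` mirrors whether HTTPS is enabled on the virtual host; `hsts_preload`
    selects the preload variant of the HSTS rule (the two are exclusive)."""
    out = dict(headers)
    lower = {k.lower(): k for k in out}  # case-insensitive name lookup

    def has(name: str) -> bool:
        return name.lower() in lower

    def drop(name: str) -> None:
        key = lower.pop(name.lower(), None)
        if key is not None:
            del out[key]

    def set_if_missing(name: str, value: str) -> None:
        if not has(name):
            out[name] = value
            lower[name.lower()] = name

    # Prevent information leakage in headers.
    for name in INFO_LEAK_HEADERS:
        drop(name)

    # Remove NTLM / Negotiate challenges (passthrough of these schemes is not
    # supported). Comma-splitting is a simplification of the real grammar.
    if has("WWW-Authenticate"):
        key = lower["www-authenticate"]
        schemes = [s.strip() for s in out[key].split(",")]
        kept = [s for s in schemes
                if s and s.split()[0].lower() not in ("ntlm", "negotiate")]
        if kept:
            out[key] = ", ".join(kept)
        else:
            drop("WWW-Authenticate")

    # Remove permissive CORS header: a wildcard origin imposes no restriction.
    if has("Access-Control-Allow-Origin") and \
            out[lower["access-control-allow-origin"]].strip() == "*":
        drop("Access-Control-Allow-Origin")

    # Browser hardening headers, only where the back-end sent none (values assumed).
    set_if_missing("X-Frame-Options", "SAMEORIGIN")
    set_if_missing("X-Content-Type-Options", "nosniff")
    set_if_missing("X-XSS-Protection", "1; mode=block")

    # HSTS: exactly one of the two rules, and only meaningful over HTTPS.
    if https:
        if hsts_preload:
            set_if_missing("Strict-Transport-Security",
                           f"max-age={PRELOAD_MIN_MAX_AGE}; includeSubDomains; preload")
        else:
            set_if_missing("Strict-Transport-Security", "max-age=31536000")  # assumed default

    # Cookie security attributes: Secure follows the virtual host's HTTPS setting.
    if has("Set-Cookie"):
        key = lower["set-cookie"]
        attrs = [a.strip() for a in out[key].split(";") if a.strip()]
        names = {a.split("=")[0].lower() for a in attrs}
        if https and "secure" not in names:
            attrs.append("Secure")
        elif not https and "secure" in names:
            attrs = [a for a in attrs if a.lower() != "secure"]
        out[key] = "; ".join(attrs)

    return out
```

A useful way to read the model: run a captured back-end response through `apply_default_actions` and diff the result against the original to see which of the table's actions would fire; `hsts_preload_compliant` tells you whether the header you already emit would pass the preload submission check before you register the host.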