Default Response Actions

Note that only one of the two HSTS rules below can be enabled at a time; the other one must be disabled:

  • (default) Add Strict-Transport-Security (HSTS) header
  • (default) Add Strict Transport Security (HSTS) header for preload list

For more information about HSTS preload, see https://hstspreload.org/.

(default) Prevent information leakage in headers

Some headers leak information about back-end servers and deployed software. By removing these headers, such information is hidden from potential attackers.

This action is enabled by default.

(default) Remove NTLM header

Back-ends can advise clients to authenticate using NTLM. By default, these headers are removed, because NTLM passthrough is not supported. When using front-side NTLM in combination with an authentication service, this action must be disabled.

This action is enabled by default.

(default) Remove Negotiate header

Back-ends can advise clients to authenticate using a specific method. By default, these headers are removed. This action must be disabled when using front-side Kerberos in combination with an authentication service.

This action is enabled by default.

(default) Remove permissive CORS header

CORS (Cross-Origin Resource Sharing) is a method for enabling cross-origin requests in browsers. If misconfigured, CORS reduces client-side security. This action removes CORS headers that have no restrictions.

This action is enabled by default.

(default) Add X-Frame-Options header

If no X-Frame-Options header is specified by the back-end, this action advises browsers to display a page only in a frame with the same origin as the page itself. This prevents clickjacking attacks.

This action is enabled by default.

(default) Add Strict-Transport-Security (HSTS) header

HSTS headers advise browsers to use solely secure HTTPS connections towards the back-end. If no HSTS header is specified by the back-end, this action adds a default HSTS header, requiring HTTPS for all requests.

This action is enabled by default.

(default) Add Strict Transport Security (HSTS) header for preload list

HSTS headers advise browsers to use solely secure HTTPS connections towards the back-end. This action sets the Strict-Transport-Security header so that it complies with the HSTS preload list requirements. After enabling this action, your virtual host must be registered at https://hstspreload.org.

This action is disabled by default.

(default) Add Content-Security-Policy (CSP) header

Content Security Policy (CSP) is a technique for preventing Cross-Site Scripting (XSS) and similar attacks by restricting the origins from which a website may include resources. Defining fine-grained policies requires good knowledge of the application. If no CSP header is specified by the back-end, this action adds a base protection, allowing inclusion of JavaScript and image resources only from the back-end itself.

This action is disabled by default.

(default) Add Content-Security-Policy (CSP) header (with prefix "X-")

See action "(default) Add Content-Security-Policy (CSP) header"; this is the variant with an "X-" prefix.

This action is disabled by default.

(default) Add XSS-Protection header

If no corresponding header is present, this action enables the XSS protection feature of IE 8 browsers (and newer).

This action is enabled by default.

(default) Add Content-Type-Options header

If no corresponding header is present, this action disables a browser feature called MIME-type sniffing, which can be harmful.

This action is enabled by default.

(default) Set cookie security attributes

This action automatically sets the security attributes of cookies based on the current configuration. In particular, the "Secure" attribute is set if HTTPS is enabled on the virtual host and disabled otherwise. The "HttpOnly" attribute is automatically set for encrypted cookies. For passthrough cookies, the "HttpOnly" attribute is not modified.

This action is enabled by default.

(default) Translate internal cookie path

This action rewrites the "Path" attribute of cookies. Rewriting the cookie path may be necessary if the application creates absolute or incorrect cookie paths because it is not reverse proxy compatible.

This action is disabled by default.

(default) Translate internal cookie domain

This action replaces the "Domain" attribute of cookies with the session cookie domain configured on the corresponding virtual host.

This action is enabled by default.
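The three cookie actions above (security attributes, path translation, domain translation) can be illustrated on a single Set-Cookie value. The following is an added example and not the product's own code: the cookie mode ("encrypted" versus "passthrough"), the internal-to-external path mapping, the session cookie domain and the option names are assumptions made for this example; the constructed Set-Cookie value at the bottom is sample input.

```python
"""Cookie attribute rewriting as described on the page (added example, not the
product's implementation). Assumptions: a cookie is either "encrypted" or
"passthrough"; the path mapping and session cookie domain are supplied by the
caller as they would come from the virtual host configuration."""


def parse_set_cookie(value):
    """Split a Set-Cookie value into its name=value pair and a list of
    (attribute, value) tuples; flag attributes such as Secure get an empty value."""
    parts = [p.strip() for p in value.split(";")]
    attrs = []
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return parts[0], attrs


def format_set_cookie(name_value, attrs):
    """Serialise the pair and attribute list back into a Set-Cookie value."""
    pieces = [name_value]
    for key, val in attrs:
        pieces.append(f"{key}={val}" if val else key)
    return "; ".join(pieces)


def translate_path(internal_path, path_mapping):
    """Map an internal (back-end) cookie path prefix onto the external path the
    client sees. path_mapping is {internal_prefix: external_prefix} (assumed shape)."""
    for internal_prefix, external_prefix in path_mapping.items():
        base = internal_prefix.rstrip("/")
        if internal_path == base or internal_path.startswith(base + "/"):
            rest = internal_path[len(base):]
            return (external_prefix.rstrip("/") + rest) or "/"
    return internal_path  # no mapping matched: leave the path untouched


def rewrite_cookie(set_cookie, *, https_enabled, mode="encrypted",
                   session_cookie_domain=None, translate_domain=True,
                   path_mapping=None):
    """Apply the page's cookie rules:
    - Secure is set when HTTPS is enabled on the virtual host, removed otherwise;
    - HttpOnly is forced on for encrypted cookies, left as-is for passthrough cookies;
    - Domain is replaced by the session cookie domain (translation enabled by default);
    - Path is rewritten through path_mapping when one is given (disabled by default)."""
    name_value, attrs = parse_set_cookie(set_cookie)
    out = []
    for key, val in attrs:
        lkey = key.lower()
        if lkey == "secure":
            continue  # recomputed below from the virtual host's HTTPS setting
        if lkey == "httponly" and mode == "encrypted":
            continue  # re-added unconditionally below for encrypted cookies
        if lkey == "domain" and translate_domain and session_cookie_domain:
            out.append(("Domain", session_cookie_domain))
            continue
        if lkey == "path" and path_mapping:
            out.append(("Path", translate_path(val, path_mapping)))
            continue
        out.append((key, val))
    if https_enabled:
        out.append(("Secure", ""))
    if mode == "encrypted":
        out.append(("HttpOnly", ""))
    return format_set_cookie(name_value, out)


# Constructed sample: a back-end that is not reverse proxy aware emits its
# internal path and host name in the cookie.
SAMPLE_SET_COOKIE = "SESSION=abc123; Path=/internal-app/; Domain=backend.internal; Secure"

if __name__ == "__main__":
    print(rewrite_cookie(SAMPLE_SET_COOKIE, https_enabled=True,
                         session_cookie_domain="www.example.com",
                         path_mapping={"/internal-app/": "/"}))
```

Note that a passthrough cookie keeps whatever HttpOnly state the back-end gave it, while the Secure attribute always follows the virtual host's HTTPS setting regardless of mode.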

(default) Add Referrer-Policy header

If no corresponding header is present, this action prevents information leakage from your web application.

This action is enabled by default.

(default) Add Feature-Policy header

If no corresponding header is present, this action prevents the use of some sensitive browser features outside of your web application.

This action is enabled by default.
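The header actions on this page fall into two groups: removals (information leakage, NTLM, Negotiate, permissive CORS) and additions that only apply when the back-end sent no corresponding header (X-Frame-Options, HSTS, CSP, XSS-Protection, Content-Type-Options, Referrer-Policy, Feature-Policy). The following is an added example and not the product's own code; the list of leaky header names, the default header values, the option names and the constructed response headers are assumptions made for this example. It also includes a check of an HSTS value against the preload list requirements from hstspreload.org.

```python
"""Default response-header actions from the page, modelled on a list of
(name, value) header pairs. Added example, not the product's implementation;
header lists, default values and option names are assumptions."""

# Headers that reveal back-end software (assumed list for the example).
INFO_LEAK_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Assumed default values for the headers the actions add when the back-end sends none.
HSTS_DEFAULT = "max-age=31536000"
HSTS_PRELOAD = "max-age=63072000; includeSubDomains; preload"
CSP_DEFAULT = "default-src 'self'; script-src 'self'; img-src 'self'"


def _auth_scheme(www_authenticate):
    """Return the lower-cased authentication scheme of a WWW-Authenticate value."""
    return www_authenticate.strip().split(" ", 1)[0].lower()


def apply_default_actions(headers, *, hsts_preload=False, add_csp=False,
                          remove_ntlm=True, remove_negotiate=True):
    """Apply the removal actions, then add each security header only if the
    back-end did not already set it ("if no corresponding header is present")."""
    kept = []
    present = set()
    for name, value in headers:
        lname = name.lower()
        if lname in INFO_LEAK_HEADERS:
            continue  # Prevent information leakage in headers
        if lname == "www-authenticate":
            scheme = _auth_scheme(value)
            if (remove_ntlm and scheme == "ntlm") or (remove_negotiate and scheme == "negotiate"):
                continue  # Remove NTLM / Negotiate header
        if lname == "access-control-allow-origin" and value.strip() == "*":
            continue  # Remove permissive CORS header (no origin restriction)
        kept.append((name, value))
        present.add(lname)

    additions = [
        ("X-Frame-Options", "SAMEORIGIN"),  # same-origin framing only
        ("Strict-Transport-Security", HSTS_PRELOAD if hsts_preload else HSTS_DEFAULT),
        ("X-XSS-Protection", "1; mode=block"),
        ("X-Content-Type-Options", "nosniff"),  # disables MIME-type sniffing
        ("Referrer-Policy", "strict-origin-when-cross-origin"),  # assumed default
        ("Feature-Policy", "camera 'none'; microphone 'none'; geolocation 'none'"),  # assumed
    ]
    if add_csp:  # disabled by default on the page
        additions.append(("Content-Security-Policy", CSP_DEFAULT))
    for name, value in additions:
        if name.lower() not in present:
            kept.append((name, value))
    return kept


def hsts_preload_ready(hsts_value):
    """Check a Strict-Transport-Security value against the hstspreload.org
    submission requirements: max-age of at least one year (31536000 seconds),
    the includeSubDomains directive and the preload directive."""
    directives = {}
    for part in hsts_value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= 31536000 and "includesubdomains" in directives and "preload" in directives


# Constructed sample of a back-end response that exhibits every removal case.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="intranet"'),
    ("Access-Control-Allow-Origin", "*"),
    ("X-Frame-Options", "DENY"),
]

if __name__ == "__main__":
    for name, value in apply_default_actions(SAMPLE_RESPONSE_HEADERS):
        print(f"{name}: {value}")
```

The back-end's own X-Frame-Options: DENY survives untouched, which is the "only if absent" semantics the page describes for every added header; the Basic challenge is kept while the NTLM one is dropped, matching the note that NTLM passthrough is not supported.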