Reference tables of built-in header lists

The following reference shows the built-in header lists used in the CR HeaderRewrites.

Not all lists are activated by default. See CR Header Rewrites reference documentation for the Header Rewrites default configuration.
See article CR HeaderRewrites if a different configuration is required.

Request Headers

The headers in the following list are allowed if it is activated:

`request.allow.builtIn.standardHeaders`
Accept Accept-Charset Accept-Language Access-Control-Request-Headers Access-Control-Request-Method Authorization Cache-Control Content-Type Cookie DNT Host If-Match If-Modified-Since	If-Modified-Since If-None-Match If-Range If-Unmodified-Since Last-Event-ID Origin Pragma Range Referer Sec-Metadata Sec-WebSocket-Extensions Sec-WebSocket-Key Sec-WebSocket-Protocol	Sec-WebSocket-Version SOAPAction UA-CPU Upgrade-Insecure-Requests User-Agent Via X-Correlation-ID X-Do-Not-Track X-Requested-With X-Request-ID X-Same-Domain X-WAP-Profile X-WAP-Profile-Diff

The header in the following list is removed if it is activated:

request.remove.builtIn.alternativeForwardedHeaders
Front-End-Https

Response Headers

The headers in the following list are allowed if it is activated:

`response.allow.builtIn.standardHeaders`
Accept-Ranges Access-Control-Allow-Credentials Access-Control-Allow-Headers Access-Control-Allow-Methods Access-Control-Allow-Origin Access-Control-Expose-Headers Access-Control-Max-Age Allow Cache-Control Content-Disposition Content-Encoding Content-Language Content-Length Content-Location Content-MD5 Content-Range	Content-Security-Policy Content-Type Date Etag Expires Feature-Policy Frame-Options Last-Modified Location Pragma Referrer-Policy Refresh Retry-After Sec-WebSocket-Accept Sec-WebSocket-Extensions Sec-WebSocket-Protocol	Sec-WebSocket-Version Strict-Transport-Security Trailer Transfer-Encoding Vary WWW-Authenticate Warning X-Content-Security-Policy X-Content-Type-Options X-Frame-Options X-Permitted-Cross-Domain-Policies X-UA-Compatible X-WAP-Profile-Warning X-WebKit-CSP

The headers in the following lists are removed if they are activated:

response.remove.builtIn.informationLeakage.server
Age
Link
P3P
Proxy-Authenticate
Server
Via

response.remove.builtIn.informationLeakage.application
X-AspNet-Version
X-AspNetMvc-Version
X-Generator
X-Powered-By

response.remove.builtIn.auth.basic
WWW-Authenticate

Values: ?i:^Basic.*

response.remove.builtIn.auth.ntlm
WWW-Authenticate

Values: ?i:^NTLM.*

response.remove.builtIn.auth.negotiate
WWW-Authenticate

Values: ?i:^Negotiate.*

response.remove.builtIn.auth.permissiveCors
Access-Control-Allow-Origin

Values: ?i:^[[:blank:]]*\\*[[:blank:]]*$

The headers in the following lists are added if they are activated:

A mode parameter can be added to define the behavior in case a header is already existing. The default adding behavior is AddIfAbsent , but it could be set to OverwriteOrAdd.

response.add.builtIn.xFrameOptions
X-Frame-Options

Value: SAMEORIGIN

response.add.builtIn.hsts
Strict-Transport-Security

Value: max-age=16070400

response.add.builtIn.hstsPreload
Strict-Transport-Security

Values: max-age=31536000; includeSubDomains; preload

response.add.builtIn.csp
Content-Security-Policy

Values:
default-src 'self'; img-src *

response.add.builtIn.xContentTypeOptions
X-Content-Type-Options

Value:
nosniff

response.add.builtIn.referrerPolicy
Referrer-Policy

Value:
same-origin

response.add.builtIn.featurePolicy
Feature-Policy

Values:
accelerometer
ambient-light-sensor
autoplay
camera
display-capture
document-domain
encrypted-media
fullscreen
geolocation
gyroscope
magnetometer
microphone
midi
payment
usb
xr-spatial-tracking