The headers in the following list are allowed if the setting is activated:
response.allow.builtIn.standardHeaders
- Accept-Ranges
- Access-Control-Allow-Credentials
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Allow
- Cache-Control
- Content-Disposition
- Content-Encoding
- Content-Language
- Content-Length
- Content-Location
- Content-MD5
- Content-Range
- Content-Security-Policy
- Content-Type
- Date
- Etag
- Expires
- Feature-Policy
- Frame-Options
- Last-Modified
- Location
- Pragma
- Referrer-Policy
- Refresh
- Retry-After
- Sec-WebSocket-Accept
- Sec-WebSocket-Extensions
- Sec-WebSocket-Protocol
- Sec-WebSocket-Version
- Strict-Transport-Security
- Trailer
- Transfer-Encoding
- Vary
- WWW-Authenticate
- Warning
- X-Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-UA-Compatible
- X-WAP-Profile-Warning
- X-WebKit-CSP

The headers in the following lists are removed if the corresponding setting is activated:

response.remove.builtIn.informationLeakage.server
- Age
- Link
- P3P
- Proxy-Authenticate
- Server
- Via

response.remove.builtIn.informationLeakage.application
- X-AspNet-Version
- X-AspNetMvc-Version
- X-Generator
- X-Powered-By

response.remove.builtIn.auth.basic
- WWW-Authenticate
  Values: ?i:^Basic.*

response.remove.builtIn.auth.ntlm
- WWW-Authenticate
  Values: ?i:^NTLM.*

response.remove.builtIn.auth.negotiate
- WWW-Authenticate
  Values: ?i:^Negotiate.*

The headers in the following lists are added if the corresponding setting is activated.
A mode parameter can be added to define the behavior if a header already exists. The default adding behavior is AddIfAbsent, but it can be set to OverwriteOrAdd.

response.add.builtIn.xFrameOptions
- X-Frame-Options
  Value: SAMEORIGIN

response.add.builtIn.hsts
- Strict-Transport-Security
  Value: max-age=16070400

response.add.builtIn.xContentTypeOptions
- X-Content-Type-Options
  Value: nosniff

response.add.builtIn.referrerPolicy
- Referrer-Policy
  Value: same-origin

response.add.builtIn.featurePolicy
- Feature-Policy
  Values:
  - accelerometer
  - ambient-light-sensor
  - autoplay
  - camera
  - display-capture
  - document-domain
  - encrypted-media
  - fullscreen
  - geolocation
  - gyroscope
  - magnetometer
  - microphone
  - midi
  - payment
  - usb
  - xr-spatial-tracking
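
The effect of the remove and add lists above on a single response, modeled in Python as an added example (not the product's code or configuration syntax). Assumptions: removal runs before adding, the `?i:` prefix means case-insensitive matching, OverwriteOrAdd replaces every existing value of the header, and the name `filter_response` and the sample response are constructed for illustration.

```python
import re

# Values from the page's remove lists. Assumption: the "?i:" prefix on the
# page's value patterns means case-insensitive matching.
AUTH_PATTERNS = [re.compile(p, re.I) for p in (r"^Basic.*", r"^NTLM.*", r"^Negotiate.*")]
REMOVE_ANY_VALUE = {"age", "link", "p3p", "proxy-authenticate", "server", "via",
                    "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
                    "x-powered-by"}
# Values from the page's add lists (Feature-Policy left out: the page gives
# the feature names but not the header value).
ADD_HEADERS = [("X-Frame-Options", "SAMEORIGIN"),
               ("Strict-Transport-Security", "max-age=16070400"),
               ("X-Content-Type-Options", "nosniff"),
               ("Referrer-Policy", "same-origin")]

def filter_response(headers, mode="AddIfAbsent"):
    """Apply the remove lists, then the add lists, to (name, value) pairs."""
    if mode not in ("AddIfAbsent", "OverwriteOrAdd"):
        raise ValueError(f"unknown mode: {mode}")
    kept = []
    for name, value in headers:
        key = name.lower()  # header names are case-insensitive
        if key in REMOVE_ANY_VALUE:
            continue
        if key == "www-authenticate" and any(p.match(value.strip()) for p in AUTH_PATTERNS):
            continue  # only the matching challenge is dropped, not the header name
        kept.append((name, value))
    for name, value in ADD_HEADERS:
        exists = any(n.lower() == name.lower() for n, _ in kept)
        if exists and mode == "AddIfAbsent":
            continue  # the back-end value wins
        # OverwriteOrAdd (assumed semantics): drop every existing value first
        kept = [(n, v) for n, v in kept if n.lower() != name.lower()]
        kept.append((name, value))
    return kept

# Constructed back-end response for illustration
SAMPLE = [("Server", "ExampleHTTPd/1.0"),
          ("x-powered-by", "ExampleFramework"),
          ("WWW-Authenticate", 'basic realm="intranet"'),
          ("WWW-Authenticate", 'Bearer realm="api"'),
          ("X-Frame-Options", "DENY"),
          ("Content-Type", "text/html")]

if __name__ == "__main__":
    for m in ("AddIfAbsent", "OverwriteOrAdd"):
        print(m, filter_response(SAMPLE, m))
```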