2022-04-15 13:44:08 +00:00
---
title: "Traefik Headers Documentation"
description: "In Traefik Proxy, the HTTP headers middleware manages the headers of requests and responses. Read the technical documentation."
---
2021-02-11 13:34:04 +00:00
# Headers
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
Managing Request/Response headers
2019-02-26 13:50:07 +00:00
{: .subtitle }
2021-06-11 13:30:05 +00:00
![Headers ](../../assets/img/middleware/headers.png )
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The Headers middleware manages the headers of requests and responses.
2019-02-26 13:50:07 +00:00
2021-09-16 09:18:12 +00:00
A set of forwarded headers are automatically added by default. See the [FAQ ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests ) for more information.
2019-02-26 13:50:07 +00:00
## Configuration Examples
### Adding Headers to the Request and the Response
2021-02-11 13:34:04 +00:00
The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
2019-02-26 13:50:07 +00:00
2019-03-29 11:34:05 +00:00
```yaml tab="Docker"
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
2019-04-02 08:40:04 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-02 08:40:04 +00:00
kind: Middleware
metadata:
2021-06-24 09:28:05 +00:00
name: test-header
2019-04-02 08:40:04 +00:00
spec:
headers:
2019-06-17 16:30:05 +00:00
customRequestHeaders:
2019-04-02 08:40:04 +00:00
X-Script-Name: "test"
2019-06-17 16:30:05 +00:00
customResponseHeaders:
2019-07-22 07:58:04 +00:00
X-Custom-Response-Header: "value"
2019-03-29 11:34:05 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
```
2019-07-22 07:58:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
testHeader:
headers:
customRequestHeaders:
X-Script-Name: "test"
customResponseHeaders:
X-Custom-Response-Header: "value"
2019-03-29 11:34:05 +00:00
```
2019-02-26 13:50:07 +00:00
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "value"
```
2019-02-26 13:50:07 +00:00
### Adding and Removing Headers
2021-02-11 13:34:04 +00:00
In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
and responses are stripped of their `X-Custom-Response-Header` header.
2019-02-26 13:50:07 +00:00
2019-09-03 16:02:05 +00:00
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
2021-05-17 16:07:25 +00:00
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
2019-09-03 16:02:05 +00:00
```
2019-02-26 13:50:07 +00:00
2019-04-02 08:40:04 +00:00
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-02 08:40:04 +00:00
kind: Middleware
metadata:
2021-06-24 09:28:05 +00:00
name: test-header
2019-04-02 08:40:04 +00:00
spec:
headers:
2019-06-17 16:30:05 +00:00
customRequestHeaders:
2019-04-05 13:18:04 +00:00
X-Script-Name: "test" # Adds
X-Custom-Request-Header: "" # Removes
2019-06-17 16:30:05 +00:00
customResponseHeaders:
2019-04-05 13:18:04 +00:00
X-Custom-Response-Header: "" # Removes
2019-04-02 08:40:04 +00:00
```
2019-02-26 13:50:07 +00:00
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
2021-05-17 16:07:25 +00:00
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
2019-10-15 15:34:08 +00:00
```
2019-07-22 07:58:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
testHeader:
headers:
customRequestHeaders:
X-Script-Name: "test" # Adds
X-Custom-Request-Header: "" # Removes
customResponseHeaders:
X-Custom-Response-Header: "" # Removes
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test" # Adds
X-Custom-Request-Header = "" # Removes
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "" # Removes
```
2019-02-26 13:50:07 +00:00
### Using Security Headers
2021-05-28 06:50:09 +00:00
Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
2021-02-11 13:34:04 +00:00
This functionality makes it possible to easily use security features by adding headers.
2019-02-26 13:50:07 +00:00
2019-04-02 08:40:04 +00:00
```yaml tab="Docker"
labels:
2019-07-01 09:30:05 +00:00
- "traefik.http.middlewares.testHeader.headers.framedeny=true"
2021-05-28 06:50:09 +00:00
- "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
2019-04-02 08:40:04 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-02 08:40:04 +00:00
kind: Middleware
metadata:
2021-06-24 09:28:05 +00:00
name: test-header
2019-04-02 08:40:04 +00:00
spec:
headers:
2020-06-17 08:22:03 +00:00
frameDeny: true
2022-05-23 08:50:08 +00:00
browserXssFilter: true
2019-04-02 08:40:04 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.testheader.headers.framedeny=true"
2021-05-28 06:50:09 +00:00
- "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
2019-10-15 15:34:08 +00:00
```
2021-02-11 13:34:04 +00:00
```yaml tab="File (YAML)"
2019-07-22 07:58:04 +00:00
http:
middlewares:
testHeader:
headers:
2019-10-23 09:48:05 +00:00
frameDeny: true
2022-05-23 08:50:08 +00:00
browserXssFilter: true
2019-07-22 07:58:04 +00:00
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
frameDeny = true
2022-05-23 08:50:08 +00:00
browserXssFilter = true
2021-06-18 22:08:08 +00:00
```
2019-04-02 08:40:04 +00:00
### CORS Headers
2019-09-03 16:02:05 +00:00
CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
2019-04-02 08:40:04 +00:00
This functionality allows for more advanced security features to quickly be set.
2022-04-11 15:22:09 +00:00
If CORS headers are set, then the middleware does not pass preflight requests to any service,
instead the response will be generated and sent back to the client directly.
2019-04-02 08:40:04 +00:00
```yaml tab="Docker"
labels:
2019-07-01 09:30:05 +00:00
- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
2020-03-05 07:18:04 +00:00
- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
2019-07-01 09:30:05 +00:00
- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
2019-04-02 08:40:04 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-02 08:40:04 +00:00
kind: Middleware
metadata:
2021-06-24 09:28:05 +00:00
name: test-header
2019-04-02 08:40:04 +00:00
spec:
headers:
2019-07-01 09:30:05 +00:00
accessControlAllowMethods:
2019-04-02 08:40:04 +00:00
- "GET"
- "OPTIONS"
- "PUT"
2020-03-05 07:18:04 +00:00
accessControlAllowOriginList:
- "https://foo.bar.org"
- "https://example.org"
2019-07-01 09:30:05 +00:00
accessControlMaxAge: 100
2020-06-17 08:22:03 +00:00
addVaryHeader: true
2019-04-02 08:40:04 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
2020-03-05 07:18:04 +00:00
- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
2019-10-15 15:34:08 +00:00
- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
```
2019-07-22 07:58:04 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
testHeader:
headers:
2019-10-02 14:32:05 +00:00
accessControlAllowMethods:
2019-09-23 15:00:06 +00:00
- GET
- OPTIONS
- PUT
2020-03-05 07:18:04 +00:00
accessControlAllowOriginList:
- https://foo.bar.org
- https://example.org
2019-07-22 07:58:04 +00:00
accessControlMaxAge: 100
addVaryHeader: true
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
accessControlMaxAge = 100
addVaryHeader = true
```
2019-02-26 13:50:07 +00:00
## Configuration Options
### General
!!! warning
2021-02-11 13:34:04 +00:00
Custom headers will overwrite existing headers if they have identical names.
2019-02-26 13:50:07 +00:00
2019-09-23 12:32:04 +00:00
!!! note ""
2021-02-11 13:34:04 +00:00
The detailed documentation for security headers can be found in [unrolled/secure ](https://github.com/unrolled/secure#available-options ).
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `customRequestHeaders`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The `customRequestHeaders` option lists the header names and values to apply to the request.
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `customResponseHeaders`
2019-04-02 08:40:04 +00:00
2021-02-11 13:34:04 +00:00
The `customResponseHeaders` option lists the header names and values to apply to the response.
2019-04-02 08:40:04 +00:00
2019-04-03 12:32:04 +00:00
### `accessControlAllowCredentials`
2019-04-02 08:40:04 +00:00
The `accessControlAllowCredentials` indicates whether the request can include user credentials.
2019-04-03 12:32:04 +00:00
### `accessControlAllowHeaders`
2019-04-02 08:40:04 +00:00
The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
2019-04-03 12:32:04 +00:00
### `accessControlAllowMethods`
2019-04-02 08:40:04 +00:00
The `accessControlAllowMethods` indicates which methods can be used during requests.
2020-03-05 07:18:04 +00:00
### `accessControlAllowOriginList`
2019-04-02 08:40:04 +00:00
2020-03-05 07:18:04 +00:00
The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
2019-04-02 08:40:04 +00:00
2021-02-11 13:34:04 +00:00
A wildcard origin `*` can also be configured, and matches all requests.
If this value is set by a backend service, it will be overwritten by Traefik.
2020-03-05 07:18:04 +00:00
2020-10-29 09:52:03 +00:00
This value can contain a list of allowed origins.
2020-03-05 07:18:04 +00:00
2021-02-11 13:34:04 +00:00
More information including how to use the settings can be found at:
2020-03-05 07:18:04 +00:00
- [Mozilla.org ](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin )
2020-06-03 14:22:04 +00:00
- [w3 ](https://fetch.spec.whatwg.org/#http-access-control-allow-origin )
2020-03-05 07:18:04 +00:00
- [IETF ](https://tools.ietf.org/html/rfc6454#section-7.1 )
2021-02-11 13:34:04 +00:00
Traefik no longer supports the `null` value, as it is [no longer recommended as a return value ](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null ).
2019-04-02 08:40:04 +00:00
2020-10-29 09:52:03 +00:00
### `accessControlAllowOriginListRegex`
The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
2021-02-11 13:34:04 +00:00
It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList` .
2020-10-29 09:52:03 +00:00
!!! tip
2021-02-11 13:34:04 +00:00
2021-10-06 09:36:11 +00:00
Regular expressions and replacements can be tested using online tools such as [Go Playground ](https://play.golang.org/p/mWU9p-wk2ru ) or the [Regex101 ](https://regex101.com/r/58sIgx/2 ).
When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com` .
2020-10-29 09:52:03 +00:00
2019-04-03 12:32:04 +00:00
### `accessControlExposeHeaders`
2019-04-02 08:40:04 +00:00
The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
2019-04-03 12:32:04 +00:00
### `accessControlMaxAge`
2019-04-02 08:40:04 +00:00
2021-02-11 13:34:04 +00:00
The `accessControlMaxAge` indicates how many seconds a preflight request can be cached for.
2019-04-02 08:40:04 +00:00
2019-04-03 12:32:04 +00:00
### `addVaryHeader`
2019-04-02 08:40:04 +00:00
2021-02-11 13:34:04 +00:00
The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
2019-04-02 08:40:04 +00:00
2021-02-11 13:34:04 +00:00
### `allowedHosts`
2019-02-26 13:50:07 +00:00
The `allowedHosts` option lists fully qualified domain names that are allowed.
2021-02-11 13:34:04 +00:00
### `hostsProxyHeaders`
2019-02-26 13:50:07 +00:00
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
2021-02-11 13:34:04 +00:00
### `sslProxyHeaders`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"` ).
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
### `stsSeconds`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
If set to `0` , the header is not set.
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
### `stsIncludeSubdomains`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
If the `stsIncludeSubdomains` is set to `true` , the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
### `stsPreload`
Set `stsPreload` to `true` to have the `preload` flag appended to the `Strict-Transport-Security` header.
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `forceSTSHeader`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
Set `forceSTSHeader` to `true` to add the STS header even when the connection is HTTP.
### `frameDeny`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY` .
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
### `customFrameOptionsValue`
2019-02-26 13:50:07 +00:00
2019-07-01 09:30:05 +00:00
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
2021-02-11 13:34:04 +00:00
This overrides the `FrameDeny` option.
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `contentTypeNosniff`
2019-02-26 13:50:07 +00:00
Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff` .
2019-04-03 12:32:04 +00:00
### `browserXssFilter`
2019-02-26 13:50:07 +00:00
2019-07-01 09:30:05 +00:00
Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block` .
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `customBrowserXSSValue`
2019-02-26 13:50:07 +00:00
2019-07-01 09:30:05 +00:00
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
2021-02-11 13:34:04 +00:00
This overrides the `BrowserXssFilter` option.
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `contentSecurityPolicy`
2019-02-26 13:50:07 +00:00
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
2019-04-03 12:32:04 +00:00
### `publicKey`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
2019-02-26 13:50:07 +00:00
2019-04-03 12:32:04 +00:00
### `referrerPolicy`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
2019-02-26 13:50:07 +00:00
2021-06-21 13:16:13 +00:00
### `permissionsPolicy`
The `permissionsPolicy` allows sites to control browser features.
2019-04-03 12:32:04 +00:00
### `isDevelopment`
2019-02-26 13:50:07 +00:00
2021-02-11 13:34:04 +00:00
Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts` , SSL, and STS options.
Usually testing takes place using HTTP, not HTTPS, and on `localhost` , not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false` .
2022-09-09 15:17:53 +00:00
{!traefik-for-business-applications.md!}