Skip to content

Security Headers

SWS provides several security headers support.

When the HTTP/2 feature is activated security headers are enabled automatically.

This feature is disabled by default on HTTP/1 and can be controlled by the boolean --security-headers option or the equivalent SERVER_SECURITY_HEADERS env.

Customize HTTP headers

If you want to customize HTTP headers on demand then have a look at the Custom HTTP Headers section.

Headers included

The following headers are included by default.

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload" (2 years max-age)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Content-Security-Policy: frame-ancestors