FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Support general configuration to write HTTP response headers from FusionAuth #1510

Open robotdan opened 2 years ago

robotdan commented 2 years ago

Description

There are some security-related headers that we may want to write, and these types of headers change and may be specific per client.

We could optionally expose a key-value pair configuration to allow HTTP headers to be written to the HTTP response by FusionAuth.

This config would exist on the System Configuration and be applied to all HTTP responses regardless of tenant.

voidmain commented 7 months ago

This would be nice for HSTS as well.

davekuyper commented 7 months ago

+1 for HSTS. A customer of ours had concerns around the lack of HSTS on our hosted login page.

mooreds commented 3 months ago

@davekuyper please don't forget to upvote the issue, as that helps bubble it up for implementation.

mooreds commented 3 months ago

Might be nice to have this configurable on a tenant-by-tenant basis as well. If you are a true SaaS private-labeling FusionAuth, different tenants might have different requirements.