chexxor closed 7 years ago
Those are both response headers. As long as your application sets them, they will be included in the response from the router.
Thanks @krancour! I didn't even think to check header type - I saw it's an nginx setting, so I presumed it's only capable by nginx. :)
Are the following headers outside the domain of deis-router?
For stronger security, the "X-Frame-Options: SAMEORIGIN | DENY | ALLOW-FROM uri;" header can be used to prevent clickjacking.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header
The "X-Content-Type-Options: nosniff;" header seems to be recommended for security, also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
I got these ideas by reading this, which seems reliable: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
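Setting the two headers at the application layer, as the reply above describes, shown as an added example that is not part of the thread or of Deis. It assumes a Python WSGI application; `SecurityHeaders`, `response_headers`, `plain_app` and `strict_app` are hypothetical names, and the sample apps are constructed.

```python
from wsgiref.util import setup_testing_defaults

# The two response headers discussed in this thread, with conservative values.
DEFAULTS = (
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
)


class SecurityHeaders:
    """WSGI middleware: add each default header the app did not set itself."""

    def __init__(self, app, defaults=DEFAULTS):
        self.app = app
        self.defaults = defaults

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Header names are case-insensitive. Never duplicate or override
            # a value the application chose deliberately (for example DENY).
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in self.defaults if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, patched_start)


def response_headers(app, path="/"):
    """Call a WSGI app in-process; return {lower-cased name: [values]}."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        for name, value in headers:
            seen.setdefault(name.lower(), []).append(value)
        return lambda data: None

    for _ in app(environ, start_response):
        pass
    return seen


# Constructed sample apps: one sets no security headers, one already sends DENY.
def plain_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>hello</h1>"]


def strict_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html"), ("x-frame-options", "DENY")])
    return [b"<h1>hello</h1>"]
```

Keeping values as lists in `response_headers` makes a duplicated header visible, which matters if a proxy in front of the app is later configured to add the same header.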