

In Pode v2.6.0 support was added for HTTP security headers to be automatically added to requests, such as: Access Control, Cross-Origin, Content Security Policy, and more.

Pode.Web uses this feature to automatically set some default headers on requests, to make your site more secure.


To set which security type to use, you can optionally specify a type via the -Security parameter on Use-PodeWebTemplates. The valid values are: None, Default, Simple, and Strict.

Use-PodeWebTemplates -Title 'Test' -Theme Dark -Security Simple

In the case of the Default, Simple and Strict types, Pode.Web uses the inbuilt security types within Pode (Simple for the Default type) and adds some extra essential Content Security Policy rules that Pode.Web needs in order to function:

* script-src: self, unsafe-inline
* style-src: self, unsafe-inline
* image-src: self, data

The unsafe-inline values for scripts and styles are required because Pode.Web templates currently contain inline JavaScript and CSS. This could change in the future, at which point the values would be removed.


None

This type is self-explanatory: if specified, Pode.Web calls Remove-PodeSecurity to remove all security headers.


Default

This type is the default that Pode.Web uses when no -Security is supplied. Under the hood this type uses the Simple security type within Pode, plus some extras:

* The default-src, script-src, style-src, and media-src for Content Security Policy are extended with http and https, to allow content to be retrieved externally
* The Cross-Origin headers are removed
* The essentials above


Simple

This is just the Simple security type within Pode, plus the essentials mentioned above.


Strict

This is just the Strict security type within Pode, plus the essentials mentioned above.

Content Not Loading

If you're using the Simple or Strict types and you find that media isn't loading, then you likely need to add extra Content Security Policy rules. In the Default type, http/https is added to prevent this from occurring, so adding the same rules yourself should work too:

Add-PodeSecurityContentSecurityPolicy `
    -Default 'http', 'https' `
    -Style 'http', 'https' `
    -Scripts 'http', 'https' `
    -Image 'http', 'https'

However, if you want to control it more granularly, then you'll need to specify the URLs for media appropriately. For example, if you were loading audio from then you'd need to add:

Add-PodeSecurityContentSecurityPolicy -Media ''

The same applies to styles and scripts.
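As an added example (not taken from the Pode.Web docs or source), the following server uses the Strict type and, instead of opening media-src up to all of http/https, allows media from a single explicit origin. The origin 'https://media.example.com', the port, and the page contents are constructed placeholders for illustration.

```powershell
# Added example, not part of the Pode.Web documentation.
# 'https://media.example.com' is a constructed placeholder: replace it with the
# origin your media is actually served from.
Import-Module Pode
Import-Module Pode.Web

Start-PodeServer {
    Add-PodeEndpoint -Address localhost -Port 8090 -Protocol Http

    # Strict: Pode's Strict security headers plus Pode.Web's essential CSP rules.
    # Unlike Default, no http/https fallback is added, so every external origin
    # that serves content must be listed explicitly.
    Use-PodeWebTemplates -Title 'Media Site' -Theme Dark -Security Strict -UseHSTS

    # Extend only the media-src directive with the one origin we trust, leaving
    # script-src, style-src and the image directive at their Strict defaults.
    Add-PodeSecurityContentSecurityPolicy -Media 'https://media.example.com'

    Add-PodeWebPage -Name 'Home' -Icon 'Home' -ScriptBlock {
        New-PodeWebText -Value 'Audio on this page may only be loaded from media.example.com.'
    }
}

# Check the resulting header from a second shell while the server is running:
#   (Invoke-WebRequest 'http://localhost:8090/pages/Home' -UseBasicParsing).Headers['Content-Security-Policy']
# media-src should list https://media.example.com and no bare http:/https: sources.
```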



HSTS

If you need to enable HSTS for your site, you can do so via the -UseHSTS switch on Use-PodeWebTemplates.


Using on a Pode.Web site hosted publicly, with -Security set to Default, an A rating is achieved: