Security Headers
The security headers middleware runs at the beginning of every request, and if any security headers are defined they will be added onto the response.
The following headers are currently supported, but you can add custom header values via Add-PodeSecurityHeader for any missing:
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Access-Control-Allow-Headers
- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy
- Cross-Origin-Opener-Policy
- Strict-Transport-Security
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- X-XSS-Protection
- Permissions-Policy
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
You can also set the "Server" header to be hidden on responses if required.
Types
Pode has an inbuilt wrapper to easily toggle all headers with default values: Set-PodeSecurity. This function lets you specify a -Type of either Simple or Strict. The specified value will set up the headers with the default values defined below. You can also force X-XSS-Protection to use blocking mode if you want to support older browsers, or enable Strict-Transport-Security via -UseHsts.
For example, to configure Simple security with Strict Transport:
Set-PodeSecurity -Type Simple -UseHsts
To remove all configured values, use Remove-PodeSecurity.
Simple
The following values are used for each header when the Simple type is supplied:
| Name | Value |
|---|---|
| Access-Control-Max-Age | 7200 |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Methods | * |
| Access-Control-Allow-Headers | * |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Opener-Policy | same-origin |
| Content-Security-Policy | default-src 'self' |
| X-XSS-Protection | 0 |
| Permissions-Policy | accelerometer=(), autoplay=(self), camera=(), display-capture=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(), payment=(), picture-in-picture=(self), sync-xhr=(), usb=() |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | strict-origin |
The Server header is also hidden.
Strict
The following values are used for each header when the Strict type is supplied:
| Name | Value |
|---|---|
| Access-Control-Max-Age | 7200 |
| Access-Control-Allow-Methods | * |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Headers | * |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Opener-Policy | same-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Content-Security-Policy | default-src 'self' |
| X-XSS-Protection | 0 |
| Permissions-Policy | accelerometer=(), autoplay=(self), camera=(), display-capture=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(), payment=(), picture-in-picture=(self), sync-xhr=(), usb=() |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | no-referrer |
The Server header is also hidden.
Headers
You can set up the values of headers individually by using their relevant functions.
You can also use Set-PodeSecurity to configure all the defaults, and then set/add custom values for a single header. For example, you can configure Simple values, and then add *.twitter.com to the default-src of the Content-Security-Policy header using Add-PodeSecurityContentSecurityPolicy:
Set-PodeSecurity -Type Simple
Add-PodeSecurityContentSecurityPolicy -Default '*.twitter.com'
This will make the 'default-src' value: 'self' *.twitter.com.
Conversely, you could remove the header completely using Remove-PodeSecurityContentSecurityPolicy, or override the whole value using Set-PodeSecurityContentSecurityPolicy.
Access Control
The following functions exist:
- Set-PodeSecurityAccessControl
Specifies the values for the following headers:
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Origin
- Access-Control-Allow-Headers
For example:
Set-PodeSecurityAccessControl -Origin '*' -Methods '*' -Headers '*' -Duration 7200
Cross Origin
The following functions exist:
- Set-PodeSecurityCrossOrigin
Specifies the values for the following headers:
- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy
- Cross-Origin-Opener-Policy
For example:
Set-PodeSecurityCrossOrigin -Embed Require-Corp -Open Same-Origin -Resource Same-Origin
Strict Transport
The following functions exist:
- Set-PodeSecurityStrictTransportSecurity
The Strict-Transport-Security header enforces the use of HTTPS from the browser. For example:
Set-PodeSecurityStrictTransportSecurity -Duration 31536000 -IncludeSubDomains
Content Security
The following functions exist:
- Add-PodeSecurityContentSecurityPolicy
- Set-PodeSecurityContentSecurityPolicy
- Remove-PodeSecurityContentSecurityPolicy
The Content-Security-Policy header controls a whitelist of approved sources from which the browser can load resources. For example:
Set-PodeSecurityContentSecurityPolicy -Default 'self' -Image 'self', 'data'
By supplying the -ReportOnly switch, the Content-Security-Policy-Report-Only header will be used instead.
Permissions Policy
The following functions exist:
- Set-PodeSecurityPermissionsPolicy
The Permissions-Policy header controls which features/APIs a site can use in the browser. For example:
Set-PodeSecurityPermissionsPolicy -SyncXhr 'none' -Camera 'none' -Geolocation 'self'
Frame Options
The following functions exist:
- Set-PodeSecurityFrameOptions
The X-Frame-Options header tells the browser whether your site supports framing or not. For example:
Set-PodeSecurityFrameOptions -Type SameOrigin
ContentType Options
The following functions exist:
- Set-PodeSecurityContentTypeOptions
The X-Content-Type-Options header only has one value: nosniff. To enable it, you just need to call the Set function, for example:
Set-PodeSecurityContentTypeOptions
Referrer Policy
The following functions exist:
- Set-PodeSecurityReferrerPolicy
The Referrer-Policy header tells the browser how much information to include in the Referer header. For example:
Set-PodeSecurityReferrerPolicy -Type Strict-Origin
Server
You can hide or show the Server header on responses using the following functions (by default the Server header is visible):
Custom
There could be some headers for security that Pode doesn't support, but that you need. In this case you can use Add-PodeSecurityHeader to specify a custom header and value that will be added:
Add-PodeSecurityHeader -Name 'X-Security-Header' -Value 'Value'
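The following is an added example, not code from the Pode documentation. It does two things: Test-PodeSecurityHeaders (a hypothetical helper name, not a Pode function) audits a set of response headers against the Strict values from the table above and flags an exposed Server header or a wildcard Access-Control-Allow-Origin, and the server at the end uses Add-PodeSecurityHeader for two headers Pode has no dedicated function for. The audit first runs on a constructed sample of weak headers so it can be exercised without a server; against a live server, pass (Invoke-WebRequest ...).Headers instead. Port and header choices are placeholders.

```powershell
# Added example (not from the Pode docs). Test-PodeSecurityHeaders is a hypothetical helper name.

function Test-PodeSecurityHeaders {
    # Returns a list of findings (empty when the headers match the Strict expectations).
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Headers)

    # Case-insensitive lookup so both hashtables and Invoke-WebRequest header dictionaries work
    $lookup = @{}
    foreach ($k in $Headers.Keys) { $lookup[$k.ToLowerInvariant()] = [string]$Headers[$k] }

    # Expected values: the Strict defaults from the table above, plus the custom headers added below
    $expected = @{
        'strict-transport-security' = 'max-age=31536000; includeSubDomains'
        'content-security-policy'   = "default-src 'self'"
        'x-content-type-options'    = 'nosniff'
        'x-frame-options'           = 'DENY'
        'referrer-policy'           = 'no-referrer'
        'cache-control'             = 'no-store'
    }

    $findings = @()
    foreach ($name in $expected.Keys) {
        if (-not $lookup.ContainsKey($name)) {
            $findings += "missing: $name"
        }
        elseif ($lookup[$name] -ne $expected[$name]) {
            $findings += "unexpected value for ${name}: $($lookup[$name])"
        }
    }
    if ($lookup.ContainsKey('server')) {
        $findings += "Server header exposed: $($lookup['server'])"
    }
    if ($lookup['access-control-allow-origin'] -eq '*') {
        $findings += 'Access-Control-Allow-Origin is the wildcard *'
    }
    return $findings
}

# Constructed sample: what a server with no security middleware might send back
$sampleHeaders = @{
    'Server'                      = 'Kestrel'
    'Content-Type'                = 'application/json'
    'Access-Control-Allow-Origin' = '*'
    'X-Frame-Options'             = 'SAMEORIGIN'
}
Test-PodeSecurityHeaders -Headers $sampleHeaders | ForEach-Object { Write-Host "finding: $_" }

# Server side: Strict defaults plus two headers Pode does not cover with a dedicated function
Start-PodeServer {
    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http
    Set-PodeSecurity -Type Strict -UseHsts

    # Keep API responses out of shared and browser caches
    Add-PodeSecurityHeader -Name 'Cache-Control' -Value 'no-store'
    # Tell Flash/PDF clients not to look for cross-domain policy files
    Add-PodeSecurityHeader -Name 'X-Permitted-Cross-Domain-Policies' -Value 'none'

    Add-PodeRoute -Method Get -Path '/api/status' -ScriptBlock {
        Write-PodeJsonResponse -Value @{ status = 'ok' }
    }
}
```

On the constructed sample the audit reports the five missing headers (HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Cache-Control), the SAMEORIGIN frame option where Strict expects DENY, the exposed Server header and the wildcard origin; once the Pode server above is running, the same function over its live headers should return nothing except the wildcard-origin finding, which the Strict defaults leave in place unless Set-PodeSecurityAccessControl is used to narrow it.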