Skip to main content

Set Response Headers


Set Response Headers specifies a mapping of HTTP Headers to be added globally to all managed routes and Pomerium's Authenticate Service.

How to configure

Config file keysEnvironment variablesTypeDefault
set_response_headersSET_RESPONSE_HEADERSstringsee Default headers



"set_response_headers": {
"X-Test": "X-Value"


X-Test: X-Value

Default headers

X-Content-Type-Options : nosniff,
X-XSS-Protection:1; mode=block,
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload,

By default, conservative secure HTTP headers are set:

  • max-age=31536000 instructs the browser to pin the certificate for a domain for a year. This helps prevent man-in-the-middle attacks, but can create issues when developing new environments with temporary certificates. See Troubleshooting - HSTS for more information.
  • includeSubDomains applies these rules to subdomains, which is how individual routes are defined.
  • preload instructs the browser to preload the certificate from an HSTS preload service if available. This means that the certificate can be loaded from an already-trusted secure connection, and the user never needs to connect to your domain without TLS.

pomerium security headers

See MDN Web Docs - Strict-Transport-Security for more information.


Several security-related headers are not set by default since doing so might break legacy sites. These include: Cross-Origin Resource Policy, Cross-Origin Opener Policy, and Cross-Origin Embedder Policy. If possible, users are encouraged to add these to set_response_headers or their downstream applications.

Disable response headers

To disable set_response_headers:

disable: true