
Security & CORS Headers

The Headers middleware allows adding and removing headers to/from the requests and responses.

The security and CORS headers let you add some security features to your services purely by setting headers.

Security Headers

Security-related headers (HSTS headers, Browser XSS filter, and such) make it possible to use security features by adding headers.

In the example below, the Headers middleware makes Traefik Hub API Gateway automatically add the following security headers to the response:

  • Header X-Frame-Options with the value DENY
  • Header X-XSS-Protection with the value 1; mode=block

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-header
  namespace: apps
spec:
  headers:
    frameDeny: true # Adds the header X-Frame-Options with the value DENY
    browserXssFilter: true # Adds the header X-XSS-Protection with the value `1; mode=block`
```

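The two headers in the Middleware above are only useful if they actually reach the client, so a practitioner will want a check that can run against a captured response. The following is an added example written for this page, not Traefik's own code: it parses the header block of a raw HTTP/1.1 response and reports any expected security header that is missing or has a different value. The sample responses are constructed here for illustration.

```python
"""Added example: audit a raw HTTP response for the security headers the
security-header Middleware above is expected to add. Illustrative code
written for this page, not part of Traefik."""

# Expected header values, taken from the security-header Middleware above.
EXPECTED_SECURITY_HEADERS = {
    "x-frame-options": "DENY",            # frameDeny: true
    "x-xss-protection": "1; mode=block",  # browserXssFilter: true
}


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict.
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict) -> dict:
    """Return a mapping header -> problem for every expected header that is
    missing or carries an unexpected value. An empty dict means all are present."""
    findings = {}
    for name, expected in EXPECTED_SECURITY_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings[name] = "missing"
        elif actual != expected:
            findings[name] = f"unexpected value {actual!r} (want {expected!r})"
    return findings


# Constructed sample responses: one as served through the middleware,
# one as served by the backend directly (no middleware in the chain).
RESPONSE_WITH_MIDDLEWARE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_WITHOUT_MIDDLEWARE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("with middleware", RESPONSE_WITH_MIDDLEWARE),
                       ("without middleware", RESPONSE_WITHOUT_MIDDLEWARE)):
        print(label, audit_security_headers(parse_response_headers(raw)))
```

Header names are compared case-insensitively on purpose: a gateway or backend may emit `x-frame-options` in any casing, and a check that only matches the exact spelling in the configuration would report false positives.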
Advanced Configuration

The options to set an advanced configuration are described in the reference page.

CORS Headers

If CORS headers are set, the middleware does not pass preflight requests to any service. Instead, the response is generated and sent back to the client directly.

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cors-header
  namespace: apps
spec:
  headers:
    # Set the allowed methods during requests
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
    # Set the allowed headers in the requests
    accessControlAllowHeaders:
      - "*"
    # Set the allowed origin list
    accessControlAllowOriginList:
      - "https://foo.bar.org"
      - "https://example.org"
    # Set the number of seconds a preflight request can be cached for
    accessControlMaxAge: 100
    # Set to true, determines whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header
    addVaryHeader: true
```

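To make the preflight behaviour concrete, here is an added example that models, in Python, how a gateway answers a preflight from the cors-header configuration above. It is illustrative code written for this page, not Traefik's implementation: the 200 status code, the decision to echo the browser's requested headers when `accessControlAllowHeaders` is `"*"`, and the lower-cased request header names are assumptions of this model. The request samples are constructed.

```python
"""Added example: simplified model of CORS preflight handling for the
cors-header Middleware above. Not Traefik's code; status code and the
"*" handling are assumptions of this model."""

# Configuration values copied from the cors-header Middleware above.
CORS_CONFIG = {
    "accessControlAllowMethods": ["GET", "OPTIONS", "PUT"],
    "accessControlAllowHeaders": ["*"],
    "accessControlAllowOriginList": ["https://foo.bar.org", "https://example.org"],
    "accessControlMaxAge": 100,
    "addVaryHeader": True,
}


def is_preflight(method: str, headers: dict) -> bool:
    """A preflight is an OPTIONS request carrying Access-Control-Request-Method."""
    return method.upper() == "OPTIONS" and "access-control-request-method" in headers


def handle_preflight(method: str, headers: dict, config: dict = CORS_CONFIG):
    """Return (status, response_headers) for a preflight answered at the gateway,
    or None when the request is not a preflight and should be forwarded to the service."""
    if not is_preflight(method, headers):
        return None
    origin = headers.get("origin", "")
    response = {}
    if config.get("addVaryHeader"):
        # Tell caches that this answer depends on Origin, so a response
        # produced for one origin is never served to another.
        response["Vary"] = "Origin"
    if origin not in config["accessControlAllowOriginList"]:
        # Origin not on the allowlist: answer without any Access-Control-Allow-*
        # headers, so the browser refuses the cross-origin call.
        return 200, response
    requested_method = headers["access-control-request-method"].upper()
    if requested_method not in config["accessControlAllowMethods"]:
        return 200, response
    response["Access-Control-Allow-Origin"] = origin
    response["Access-Control-Allow-Methods"] = ", ".join(config["accessControlAllowMethods"])
    allowed_headers = config["accessControlAllowHeaders"]
    if "*" in allowed_headers:
        # Model assumption: with "*", echo the headers the browser asked for.
        requested = headers.get("access-control-request-headers")
        if requested:
            response["Access-Control-Allow-Headers"] = requested
    else:
        response["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
    response["Access-Control-Max-Age"] = str(config["accessControlMaxAge"])
    return 200, response


# Constructed preflight requests; header names are lower-cased as a parser would normalise them.
PREFLIGHT_ALLOWED = {
    "origin": "https://example.org",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "content-type",
}
PREFLIGHT_OTHER_ORIGIN = {
    "origin": "https://other.example",
    "access-control-request-method": "PUT",
}
PREFLIGHT_DISALLOWED_METHOD = {
    "origin": "https://example.org",
    "access-control-request-method": "DELETE",
}

if __name__ == "__main__":
    for name, req in (("allowed", PREFLIGHT_ALLOWED),
                      ("other origin", PREFLIGHT_OTHER_ORIGIN),
                      ("disallowed method", PREFLIGHT_DISALLOWED_METHOD)):
        print(name, handle_preflight("OPTIONS", req))
    print("plain GET", handle_preflight("GET", {"origin": "https://example.org"}))
```

The model makes two points that matter when reviewing a CORS configuration: the origin check is an exact match against `accessControlAllowOriginList`, so an origin that is not listed gets no `Access-Control-Allow-Origin` at all rather than an error, and `addVaryHeader: true` is what keeps a shared cache from replaying one origin's preflight answer to a different origin.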
Note: The example above is by no means authoritative or exhaustive. It should not be used as-is for production.

Advanced Configuration

The options to set an advanced configuration are described in the reference page.