Headers Middleware

Managing Request/Response Headers

The Headers middleware manages the headers of requests and responses. A set of forwarded headers is automatically added by default.

Configuration Examples

Adding Headers to Request and Response

labels:
  - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
  - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"

Security Headers

labels:
  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
  - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
  - "traefik.http.middlewares.testHeader.headers.stsSeconds=31536000"

CORS Headers

labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"

Configuration Options

Custom headers will overwrite existing headers if they have identical names.

Custom Headers

customRequestHeaders
object
Header names and values to apply to the request.
customResponseHeaders
object
Header names and values to apply to the response.

CORS Headers

accessControlAllowCredentials
boolean
Indicates whether the request can include user credentials.
accessControlAllowHeaders
array
Header field names that can be used as part of the request.
accessControlAllowMethods
array
Methods that can be used during requests.
accessControlAllowOriginList
array
List of allowed origins. A wildcard origin * can also be configured.
accessControlAllowOriginListRegex
array
Regular expressions for allowed origins.
accessControlExposeHeaders
array
Response headers that are safe to expose to client-side code making CORS requests.
accessControlMaxAge
integer
How many seconds a preflight request can be cached.
addVaryHeader
boolean
Add or modify the Vary header to indicate that server responses can differ based on the Origin header.

Security Headers

stsSeconds
integer
default: 0
Max-age of the Strict-Transport-Security header. If set to 0, the header is not set.
stsIncludeSubdomains
boolean
Add includeSubDomains directive to Strict-Transport-Security header.
stsPreload
boolean
Add preload flag to Strict-Transport-Security header.
forceSTSHeader
boolean
Add STS header even when the connection is HTTP.
frameDeny
boolean
Add X-Frame-Options header with the value of DENY.
customFrameOptionsValue
string
Set custom value for X-Frame-Options header (overrides frameDeny).
contentTypeNosniff
boolean
Add X-Content-Type-Options header with the value nosniff.
browserXssFilter
boolean
Add X-XSS-Protection header with the value 1; mode=block.
contentSecurityPolicy
string
Set Content-Security-Policy header value.
referrerPolicy
string
Control whether browsers forward the Referer header to other sites.
permissionsPolicy
string
Control browser features.
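
The CORS and Security Headers options above can be checked before deployment. The following is an added example, not part of the Traefik documentation or code base: a small audit that reads Headers middleware labels and reports settings worth reviewing. The function names, the choice of checks, the sample labels, and the case-insensitive matching of names and options are assumptions of this example.

```python
import re

# traefik.http.middlewares.<name>.headers.<option>=<value>, found anywhere in the
# line so that raw compose lines (  - "traefik...=true") can be passed in as-is.
LABEL_RE = re.compile(
    r"traefik\.http\.middlewares\.([^.]+)\.headers\.([^=]+)=(.*)", re.IGNORECASE)

def parse_labels(lines):
    """Group Headers options by middleware; names and options are lowercased."""
    middlewares = {}
    for line in lines:
        m = LABEL_RE.search(line)
        if m:
            name, option, value = m.groups()
            value = value.strip().rstrip('"')
            middlewares.setdefault(name.lower(), {})[option.lower()] = value
    return middlewares

def is_true(opts, key):
    return opts.get(key, "false").lower() == "true"

def audit(lines):
    """Return sorted (middleware, finding) pairs for settings worth reviewing."""
    findings = []
    for name, opts in parse_labels(lines).items():
        origins = [o.strip() for o in opts.get("accesscontrolalloworiginlist", "").split(",")]
        # Browsers refuse credentialed responses whose allowed origin is "*".
        if "*" in origins and is_true(opts, "accesscontrolallowcredentials"):
            findings.append((name, "wildcard origin combined with credentials"))
        # Per the option table, stsSeconds=0 (the default) means no HSTS header.
        if int(opts.get("stsseconds", "0")) == 0:
            findings.append((name, "stsSeconds is 0: no Strict-Transport-Security"))
        if not is_true(opts, "framedeny") and "customframeoptionsvalue" not in opts:
            findings.append((name, "no X-Frame-Options"))
        if not is_true(opts, "contenttypenosniff"):
            findings.append((name, "no X-Content-Type-Options"))
    return sorted(findings)

# Constructed sample labels (not from the page): one loose, one tightened.
SAMPLE = [
    "traefik.http.middlewares.api-cors.headers.accesscontrolalloworiginlist=*",
    "traefik.http.middlewares.api-cors.headers.accesscontrolallowcredentials=true",
    "traefik.http.middlewares.secure.headers.accesscontrolalloworiginlist=https://example.org",
    "traefik.http.middlewares.secure.headers.stsSeconds=31536000",
    "traefik.http.middlewares.secure.headers.frameDeny=true",
    "traefik.http.middlewares.secure.headers.contentTypeNosniff=true",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A finding is a prompt for review rather than a verdict: a middleware that only handles CORS may rely on a second middleware in the chain for the security headers.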