Headers
General
HTTP response headers play a major role in security: they instruct the browser to enforce restrictions that reduce the attack surface of a web application (clickjacking, MIME sniffing, referrer leakage, use of plaintext HTTP, and so on).
These headers are used in most modern web applications as they provide a basic level of protection against the most common vulnerabilities. They complement, but do not replace, input validation and output encoding in the application itself.
Passwork Docker Build
Common security headers are included via the include directive in the main Nginx configuration file and are defined in the extra/security-headers.conf file. The Strict-Transport-Security header is set directly in the main configuration file and thus applies to the entire site.
| Header | Value |
|---|---|
| X-Frame-Options | "DENY" |
| X-Content-Type-Options | "nosniff" |
| X-XSS-Protection | "1; mode=block" |
| Referrer-Policy | "strict-origin-when-cross-origin" |
| Permissions-Policy | "camera=(), microphone=(), geolocation=()" |
| Strict-Transport-Security | "max-age=31536000; includeSubDomains" |
Apache2/HTTPD
Common headers are contained in public/.htaccess. They are applied automatically provided that .htaccess file processing has not been disabled in the Apache configuration (the AllowOverride setting for the document root must permit it and mod_headers must be loaded). The Strict-Transport-Security header is specified in the configuration examples in the installation instructions.
| Header | Value |
|---|---|
| X-Frame-Options | "DENY" |
| X-Content-Type-Options | "nosniff" |
| X-XSS-Protection | "1; mode=block" |
| Referrer-Policy | "strict-origin-when-cross-origin" |
| Permissions-Policy | "camera=(), microphone=(), geolocation=()" |
| Strict-Transport-Security | "max-age=31536000; includeSubDomains" |
X-Frame-Options — Defines whether the page may be loaded in a frame, iframe, embed, or object; DENY blocks framing from any origin, including the site itself, which prevents clickjacking.
X-Content-Type-Options — Prevents browsers from guessing (sniffing) the content type, so a response cannot be executed as script or style when its declared Content-Type says otherwise.
X-XSS-Protection — Enables (or disables) the built-in XSS filter of older browsers. Deprecated: current browsers ignore it, so the value is kept only for compatibility and provides no protection on its own.
Referrer-Policy — Defines what information the browser sends in the Referer header. With strict-origin-when-cross-origin only the origin is sent to other sites, and nothing at all when going from HTTPS to HTTP, so paths and query strings are not leaked to third parties.
Permissions-Policy — Restricts the use of browser features, for example access to the camera, microphone, geolocation, and other APIs. An empty allowlist such as camera=() disables the feature for every origin, including the page itself.
Strict-Transport-Security — Informs the browser that the site must be loaded only via HTTPS for max-age seconds (31536000 is one year), preventing protocol-downgrade and related MITM attacks. includeSubDomains extends the policy to every subdomain, so all subdomains must be served over HTTPS before the header is enabled. The browser only records the policy when it receives the header over a valid HTTPS connection.
Cross-Origin Resource Sharing
CORS headers regulate which other origins may read responses from the site's resources through the browser.
In most cases, changing or adding CORS headers is not required. They are needed only when the frontend and backend are hosted on different origins, that is, when their URLs differ in scheme, host, or port.
Passwork Docker Build
CORS headers are included via the include directive in the main Nginx configuration file and are defined in the extra/cors.conf file.
| Header | Value |
|---|---|
| Access-Control-Allow-Origin | "*" |
| Access-Control-Allow-Methods | "GET,HEAD,OPTIONS,POST,PUT,PATCH,DELETE" |
| Access-Control-Allow-Headers | "Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Headers,Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Browser-Mode, X-Master-Key-Hash, X-CSRF-Token" |
| Access-Control-Max-Age | "1728000" |
| Vary | "Origin" |
Apache2/HTTPD
CORS headers are not set by default. If necessary, they can be explicitly set in the Apache2 virtual host configuration, inside a <Directory> block or globally for the entire virtual host.
| Header | Value |
|---|---|
| Access-Control-Allow-Origin | "*" |
| Access-Control-Allow-Methods | "GET,HEAD,OPTIONS,POST,PUT,PATCH,DELETE" |
| Access-Control-Allow-Headers | "Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Headers,Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Browser-Mode, X-Master-Key-Hash, X-CSRF-Token" |
| Access-Control-Max-Age | "1728000" |
| Vary | "Origin" |
Access-Control-Allow-Origin — Specifies which origins are allowed to read responses from the resource. Supports the following values:
- * — Requests from any origin are allowed. Browsers never send credentials (cookies, HTTP authentication) to a wildcard origin, and the wildcard must not be combined with Access-Control-Allow-Credentials: true, otherwise the browser rejects the response.
- https://example.com — Exact value, scheme + domain (plus the port when it is not the default for the scheme).
Specifying multiple domains separated by commas is not supported by the CORS standard: the browser treats a header with several values as invalid and blocks the request. Allowing several domains, and other dynamic scenarios, is implemented at the web server level by reflecting the request's Origin header only when it matches an allowlist:
Docker Build
Replace the following line in the configuration file ./conf/nginx/extra/cors.conf with the lines below, specifying your own domains or another pattern (keep the pattern anchored with ^ and $ so that origins such as https://example.com.attacker.test do not match):
add_header Access-Control-Allow-Origin "*" always;
- Part of cors.conf configuration file
# ~* is a case-insensitive regex match against the request's Origin header.
if ($http_origin ~* ^https?://(example\.com|another\.com)$) {
    # Reflect the matched origin; "always" adds the header to error responses too.
    add_header Access-Control-Allow-Origin "$http_origin" always;
    add_header Access-Control-Allow-Credentials "true" always;
}
Note that nginx inherits add_header directives from the enclosing level only when the current level defines none of its own. The add_header lines inside this if block therefore replace, for matching requests, any add_header defined at the enclosing level (the remaining CORS headers, and the security headers from extra/security-headers.conf if they live at the same level). Either repeat those headers inside the block, or compute the allowed origin with a map variable and keep a single add_header at the original level.
Apache2/HTTPD
Add the following block to the virtual host configuration file. SetEnvIf is provided by mod_setenvif, so both mod_setenvif and mod_headers must be enabled; the IfModule guard below only covers mod_headers.
- Part of Apache2 virtual host configuration file
<IfModule mod_headers.c>
    # Anchored at both ends so that only the listed origins match; $0 is the
    # whole matched Origin value and is reflected back in the response below.
    SetEnvIf Origin "^http(s)?://(example\.com|another\.com)$" ORIGIN_ALLOWED=$0
    # "always" adds the headers to error and redirect responses as well;
    # env=ORIGIN_ALLOWED restricts them to requests from an allowed origin.
    Header always set Access-Control-Allow-Origin "%{ORIGIN_ALLOWED}e" env=ORIGIN_ALLOWED
    Header always set Access-Control-Allow-Credentials "true" env=ORIGIN_ALLOWED
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" env=ORIGIN_ALLOWED
    Header always set Access-Control-Allow-Headers "Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Headers,Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Browser-Mode, X-Master-Key-Hash, X-CSRF-Token" env=ORIGIN_ALLOWED
    Header always set Access-Control-Max-Age "1728000" env=ORIGIN_ALLOWED
    Header always set Vary "Origin" env=ORIGIN_ALLOWED
</IfModule>
Access-Control-Allow-Methods — Defines which HTTP methods are allowed for cross-origin requests; the browser checks it in the response to the preflight request.
Access-Control-Allow-Headers — Specifies which request headers the browser may send in cross-origin requests. Every non-standard header the client sends (here X-Browser-Mode, X-Master-Key-Hash and X-CSRF-Token) must be listed, otherwise the preflight fails and the request is blocked.
Access-Control-Max-Age — Time (in seconds) for which the browser may cache the result of a preflight request instead of repeating it before every request. 1728000 is 20 days; browsers cap the value (Chromium at 2 hours, Firefox at 24 hours), so larger values are silently reduced.
Vary — In the context of CORS, tells CDNs and proxies that the response depends on the request's Origin header, so responses for different origins are cached separately and an Access-Control-Allow-Origin value computed for one origin is never served from cache to another.
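A practical way to verify both the security headers from the tables above and the CORS allowlist behaviour is to capture the response headers of the running instance with curl and audit them. The script below is an added example and is not part of Passwork or its configuration; the hostnames and origins in it are placeholders, and the sample response at the end is constructed, not captured from a real server. It checks the exact values this page expects, enforces a one-year HSTS max-age with includeSubDomains, flags the invalid combination of a wildcard origin with credentials, and, when given the Origin that was sent in the probe, reports whether the server reflected an origin that is not on the allowlist.

```shell
#!/bin/sh
# Added example, not part of the Passwork configuration: audit a captured HTTP
# response header block for the headers this page expects. Hostnames and
# origins are placeholders. Typical use against a live instance:
#   curl -sS -D - -o /dev/null https://passwork.example.com/ | check_security_headers
# and, to prove that an unlisted origin is NOT reflected by the CORS allowlist:
#   curl -sS -D - -o /dev/null -H 'Origin: https://evil.example' \
#     https://passwork.example.com/ | check_security_headers https://evil.example

# header_value NAME: print the value of header NAME (case-insensitive) from the
# header block held in $HDRS, with the CR of CRLF line endings removed.
header_value() {
    printf '%s\n' "$HDRS" | tr -d '\r' | grep -i "^$1:" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# check_security_headers [PROBE_ORIGIN]: read raw response headers on stdin,
# print one FAIL line per finding, return 1 if anything failed and 0 otherwise.
check_security_headers() {
    probe=${1:-}
    HDRS=$(cat)
    rc=0
    # Headers whose value must match the tables on this page exactly.
    for pair in 'X-Frame-Options=DENY' \
                'X-Content-Type-Options=nosniff' \
                'Referrer-Policy=strict-origin-when-cross-origin'; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(header_value "$name")
        if [ "$got" != "$want" ]; then
            echo "FAIL $name: got '${got:-<missing>}', want '$want'"
            rc=1
        fi
    done
    # HSTS: max-age of at least one year (31536000 s) and includeSubDomains.
    hsts=$(header_value Strict-Transport-Security)
    maxage=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$maxage" ] || [ "$maxage" -lt 31536000 ]; then
        echo "FAIL Strict-Transport-Security: max-age missing or below 31536000 ('$hsts')"
        rc=1
    fi
    if ! printf '%s' "$hsts" | grep -qi 'includesubdomains'; then
        echo "FAIL Strict-Transport-Security: includeSubDomains missing"
        rc=1
    fi
    # CORS: a wildcard origin may never be combined with credentials (browsers
    # reject such a response), and an origin outside the allowlist must not be
    # reflected back in Access-Control-Allow-Origin.
    acao=$(header_value Access-Control-Allow-Origin)
    acac=$(header_value Access-Control-Allow-Credentials)
    if [ "$acao" = "*" ] && [ "$acac" = "true" ]; then
        echo "FAIL CORS: Access-Control-Allow-Origin '*' combined with Allow-Credentials: true"
        rc=1
    fi
    if [ -n "$probe" ] && [ "$acao" = "$probe" ]; then
        echo "FAIL CORS: probe origin '$probe' was reflected in Access-Control-Allow-Origin"
        rc=1
    fi
    return $rc
}

# Constructed sample response (not captured from a real instance) matching the
# Docker build defaults on this page; used as a self-check when run directly.
CONSTRUCTED_GOOD='HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: *'

printf '%s\n' "$CONSTRUCTED_GOOD" | check_security_headers \
    && echo "constructed sample: all checks passed"
```

Source the file (. ./check_headers.sh) to get the function in an interactive shell, then pipe curl output into it. The probe argument is only meaningful when the same Origin was sent with the request; run it once with an allowlisted origin (expect a pass) and once with an arbitrary origin (expect no reflection) after changing cors.conf or the Apache block.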