Support general configuration to write HTTP response headers from FusionAuth

Open robotdan opened this issue 4 years ago • 2 comments

Description

There are some security-related headers that we may want to write, and these types of headers change and may be specific per client.

We could optionally expose a key-value pair configuration to allow HTTP headers to be written to the HTTP response by FusionAuth.

This config would exist on the System Configuration and be applied to all HTTP responses regardless of tenant.

Related

  • https://securityheaders.com/ is one such website that suggests particular HTTP headers
  • https://github.com/FusionAuth/fusionauth-issues/issues/1003
  • https://github.com/FusionAuth/fusionauth-issues/issues/2095

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

robotdan, Dec 02 '21 21:12

This would be nice for HSTS as well.

voidmain, Apr 16 '24 00:04

+1 for HSTS. A customer of ours had concerns around the lack of HSTS on our hosted login page.

davekuyper, Apr 16 '24 16:04

@davekuyper please don't forget to upvote the issue, as that helps bubble it up for implementation.

mooreds, Aug 01 '24 20:08

Might be nice to have this configurable on a tenant-by-tenant basis as well. If you are a true SaaS private labeling FusionAuth, different tenants might have different requirements.

mooreds, Aug 01 '24 20:08