{"id":25494199,"url":"https://github.com/mridang/traefik-superheader","last_synced_at":"2025-10-10T22:32:31.538Z","repository":{"id":276112974,"uuid":"928106011","full_name":"mridang/traefik-superheader","owner":"mridang","description":"A traefik plugin to add the most common headers to HTTP requests","archived":false,"fork":false,"pushed_at":"2025-09-08T03:36:32.000Z","size":379,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-10T22:32:12.057Z","etag":null,"topics":["headers","http-headers","middleware","owasp","security","traefik","traefik-middleware","traefik-plugin"],"latest_commit_sha":null,"homepage":"https://plugins.traefik.io/plugins/67b83299b48ad97c67d7ecc3/superheader-plugin","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mridang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-02-06T04:18:50.000Z","updated_at":"2025-06-10T09:57:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"ac499383-a8ce-42d1-902a-7b5fbee73f7f","html_url":"https://github.com/mridang/traefik-superheader","commit_stats":null,"previous_names":["mridang/traefik-superheader"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/mridang/traefik-superheader","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Ftraefik-superheader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/mridang%2Ftraefik-superheader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Ftraefik-superheader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Ftraefik-superheader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mridang","download_url":"https://codeload.github.com/mridang/traefik-superheader/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Ftraefik-superheader/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279005463,"owners_count":26083902,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["headers","http-headers","middleware","owasp","security","traefik","traefik-middleware","traefik-plugin"],"created_at":"2025-02-18T23:19:29.091Z","updated_at":"2025-10-10T22:32:31.529Z","avatar_url":"https://github.com/mridang.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Superheader - OWASP Headers for Traefik\n\n**Superheader** is a plugin for Traefik that adds the necessary headers\nto responses to help secure web applications.\n\nThe headers set adhere to the recommendations of the OWASP Secure Headers\nProject https://owasp.org/www-project-secure-headers/\n\n##### Why?\n\nWhile there is third-party middleware for almost all frameworks, e.g. Helmet for\nExpress (Node) and Spring Security for Spring (Java), using this\nmiddleware makes it simple to secure all your web applications.\n\n## Usage\n\nFor a plugin to be active for a given Traefik instance, it must be declared in\nthe static configuration.\n\n```yaml\nexperimental:\n  plugins:\n    superheader:\n      moduleName: \"github.com/mridang/traefik-superheader\"\n      version: \"v1.0.0\"\n```\n\n##### Example 1: Traefik Configuration Using YAML\n\nThe middleware itself is declared in the dynamic configuration and attached to a\nrouter by name.\n\n```yaml\nhttp:\n  routers:\n    my-router:\n      rule: \"Host(`example.com`)\"\n      entryPoints:\n        - web\n      middlewares:\n        - superheader  # Apply the middleware to the router\n\n  middlewares:\n    superheader:\n      plugin:\n        superheader:\n          x-frame-options: DENY\n          x-dns-prefetch-control: off\n          x-content-type-options: nosniff\n          strict-transport-security: max-age=31536000; includeSubDomains\n          referrer-policy: no-referrer\n          x-xss-protection: 1; mode=block\n          cross-origin-opener-policy: same-origin\n          cross-origin-embedder-policy: require-corp\n          cross-origin-resource-policy: same-origin\n          origin-agent-cluster: ?1\n          x-permitted-cross-domain-policies: master-only\n          remove-powered-by: on\n```\n\n##### Example 2: Traefik Configuration Using CLI Args\n\nThis example shows you how to load and configure the plugin using the command-line\narguments.\n\n```shell\ntraefik \\\n  --entryPoints.web.address=:80 \\\n  --providers.file.filename=traefik.yml \\\n  --experimental.plugins.superheader.moduleName=github.com/mridang/traefik-superheader \\\n  --experimental.plugins.superheader.version=v0.1.0 \\\n  --http.middlewares.superheader.plugin.superheader.x-frame-options=DENY \\\n  --http.middlewares.superheader.plugin.superheader.x-dns-prefetch-control=off \\\n  
--http.middlewares.superheader.plugin.superheader.x-content-type-options=nosniff \\\n  --http.middlewares.superheader.plugin.superheader.strict-transport-security=\"max-age=31536000; includeSubDomains\" \\\n  --http.middlewares.superheader.plugin.superheader.referrer-policy=no-referrer \\\n  --http.middlewares.superheader.plugin.superheader.x-xss-protection=\"1; mode=block\" \\\n  --http.middlewares.superheader.plugin.superheader.cross-origin-opener-policy=same-origin \\\n  --http.middlewares.superheader.plugin.superheader.cross-origin-embedder-policy=require-corp \\\n  --http.middlewares.superheader.plugin.superheader.cross-origin-resource-policy=same-origin \\\n  --http.middlewares.superheader.plugin.superheader.origin-agent-cluster=\"?1\" \\\n  --http.middlewares.superheader.plugin.superheader.x-permitted-cross-domain-policies=master-only \\\n  --http.middlewares.superheader.plugin.superheader.remove-powered-by=on\n```\n\n##### Example 3: Usage in Docker Compose\n\n```yaml\nservices:\n  traefik:\n    image: traefik:3.3.3\n    ports:\n      - \"7080:80\"\n    command:\n      - --api.dashboard=false\n      - --api.insecure=false\n      - --log.level=DEBUG\n      - --experimental.plugins.superheader.moduleName=github.com/mridang/traefik-superheader\n      - --providers.docker=true\n      - --entrypoints.web.address=:80\n    volumes:\n      - '/var/run/docker.sock:/var/run/docker.sock'\n    labels:\n      - traefik.enable=true\n      - traefik.http.services.traefik.loadbalancer.server.port=8080\n\n  # A sample service that uses the middleware with the defaults\n  foo:\n    image: traefik/whoami\n    labels:\n      - traefik.enable=true\n      - traefik.http.routers.foo.rule=PathPrefix(`/foo`)\n      - traefik.http.routers.foo.middlewares=securefoo\n      - traefik.http.middlewares.securefoo.plugin.superheader=true\n      - traefik.http.routers.foo.entrypoints=web\n\n  # A sample service that uses the middleware with custom options\n  bar:\n    image: 
traefik/whoami\n    labels:\n      - traefik.enable=true\n      - traefik.http.routers.bar.rule=PathPrefix(`/bar`)\n      - traefik.http.routers.bar.middlewares=securebar\n      - traefik.http.middlewares.securebar.plugin.superheader.x-frame-options=\"DENY\"\n      - traefik.http.routers.bar.entrypoints=web\n\n  # A sample service that does not use the middleware at all\n  baz:\n    image: traefik/whoami\n    labels:\n      - traefik.enable=true\n      - traefik.http.routers.baz.rule=PathPrefix(`/baz`)\n      - traefik.http.routers.baz.entrypoints=web\n```\n\nOnce the middleware has been installed, you can check the headers your web\napplication now returns with the MDN HTTP Observatory at https://observatory.mozilla.org/\n(or locally with `curl -sI` against the entrypoint).\n\n### Options\n\nThe middleware exposes a few options to customise its behaviour. To make the\nplugin harder to misconfigure, all keys are lowercase and all values are\nmatched case-insensitively.\n\n#### Configuring the X-Frame-Options Header\n\nThis header is configured with the \"x-frame-options\" option and controls whether\na browser may render the page in a `\u003cframe\u003e`, `\u003ciframe\u003e`,\n`\u003cembed\u003e`, or `\u003cobject\u003e`.\n\nThe valid values are as follows:\n\n- `deny`: Prevents any origin, including the page's own, from framing the content. (Default)\n- `sameorigin`: Allows only pages from the same origin to frame the content.\n\nFor more information,\nvisit: [MDN: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)\n\n#### Configuring the X-DNS-Prefetch-Control Header\n\nThis header is configured with the \"x-dns-prefetch-control\" option and controls\nwhether the browser resolves the hostnames of links on the page ahead of time.\n\nThe valid values are as follows:\n\n- `on`: Enables DNS prefetching. (Default)\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: X-DNS-Prefetch-Control](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control)\n\n#### Configuring the X-Content-Type-Options Header\n\nThis header is configured with the \"x-content-type-options\" option and tells\nthe browser not to sniff the MIME type of the content, so a `\u003cscript\u003e` whose\nresponse is served as `text/plain` is blocked rather than executed.\n\nThe valid values are as follows:\n\n- `on`: Sends `nosniff`, which prevents browsers from inferring the MIME type. (Default)\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)\n\n#### Configuring the Strict-Transport-Security Header\n\nThis header is configured with the \"strict-transport-security\" option and tells\nbrowsers to use only HTTPS for the site for the duration of its `max-age`.\n\nThe valid values are as follows:\n\n- `on`: Enforces HTTPS for the header's max-age and includes all subdomains. (Default)\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)\n\n#### Configuring the Referrer-Policy Header\n\nThis header is configured with the \"referrer-policy\" option and controls how\nmuch referrer information is included with requests leaving the page.\n\nThe valid values are as follows:\n\n- `on` | `no-referrer`: No referrer information is sent. (Default)\n- `no-referrer-when-downgrade`: Sends the full URL, except that nothing is sent\n  when going from HTTPS to HTTP.\n- `origin`: Only the origin is sent as the referrer.\n- `origin-when-cross-origin`: Sends the full URL as referrer for same-origin\n  requests and only the origin for cross-origin requests.\n- `same-origin`: Sends the full URL for same-origin requests and nothing for\n  cross-origin requests.\n- `strict-origin`: Sends only the origin, and nothing at all when going from\n  HTTPS to HTTP.\n- `strict-origin-when-cross-origin`: Sends the full URL for same-origin\n  requests, only the origin for cross-origin requests, and nothing when going\n  from HTTPS to HTTP. (This is the browsers' built-in default.)\n- `unsafe-url`: Always sends the full URL as referrer, even to HTTP.\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)\n\n#### Configuring the X-XSS-Protection Header\n\nThis header is configured with the \"x-xss-protection\" option and enables or\ndisables the reflected-XSS filter that older browsers shipped. Current versions\nof Chrome, Edge and Safari have removed the filter and Firefox never implemented\nit; because the filter could itself be abused to break pages, OWASP now\nrecommends disabling it (the `off` value below) and relying on a\nContent-Security-Policy instead.\n\nThe valid values are as follows:\n\n- `on`: Enables the XSS filter. (Default)\n- `block`: Enables the XSS filter and blocks the page if an attack\n  is detected.\n- `off`: Disables the XSS filter.\n\nFor more information,\nvisit: [MDN: X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)\n\n#### Configuring the Cross-Origin-Opener-Policy Header\n\nThis header is configured with the \"cross-origin-opener-policy\" option and\ncontrols whether the browsing context (window or tab) shares a browsing context\ngroup with cross-origin windows that opened it or that it opens, which is what\nlets them hold a `window.opener` reference to each other.\n\nThe valid values are as follows:\n\n- `on` | `same-origin`: Isolates the document; only same-origin documents with\n  the same policy stay in its group, and cross-origin openers and popups lose\n  their reference to it.\n- `unsafe-none`: No isolation; the browser's default behaviour.\n- `same-origin-allow-popups`: Isolates the document from cross-origin openers,\n  but popups it opens that do not set COOP keep a reference to it.\n- `noopener-allow-popups`: Isolates the document from its opener even when the\n  opener is same-origin, while still allowing it to open popups.\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: Cross-Origin-Opener-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy)\n\n#### Configuring the Cross-Origin-Embedder-Policy Header\n\nThis header is configured with the \"cross-origin-embedder-policy\" option and\ncontrols which cross-origin resources the document may load.\n\nThe valid values are as follows:\n\n- `on` | `require-corp`: Only loads cross-origin resources that opt in, either\n  via CORS or a `Cross-Origin-Resource-Policy` header; everything else is\n  blocked. (Default)\n- `unsafe-none`: Allows all cross-origin resources to be embedded; the browser's\n  default behaviour.\n- `credentialless`: Loads cross-origin `no-cors` resources without credentials\n  (cookies, client certificates) instead of requiring them to opt in.\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy)\n\n#### Configuring the Cross-Origin-Resource-Policy Header\n\nThis header is configured with the \"cross-origin-resource-policy\" option and\ncontrols which origins may load this response as a subresource (for example as\nan image, script or iframe); it does not restrict requests the page itself makes.\n\nThe valid values are as follows:\n\n- `on` | `same-origin`: Only documents from the same origin may load the resource. (Default)\n- `same-site`: Documents from the same site (same registrable domain, any\n  subdomain) may load the resource.\n- `cross-origin`: Any origin may load the resource.\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: Cross-Origin-Resource-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy)\n\n#### Configuring the Origin-Agent-Cluster Header\n\nThis header is configured with the \"origin-agent-cluster\" option and asks the\nbrowser to keep this origin in its own agent cluster, isolating it from other\nsame-site origins (which otherwise can share a process and, via `document.domain`,\ntheir DOM).\n\nThe valid values are as follows:\n\n- `on`: Sends `?1`, requesting origin-keyed agent clustering.\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: Origin-Agent-Cluster](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster)\n\n#### Configuring the X-Permitted-Cross-Domain-Policies Header\n\nThis header is configured with the \"x-permitted-cross-domain-policies\" option\nand tells Adobe Flash and Acrobat clients which cross-domain policy files\n(`crossdomain.xml`) on this host they may honour.\n\nThe valid values are as follows:\n\n- `none`: No policy files are allowed anywhere on the host.\n- `master-only`: Only the master policy file (`/crossdomain.xml`) is allowed.\n- `by-content-type`: Only policy files served with the\n  `text/x-cross-domain-policy` content type are allowed (HTTP only).\n- `by-ftp-filename`: Only files named `crossdomain.xml` are allowed (FTP only).\n- `all`: All policy files on the host are allowed.\n- `none-this-response`: This particular response must not be used as a policy\n  file, with no restriction on other files.\n- `off`: Disables the setting of the header\n\nFor more information,\nvisit: [MDN: X-Permitted-Cross-Domain-Policies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Permitted-Cross-Domain-Policies)\n\n#### Configuring the removal of headers\n\nThe OWASP guidelines recommend removing headers that disclose the server stack,\nsuch as `X-Powered-By`, since they help an attacker fingerprint the application.\nThis feature is toggled with the \"remove-powered-by\" option.\n\nThe valid values are as follows:\n\n- `on`: Removes the sensitive headers.\n- `off`: Disables the removal of headers\n\nFor more information,\nvisit: [OWASP: Remove Headers](https://owasp.org/www-project-secure-headers/ci/headers_remove.json)\n\n## Caveats\n\n- `cross-origin-embedder-policy: require-corp` (the default) blocks every\n  cross-origin script, image, font and iframe that is not served with CORS or a\n  `Cross-Origin-Resource-Policy` header, so check third-party assets before\n  enabling it in production.\n- `strict-transport-security` is cached by browsers for the full `max-age` and,\n  with `includeSubDomains`, applies to every subdomain; only enable it once all\n  of them serve HTTPS.\n- `x-frame-options: deny` also stops the application from framing its own pages;\n  use `sameorigin` if it relies on iframes.\n- `Content-Security-Policy` is not among the options above; the headers this\n  plugin sets complement a CSP rather than replace it.\n\n## Contributing\n\nContributions are welcome! If you find a bug or have suggestions for improvement,\nplease open an issue or submit a pull request.\n\n## License\n\nApache License 2.0 © 2024 Mridang Agarwalla\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmridang%2Ftraefik-superheader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmridang%2Ftraefik-superheader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmridang%2Ftraefik-superheader/lists"}
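Added here as a worked example, not code from the project or its README: a small Go check that parses the header block of a `curl -sI` dump taken against the Traefik entrypoint and reports what the OWASP Secure Headers Project would flag once the middleware is in place. The expected values, the list of leaky headers and the two sample dumps are this example's own assumptions; the dumps are constructed to mirror the README's Example 1 and an unprotected service and were not captured from a real deployment.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Expected values: README defaults plus OWASP recommendations (this check's assumptions, not the plugin's source).
var expected = map[string]string{
	"X-Frame-Options":                   "DENY",
	"X-Content-Type-Options":            "nosniff",
	"Referrer-Policy":                   "no-referrer",
	"Cross-Origin-Opener-Policy":        "same-origin",
	"Cross-Origin-Embedder-Policy":      "require-corp",
	"Cross-Origin-Resource-Policy":      "same-origin",
	"X-Permitted-Cross-Domain-Policies": "none",
}
var leaky = []string{"Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version"} // subset of OWASP headers_remove.json

const minHSTSAge = 31536000 // one year, the OWASP minimum for max-age

// ParseHeaders turns the header block of a `curl -sI` dump into an http.Header; the status line has no colon and is skipped.
func ParseHeaders(raw string) http.Header {
	h := http.Header{}
	for _, line := range strings.Split(raw, "\n") {
		if name, value, ok := strings.Cut(line, ":"); ok {
			h.Add(strings.TrimSpace(name), strings.TrimSpace(value))
		}
	}
	return h
}

// Audit returns one finding per problem in a response header set.
func Audit(h http.Header) []string {
	var findings []string
	for name, want := range expected {
		if got := h.Get(name); got == "" {
			findings = append(findings, "missing "+name)
		} else if !strings.EqualFold(got, want) { // the plugin documents values as case-insensitive
			findings = append(findings, fmt.Sprintf("%s is %q, expected %q", name, got, want))
		}
	}
	findings = append(findings, AuditHSTS(h.Get("Strict-Transport-Security"))...)
	if v := strings.TrimSpace(h.Get("X-XSS-Protection")); v != "" && v != "0" { // legacy filter: OWASP says 0
		findings = append(findings, "X-XSS-Protection enables the deprecated filter; OWASP recommends 0")
	}
	for _, name := range leaky {
		if h.Get(name) != "" {
			findings = append(findings, "leaks "+name)
		}
	}
	return findings
}

// AuditHSTS parses "max-age=N; includeSubDomains" and flags a short max-age or a missing includeSubDomains.
func AuditHSTS(v string) []string {
	if v == "" {
		return []string{"missing Strict-Transport-Security"}
	}
	maxAge, subdomains := -1, false
	for _, d := range strings.Split(v, ";") {
		if d = strings.TrimSpace(d); strings.HasPrefix(strings.ToLower(d), "max-age=") {
			maxAge, _ = strconv.Atoi(strings.TrimSpace(d[len("max-age="):])) // unparsable max-age becomes 0 and is flagged
		} else if strings.EqualFold(d, "includeSubDomains") {
			subdomains = true
		}
	}
	var out []string
	if maxAge < minHSTSAge {
		out = append(out, fmt.Sprintf("Strict-Transport-Security max-age %d is below %d", maxAge, minHSTSAge))
	}
	if !subdomains {
		out = append(out, "Strict-Transport-Security lacks includeSubDomains")
	}
	return out
}

// Constructed sample dumps (not from a real deployment): what Example 1 would emit, and an unprotected service.
const hardenedDump = `HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
X-Permitted-Cross-Domain-Policies: master-only`
const bareDump = `HTTP/1.1 200 OK
Server: nginx/1.25.3
X-Powered-By: Express`

func main() {
	for _, dump := range []string{hardenedDump, bareDump} {
		fmt.Println(strings.Join(Audit(ParseHeaders(dump)), "\n"), "\n---")
	}
}
```

Run against the Example 1 values, the check reports two findings: `X-XSS-Protection` is enabled where OWASP recommends `0`, and `x-permitted-cross-domain-policies` is `master-only` where OWASP recommends `none`. The unprotected service produces ten. Swapping the constants for `io.ReadAll(os.Stdin)` turns this into something you can pipe `curl -sI` output into after each configuration change.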