Automatic security headers for apps

DollarDeploy now adds default, configurable HTTP security headers to every app; out of the box they make your app more resistant to clickjacking, hostile iframe embedding and credential theft. This automatic HTTP security headers functionality protects your applications from common web attacks. The headers work at the browser level to help prevent man-in-the-middle attacks, clickjacking and data leaks, with no performance impact on your application.

How It Works

When your application is deployed, DollarDeploy automatically adds security headers to HTTP responses based on your configuration. These headers tell browsers how to handle security-sensitive behaviors, creating multiple layers of protection against attacks.

The security headers include:

  • HSTS: Forces HTTPS connections to prevent SSL stripping attacks
  • X-Frame-Options: Blocks clickjacking by controlling iframe embedding
  • Referrer-Policy: Controls what information gets sent in referrer headers
  • X-Content-Type-Options: Prevents MIME sniffing attacks

Configuration Options

You can customize the security headers using these environment variables in the app.

APP_HTTP_STRICT_TRANSPORT_SECURITY

Default: max-age=31536000; includeSubDomains; preload
Controls HSTS (HTTP Strict Transport Security) to force HTTPS connections. This prevents attackers from downgrading your secure connections.

APP_HTTP_FRAME_OPTIONS

Default: SAMEORIGIN
Prevents clickjacking attacks by controlling whether your site can be embedded in iframes.

APP_HTTP_REFERRER_POLICY

Default: origin-when-cross-origin
Sets the Referrer-Policy header, which controls what referrer information gets sent when users navigate from your site to external sites.

APP_HTTP_CONTENT_TYPE_OPTIONS

No default set
When set to nosniff, sets the X-Content-Type-Options: nosniff header, which prevents browsers from MIME-sniffing responses and can block certain types of XSS attacks.

APP_HTTP_CSP_HEADER

No default set
Sets the Content-Security-Policy header to prevent XSS attacks and control resource loading. When configured, this header tells browsers which sources are trusted for scripts, styles, images, and other resources.
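To make the mapping concrete, here is an added Python example (not DollarDeploy's own code): it derives the headers that the APP_HTTP_* variables above would produce and audits a header set for missing or weak values. The variable-to-header mapping and the defaults are taken from the descriptions above; the minimum HSTS max-age used by the audit is this example's own assumption.

```python
import re

# Environment variable -> HTTP response header, per the configuration options above.
ENV_TO_HEADER = {
    "APP_HTTP_STRICT_TRANSPORT_SECURITY": "Strict-Transport-Security",
    "APP_HTTP_FRAME_OPTIONS": "X-Frame-Options",
    "APP_HTTP_REFERRER_POLICY": "Referrer-Policy",
    "APP_HTTP_CONTENT_TYPE_OPTIONS": "X-Content-Type-Options",
    "APP_HTTP_CSP_HEADER": "Content-Security-Policy",
}

# Documented defaults; the content-type and CSP options have no default.
DEFAULTS = {
    "APP_HTTP_STRICT_TRANSPORT_SECURITY": "max-age=31536000; includeSubDomains; preload",
    "APP_HTTP_FRAME_OPTIONS": "SAMEORIGIN",
    "APP_HTTP_REFERRER_POLICY": "origin-when-cross-origin",
}


def build_headers(env: dict) -> dict:
    """Return the security headers a deployment would emit for the given env vars."""
    headers = {}
    for var, header in ENV_TO_HEADER.items():
        value = env.get(var, DEFAULTS.get(var))
        if value:  # unset and no default -> header is not emitted
            headers[header] = value
    return headers


def audit_headers(headers: dict, min_hsts_age: int = 15552000) -> list:
    """Return findings for missing or weak headers; an empty list means all checks pass.
    min_hsts_age (180 days) is an assumed threshold, not a DollarDeploy value."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS missing or without max-age")
    elif int(m.group(1)) < min_hsts_age:
        findings.append(f"HSTS max-age {m.group(1)} below {min_hsts_age}")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings
```

Running audit_headers(build_headers({})) shows that the defaults alone leave X-Content-Type-Options and Content-Security-Policy unset, so set those two variables explicitly.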

Benefits

  • Automatic Protection: Security headers are applied automatically without code changes
  • Industry Standards: Configurations follow the OWASP Top 10 and security best practices
  • Flexible Configuration: Customize settings based on your application's needs
  • Zero Performance Impact: Headers add minimal bandwidth overhead with no processing cost
  • Browser Compatibility: Works across all modern browsers with graceful degradation

These security headers provide essential protection against common web vulnerabilities and should be considered fundamental security controls for any web application. The default settings provide strong security out of the box, while the configuration options let you customize the behavior for your specific use case.