
Headers

Add custom headers with the Headers parameter:

Headers:
    Content-Security-Policy: default-src 'self'
    Feature-Policy: "autoplay none; camera none; display-capture none; document-domain none; encrypted-media none; fullscreen none; geolocation none; microphone none; midi none; notifications none; push none; sync-xhr none; magnetometer none; gyroscope none; speaker self; vibrate none; fullscreen self; payment none; "

Remove unwanted headers

Prefix a header name with "-" to remove that header:

Headers:
    -Server:
    -X-Ruxy:

Default headers

For security reasons, some headers are set by default:

X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Referrer-Policy: same-origin
Referrer-Policy: no-referrer
Strict-Transport-Security:

And some removed:

Server
X-Version
X-Powered-By
X-AspNet-Version
X-AspNetMvc-Version
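
A check for the behaviour described on this page, as an added example (not code from the project): it parses a raw response head and reports headers that should be present or absent for a given Headers mapping. The function names and the sample response are constructed. Checking the defaults for presence only, and letting an explicit setting override a default, are assumptions.

```python
# Added example (not project code): audit a response head against the
# Headers policy on this page. Defaults are checked for presence only.
DEFAULT_SET = ["X-Frame-Options", "X-XSS-Protection", "Referrer-Policy",
               "Strict-Transport-Security"]
DEFAULT_REMOVED = ["Server", "X-Version", "X-Powered-By", "X-AspNet-Version",
                   "X-AspNetMvc-Version"]

def parse_head(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw, configured):
    """Return sorted findings for a response, given the Headers mapping."""
    seen = parse_head(raw)
    must_have = {h.lower(): None for h in DEFAULT_SET}
    must_lack = {h.lower() for h in DEFAULT_REMOVED}
    for key, value in configured.items():
        if key.startswith("-"):  # "-Name" removes the header
            must_lack.add(key[1:].lower())
            must_have.pop(key[1:].lower(), None)
        else:  # "Name: value" sets it (assumed to override a default)
            must_have[key.lower()] = value
            must_lack.discard(key.lower())
    findings = []
    for name, want in must_have.items():
        if name not in seen:
            findings.append(f"missing: {name}")
        elif want is not None and want not in seen[name]:
            findings.append(f"unexpected value: {name}")
    findings += [f"leaked: {n}" for n in must_lack if n in seen]
    return sorted(findings)

# Constructed sample: the two Headers blocks from this page merged into one
# mapping, and a response head that violates the resulting policy.
SAMPLE_CONFIG = {"Content-Security-Policy": "default-src 'self'",
                 "-Server": "", "-X-Ruxy": ""}
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: sameorigin
Referrer-Policy: same-origin
X-Powered-By: PHP
X-Ruxy: 1
"""
```

Feed `audit` the head of a real response (for example the output of `curl -sI`) together with the Headers mapping from the deployed configuration.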