Headers

General

Headers play a major role in security, helping to reduce the attack surface of various types on a web application.

These headers are used in most modern web applications as they provide a basic level of protection against the most common vulnerabilities.

Passwork Docker Build

Common security headers are included via the include directive in the main Nginx configuration file and are defined in the extra/security-headers.conf file. The Strict-Transport-Security header is set directly in the main configuration file and thus applies to the entire site.

Header	Value
X-Frame-Options	"DENY"
X-Content-Type-Options	"nosniff"
X-XSS-Protection	"1; mode=block"
Referrer-Policy	"strict-origin-when-cross-origin"
Permissions-Policy	"camera=(), microphone=(), geolocation=()"
Strict-Transport-Security	"max-age=31536000; includeSubDomains"

Apache2\HTTPD

Common headers are contained in public/.htaccess. They are applied automatically provided that .htaccess file processing has not been disabled in the Apache configuration. The Strict-Transport-Security header is specified in the configuration examples in the installation instructions.

Header	Value
X-Frame-Options	"DENY"
X-Content-Type-Options	"nosniff"
X-XSS-Protection	"1; mode=block"
Referrer-Policy	"strict-origin-when-cross-origin"
Permissions-Policy	"camera=(), microphone=(), geolocation=()"
Strict-Transport-Security	"max-age=31536000; includeSubDomains"

X-Frame-Options — Defines whether the page can be loaded in a frame, iframe, or object.

X-Content-Type-Options — Prevents browsers from attempting to guess the content type.

X-XSS-Protection — Enables (or disables) built-in XSS protection in older browser versions. Deprecated but may be used for compatibility.

Referrer-Policy — Defines what information the browser sends in the Referer header.

Permissions-Policy — Allows restricting the use of various features, for example: access to camera, microphone, geolocation, and other APIs.

Strict-Transport-Security — Informs the browser that the site must be loaded only via HTTPS, preventing downgrade and MITM attacks.

Cross-Origin Resource Sharing

CORS headers regulate access to site resources from other domains.

info

In most cases, changing or adding CORS headers is not required. They are needed only when the frontend and backend are hosted on different origins — that is, differ by domain, port, or protocol.

Passwork Docker Build

CORS headers are included via the include directive in the main Nginx configuration file and are defined in the extra/cors.conf file.

Header	Value
Access-Control-Allow-Origin	"*"
Access-Control-Allow-Methods	"GET,HEAD,OPTIONS,POST,PUT,PATCH,DELETE"
Access-Control-Allow-Headers	"Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Headers,Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Browser-Mode, X-Master-Key-Hash, X-CSRF-Token"
Access-Control-Max-Age	"1728000"
Vary	"Origin"

Apache2\HTTPD

CORS headers are not set by default. If necessary, they can be explicitly set in the Apache2 virtual host configuration, inside a <Directory> block or globally for the entire virtual host.

Header	Value
Access-Control-Allow-Origin	"*"
Access-Control-Allow-Methods	"GET,HEAD,OPTIONS,POST,PUT,PATCH,DELETE"
Access-Control-Allow-Headers	"Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Headers,Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Browser-Mode, X-Master-Key-Hash, X-CSRF-Token"
Access-Control-Max-Age	"1728000"
Vary	"Origin"

Access-Control-Allow-Origin — Specifies which domains are allowed to make requests to the resource. Supports the following values:

• Requests from any domains allowed — *
• Exact value, scheme + domain — https://example.com

Specifying multiple domains separated by commas is not supported by the CORS standard and will cause an error! Using multiple domains and other dynamic scenarios are implemented at the web server level:

Docker Build

Replace the line add_header Access-Control-Allow-Origin "*" always; in the configuration file ./conf/nginx/extra/cors.conf with the following lines specifying your own domains or other pattern:

Part of cors.conf configuration file

if ($http_origin ~* ^https?://(example\.com|another\.com)$) {
    add_header Access-Control-Allow-Origin "$http_origin" always;
    add_header Access-Control-Allow-Credentials "true" always;
}

Apache2/HTTPD

Add the following block to the virtual host configuration file:

Part of Apache2 virtual host configuration file

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(example\.com|another\.com)$" ORIGIN_ALLOWED=$0
    Header always set Access-Control-Allow-Origin "%{ORIGIN_ALLOWED}e" env=ORIGIN_ALLOWED
    Header always set Access-Control-Allow-Credentials "true" env=ORIGIN_ALLOWED
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" env=ORIGIN_ALLOWED
    Header always set Access-Control-Allow-Headers "Authorization, Access-Control-Allow-Origin, Access-Control-Allow-Headers,Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Browser-Mode, X-Master-Key-Hash, X-CSRF-Token" env=ORIGIN_ALLOWED
    Header always set Access-Control-Max-Age "1728000" env=ORIGIN_ALLOWED
    Header always set Vary "Origin" env=ORIGIN_ALLOWED
</IfModule>

Access-Control-Allow-Methods — Defines which HTTP methods are allowed for cross-domain requests.

Access-Control-Allow-Headers — Specifies which headers can be sent in cross-domain requests.

Access-Control-Max-Age — Time (in seconds) during which the result of a preflight request can be cached by the browser to avoid performing it every time.

Vary — In the context of CORS, used for proper request handling on CDNs and proxies. Allows correct handling of different Origin requests and caching them separately.