The HTML generator recognizes certain HTTP headers that could be collectively named security headers. If metadata tags with the same names as these are used, they are copied into the generated HTML verbatim. This includes:
| Tag | Description |
|---|---|
| Access-Control-Allow-Origin | Allows you to define a Cross-Origin Resource Sharing (CORS) header. |
| Cache-Control | Overrides the default Cache-Control header generated by the renderer. Together with the Vary meta-tag, it provides a means to control how the generated page will be cached. |
| Content-Security-Policy | Defines the expected behavior of the page. |
| Public-Key-Pins | Tells clients to pin a specific public key, decreasing the risk of Man-In-The-Middle (MITM) attacks. |
| Strict-Transport-Security | Forces clients to connect to the page using HTTPS. |
| Sunset | Flags content for removal at a given (future) time. |
| Vary | Together with the Cache-Control header, defines how the page can be cached. |
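
Because these tags are copied verbatim, a weak value in the page metadata reaches the output unchanged. The following added example (not part of the original documentation or the generator's own code) lints a metadata block before publishing; the `Name: value` line syntax, the blank-line terminator, the sample blocks and the one-year HSTS threshold are assumptions of the example.

```python
import re

# Tag names listed in the table above.
SECURITY_TAGS = {"Access-Control-Allow-Origin", "Cache-Control",
                 "Content-Security-Policy", "Public-Key-Pins",
                 "Strict-Transport-Security", "Sunset", "Vary"}
MIN_HSTS_AGE = 31536000  # one year, a threshold chosen for this example

def parse_metadata(text):
    """Collect security tags from 'Name: value' lines (assumed syntax)."""
    tags = {}
    for line in text.splitlines():
        if not line.strip():
            break  # assumption: a blank line ends the metadata block
        name, sep, value = line.partition(":")
        if sep and name.strip() in SECURITY_TAGS:
            tags[name.strip()] = value.strip()
    return tags

def lint(tags):
    """Return (tag, finding) pairs for values that weaken the header."""
    out = []
    if tags.get("Access-Control-Allow-Origin") == "*":
        out.append(("Access-Control-Allow-Origin", "any origin may read the response"))
    csp = tags.get("Content-Security-Policy")
    if csp is not None:
        directives = [d.split() for d in csp.split(";") if d.strip()]
        sources = {s.lower() for d in directives for s in d[1:]}
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                out.append(("Content-Security-Policy", "allows " + weak))
        if "default-src" not in {d[0].lower() for d in directives}:
            out.append(("Content-Security-Policy", "no default-src fallback"))
    hsts = tags.get("Strict-Transport-Security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if m is None or int(m.group(1)) < MIN_HSTS_AGE:
            out.append(("Strict-Transport-Security", "max-age missing or below one year"))
    return out

# Constructed sample metadata blocks, not taken from any real page.
WEAK = ("Title: Sensor dashboard\n"
        "Access-Control-Allow-Origin: *\n"
        "Content-Security-Policy: script-src 'self' 'unsafe-inline'\n"
        "Strict-Transport-Security: max-age=3600\n\nBody text\n")
HARDENED = ("Access-Control-Allow-Origin: https://app.example.org\n"
            "Content-Security-Policy: default-src 'self'\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\n")

if __name__ == "__main__":
    for tag, finding in lint(parse_metadata(WEAK)):
        print(f"{tag}: {finding}")
```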