# Headers

## Headers

### Introduction

Masonite allows you to easily add security headers to your application. Masonite adds some sensible defaults but you can modify them as you need.

### Configuration

All you need to do is add the middleware to your `HTTP_MIDDLEWARE` constant in your `config/middleware.py` file:

```python
from masonite.middleware import SecureHeadersMiddleware

HTTP_MIDDLEWARE = [
    ...
    SecureHeadersMiddleware,
]
```

This will add these default headers for your server:

```python
'Strict-Transport-Security': 'max-age=63072000; includeSubdomains'
'X-Frame-Options': 'SAMEORIGIN'
'X-XSS-Protection': '1; mode=block'
'X-Content-Type-Options': 'nosniff'
'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin'
'Cache-control': 'no-cache, no-store, must-revalidate'
'Pragma': 'no-cache'
```

### Overriding Headers

If you want to change or add any headers, you just need to specify them in your `config/middleware.py` file and this middleware will automatically pick them up. For example, you can change the `X-Frame-Options` header like this:

{% code title="config/middleware.py" %}

```python
SECURE_HEADERS = {
    'X-Frame-Options': 'deny'
}
```

{% endcode %}

This will then change your headers to:

```python
'Strict-Transport-Security': 'max-age=63072000; includeSubdomains'
'X-Frame-Options': 'deny'
'X-XSS-Protection': '1; mode=block'
'X-Content-Type-Options': 'nosniff'
'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin'
'Cache-control': 'no-cache, no-store, must-revalidate'
'Pragma': 'no-cache'
```

Notice that only the `X-Frame-Options` value changed; every other default is kept.
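The merge described above (defaults first, then your `SECURE_HEADERS` on top) can be reproduced and sanity-checked outside the framework. The block below is an added example, not Masonite's own middleware code: it assumes a plain dictionary of overrides shaped like `SECURE_HEADERS`, merges it over the page's defaults with case-insensitive header names, and then lints the result so a typo or an accidental downgrade (a non-numeric HSTS `max-age`, an `X-Frame-Options` value browsers ignore, a removed `nosniff`) is caught before it ships.

```python
"""Merge default security headers with per-app overrides and lint the result.
Added illustration; the merge and lint logic here is not Masonite's own code."""

# The defaults listed on this page.
DEFAULT_SECURE_HEADERS = {
    'Strict-Transport-Security': 'max-age=63072000; includeSubdomains',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer, strict-origin-when-cross-origin',
    'Cache-control': 'no-cache, no-store, must-revalidate',
    'Pragma': 'no-cache',
}

# One year in seconds: the floor most HSTS guidance recommends.
MIN_HSTS_MAX_AGE = 31536000


def build_secure_headers(overrides=None):
    """Return the header set a response gets: the defaults, then `overrides`
    applied on top. Header names are compared case-insensitively, so an
    override spelled 'x-frame-options' replaces the default instead of
    producing a second, conflicting X-Frame-Options header."""
    merged = dict(DEFAULT_SECURE_HEADERS)
    for name, value in (overrides or {}).items():
        for existing in list(merged):
            if existing.lower() == name.lower():
                del merged[existing]
        merged[name] = value
    return merged


def lint_secure_headers(headers):
    """Return a list of problems in a final header set. An empty list means
    every header checked here has a value browsers will actually honour."""
    problems = []
    lower = {name.lower(): value for name, value in headers.items()}

    # X-Frame-Options is case-insensitive, but only DENY and SAMEORIGIN are
    # understood by current browsers; anything else is silently ignored.
    xfo = lower.get('x-frame-options', '').strip().upper()
    if xfo and xfo not in ('DENY', 'SAMEORIGIN'):
        problems.append(f'X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN; browsers ignore it')

    hsts = lower.get('strict-transport-security')
    if hsts is None:
        problems.append('Strict-Transport-Security was removed')
    else:
        directives = [d.strip() for d in hsts.split(';')]
        max_age = next((d for d in directives if d.lower().startswith('max-age=')), None)
        if max_age is None or not max_age[len('max-age='):].isdigit():
            problems.append('Strict-Transport-Security lacks a numeric max-age')
        elif int(max_age[len('max-age='):]) < MIN_HSTS_MAX_AGE:
            problems.append('Strict-Transport-Security max-age is below one year')

    if lower.get('x-content-type-options', '').strip().lower() != 'nosniff':
        problems.append('X-Content-Type-Options is not "nosniff"')

    return problems


if __name__ == '__main__':
    # Mirrors the override shown on this page.
    final = build_secure_headers({'X-Frame-Options': 'deny'})
    for name, value in final.items():
        print(f'{name}: {value}')
    print('problems:', lint_secure_headers(final) or 'none')
```

`lint_secure_headers` is the piece worth keeping around: run it over the merged dictionary in a unit test so a future edit to `SECURE_HEADERS` cannot quietly weaken the baseline.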

## CORS

You may also choose to send CORS headers from your application. Configuring CORS is very similar to the secure headers above and is done through a service provider.

{% hint style="info" %}
This provider needs to be at the TOP of the `PROVIDERS` list, directly below your `AppProvider`, so the request will not be rejected before it enters the lifecycle of the framework.
{% endhint %}

{% hint style="danger" %}
NOTE: The development server is currently NOT strong enough to work with CORS headers, as most implementations fire 2 requests at the same time. If testing CORS locally, please use a stronger server like waitress or gunicorn.
{% endhint %}

To get started just import the `CorsProvider` class into your `config/providers.py` file and add it to your `PROVIDERS` list:

```python
from masonite.providers import CorsProvider
...
PROVIDERS = [
    AppProvider,
    CorsProvider, # Right below the AppProvider
    ...,
]
```

Then inside your `config/middleware.py` file you can put your CORS headers as a dictionary. Here is a list of sensible defaults:

```python
from masonite.middleware import CorsMiddleware
...
HTTP_MIDDLEWARE = [
    ...,
]

ROUTE_MIDDLEWARE = [
    ...,
]

...

CORS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT",
    "Access-Control-Allow-Headers": "Content-Type, Accept, X-Requested-With",
    "Access-Control-Max-Age": "3600",
    "Access-Control-Allow-Credentials": "true"
}
```

Now if you open your application in a browser you will see these headers in the server's response.
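To see what a dictionary like the one above actually means for a single request, here is an added example that is not part of Masonite's `CorsProvider`: it takes a config shaped like the `CORS` setting, reports combinations browsers will not honour (in particular, `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, which browsers reject on credentialed requests), and resolves the response headers for a given request `Origin`. The constructed `CORS_EXAMPLE` below assumes a comma-separated list of exact origins in `Access-Control-Allow-Origin` instead of the `*` default; that list format is this example's own convention, not a documented Masonite one.

```python
"""Resolve the CORS headers to send for one request from a config dict shaped
like the CORS setting on this page. Added illustration, not Masonite's code."""

# Constructed config. Listing exact origins (this example's own convention)
# is what makes "Access-Control-Allow-Credentials: true" usable: browsers
# refuse credentialed responses whose Allow-Origin is the "*" wildcard.
CORS_EXAMPLE = {
    'Access-Control-Allow-Origin': 'https://app.example.com, https://admin.example.com',
    'Access-Control-Allow-Methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT',
    'Access-Control-Allow-Headers': 'Content-Type, Accept, X-Requested-With',
    'Access-Control-Max-Age': '3600',
    'Access-Control-Allow-Credentials': 'true',
}

# Only a preflight (OPTIONS) response needs these three headers.
PREFLIGHT_ONLY = (
    'Access-Control-Allow-Methods',
    'Access-Control-Allow-Headers',
    'Access-Control-Max-Age',
)


def _split(value):
    """Split a comma-separated header value into trimmed, non-empty items."""
    return [v.strip() for v in value.split(',') if v.strip()]


def validate_cors_config(config):
    """Return a list of misconfigurations browsers will not honour."""
    problems = []
    origin = config.get('Access-Control-Allow-Origin', '').strip()
    credentials = config.get('Access-Control-Allow-Credentials', '').strip().lower() == 'true'
    if origin == '*' and credentials:
        problems.append('Allow-Origin "*" cannot be combined with Allow-Credentials "true"; '
                        'browsers block the response, list exact origins instead')
    for item in _split(origin):
        if item != '*' and not item.startswith(('https://', 'http://')):
            problems.append(f'origin {item!r} must be a scheme://host[:port] value')
    if not config.get('Access-Control-Max-Age', '0').strip().isdigit():
        problems.append('Access-Control-Max-Age must be an integer number of seconds')
    return problems


def resolve_cors_headers(config, request_origin, preflight=False):
    """Headers to add to the response for a request carrying `request_origin`.
    Returns {} when the origin is not allowed, so the browser blocks the read."""
    if not request_origin:
        return {}  # same-origin or non-browser request: nothing to add
    allowed = _split(config.get('Access-Control-Allow-Origin', ''))
    headers = {}
    if '*' in allowed:
        headers['Access-Control-Allow-Origin'] = '*'
    elif request_origin in allowed:
        # Echo the one matching origin, never the whole list, and tell shared
        # caches that the answer depends on the request's Origin header.
        headers['Access-Control-Allow-Origin'] = request_origin
        headers['Vary'] = 'Origin'
    else:
        return {}
    if config.get('Access-Control-Allow-Credentials', '').strip().lower() == 'true':
        headers['Access-Control-Allow-Credentials'] = 'true'
    if preflight:
        for name in PREFLIGHT_ONLY:
            if name in config:
                headers[name] = config[name]
    return headers


if __name__ == '__main__':
    print('config problems:', validate_cors_config(CORS_EXAMPLE) or 'none')
    for origin in ('https://app.example.com', 'https://other.example'):
        print(origin, '->', resolve_cors_headers(CORS_EXAMPLE, origin, preflight=True))
```

Run `validate_cors_config` against your own `CORS` dictionary once at startup or in a test: the wildcard-plus-credentials case is the one that looks fine in the config file and only shows up as a blocked request in the browser console.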
