Skip to content

HTTP Headers

HTTP Headers allow you to define additional response headers that are sent by the web server to clients (browsers, applications, or APIs).
These headers can be used to control cross-origin requests (CORS), enforce security policies, and customize server behavior.


How to add headers

When adding HTTP headers to your application, navigate to the account it is linked to.
Select Edit in the Application widget, next to the application you want to update.

Navigate to the HTTP header section to add the necessary headers
Below you can find an example of an HTTP header configuration:

When all Headers are added, scroll down and press Update Application to save the changes for the application.

Strict-Transport-Security header

Enabling Force HTTPS automatically adds the Strict-Transport-Security header with max-age=31536000 if it does not already exist.
Adding the Strict-Transport-Security header automatically enables Force HTTPS.


The following options can be selected:

Header Description Example Value Explanation
Access-Control-Allow-Origin Defines which domains are allowed to access your API (CORS). https://app.example.com Only this specific frontend domain is allowed to make requests to your server.
Access-Control-Allow-Methods Specifies which HTTP methods are allowed. GET, POST, PUT, DELETE Allows standard CRUD operations from the client.
Access-Control-Allow-Headers Defines which request headers are allowed from the client. Content-Type, Authorization Allows clients to send JSON data and authentication tokens.
Access-Control-Max-Age How long preflight requests can be cached by the browser (in seconds). 86400 The browser caches CORS checks for 24 hours to reduce repeated preflight requests.
Access-Control-Allow-Credentials Allows cookies and authentication credentials in cross-origin requests. true Enables sessions / cookies to be included in API requests.