Response headers shape how a browser treats every byte that follows them. addResponseHeaderAction lets you try a new policy (security headers, CORS, caching) before any change ships to the upstream service, which shortens the feedback loop from days to seconds.
Use addResponseHeaderAction when you want to test or enforce a response header that the upstream server does not yet emit. It is the fastest way to validate the impact of a new security or caching policy before implementing it server side.
Typical situations include:
- Content-Security-Policy on a real site, to find which inline scripts or third-party assets break.
- Strict-Transport-Security on a domain that has not enabled HSTS yet.
- Access-Control-Allow-Origin while a backend team prepares the proper CORS configuration.

The action evaluates on the responseHeaderReceivedFromRemote scope, so it runs after the upstream response headers have been parsed but before they reach the client. HTTP/2 pseudo-headers (names beginning with ':') are skipped automatically.
CSP violations are reported in the browser console without any change to the origin server, which is a quick way to scope a CSP rollout. Note that the header below is enforcing: the browser really blocks the offending resources. If you only want the console report, inject Content-Security-Policy-Report-Only with the same value instead.

```yaml
rules:
  - filter:
      typeKind: HtmlResponseFilter
    actions:
      - typeKind: AddResponseHeaderAction
        headerName: content-security-policy
        headerValue: "default-src 'self'; img-src 'self' data:; script-src 'self'"
```
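Before injecting a candidate policy, it helps to predict which of a page's resources it would block. The following is an added example, not part of the fluxzy documentation or code base: a small dry-run evaluator that parses a CSP string and checks a list of resource loads against it. The policy is the one from the rule above; the page origin and the resource list are constructed for illustration, and nonces and hashes are deliberately out of scope (an inline script is allowed only by 'unsafe-inline').

```python
"""Dry-run a Content-Security-Policy against the resources a page loads.

Added example, not fluxzy code. Predicts which inline scripts or third-party
assets a candidate policy would block before you inject it with
addResponseHeaderAction. Policy, page origin and resource list are constructed.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Resource kind -> governing CSP directive (anything else falls back to default-src).
DIRECTIVE_FOR_KIND = {
    "script": "script-src",
    "style": "style-src",
    "img": "img-src",
    "font": "font-src",
    "connect": "connect-src",
    "frame": "frame-src",
}

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; directive names lower-cased."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _source_matches(source: str, page_origin: str, url: str | None, inline: bool) -> bool:
    """True if one source expression allows the resource (nonces/hashes not modelled)."""
    src = source.lower()
    if inline:
        return src == "'unsafe-inline'"
    if src == "'none'":
        return False
    if src == "*":
        return True
    parts = urlsplit(url or "")
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if src == "'self'":
        return origin == page_origin.lower()
    if src.endswith(":"):                    # scheme source such as data: or https:
        return parts.scheme.lower() == src[:-1]
    if src.startswith("*."):                 # wildcard host such as *.cdn.example
        host = (parts.hostname or "").lower()
        return host.endswith(src[1:])
    if "://" in src:                         # full origin
        return origin == src.rstrip("/")
    return (parts.hostname or "").lower() == src   # bare host

def csp_violations(policy: str, page_origin: str, resources: list[dict]) -> list[str]:
    """One line per resource the policy would block.

    A resource is {"kind": "script", "url": "https://..."} or {"kind": "script", "inline": True}.
    """
    directives = parse_csp(policy)
    blocked = []
    for res in resources:
        wanted = DIRECTIVE_FOR_KIND.get(res["kind"], "default-src")
        if wanted in directives:
            governing = wanted
        elif "default-src" in directives:
            governing = "default-src"
        else:
            continue                          # nothing governs this kind: allowed
        inline = res.get("inline", False)
        url = res.get("url")
        if not any(_source_matches(s, page_origin, url, inline) for s in directives[governing]):
            blocked.append(f"{res['kind']} blocked by {governing}: {'inline' if inline else url}")
    return blocked

# Constructed sample input: the policy from the rule above and a page's resource list.
CANDIDATE_POLICY = "default-src 'self'; img-src 'self' data:; script-src 'self'"
PAGE_ORIGIN = "https://www.example.com"
SAMPLE_RESOURCES = [
    {"kind": "script", "url": "https://www.example.com/app.js"},
    {"kind": "script", "inline": True},
    {"kind": "script", "url": "https://cdn.thirdparty.example/analytics.js"},
    {"kind": "img", "url": "data:image/png;base64,iVBORw0KGgo="},
    {"kind": "style", "url": "https://fonts.example/css"},
    {"kind": "connect", "url": "https://www.example.com/api/items"},
]

if __name__ == "__main__":
    for line in csp_violations(CANDIDATE_POLICY, PAGE_ORIGIN, SAMPLE_RESOURCES):
        print(line)
```

Feed it the resource list exported from the browser's network panel and compare the output with the console violations you see once the header is injected; anything the dry run misses is usually a nonce, hash or redirect case the evaluator does not model.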
Useful when a single page app talks to a backend that does not yet emit CORS headers. Restrict by host so the header is only added to that backend's responses and not to every site passing through the proxy. A wildcard value is fine for an anonymous API, but browsers reject "*" for requests made with credentials (cookies, Authorization header); for those, echo the exact calling origin and add Access-Control-Allow-Credentials: true instead. Also check that the upstream does not already send Access-Control-Allow-Origin: this action appends, and a doubled header is rejected by browsers.

```yaml
rules:
  - filter:
      typeKind: HostFilter
      pattern: api.example.com
    actions:
      - typeKind: AddResponseHeaderAction
        headerName: Access-Control-Allow-Origin
        headerValue: "*"
```
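Whether the browser will actually accept the injected header depends on the request's origin and credentials mode, and on whether the upstream already sent one (since this action appends, both copies reach the browser; see the answer on overriding further down). The following is an added example, not fluxzy code: it implements the CORS check the Fetch standard applies to a response so you can predict the outcome before injecting the header. The sample header sets and origins are constructed.

```python
"""Predict the browser's CORS decision before injecting Access-Control-Allow-Origin.

Added example, not part of fluxzy. Implements the Fetch standard's CORS check
for a (non-preflighted) response: exactly one Access-Control-Allow-Origin value
that is "*" or equals the request's Origin; a credentialed request additionally
needs a non-wildcard origin and Access-Control-Allow-Credentials: true.
The header sets below are constructed samples.
"""
from __future__ import annotations

def _values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values of a header, matched case-insensitively as HTTP requires."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]

def cors_allowed(request_origin: str, with_credentials: bool,
                 response_headers: list[tuple[str, str]]) -> tuple[bool, str]:
    """Return (allowed, reason) for a request sent from request_origin."""
    acao = _values(response_headers, "Access-Control-Allow-Origin")
    if not acao:
        return False, "no Access-Control-Allow-Origin header"
    if len(acao) > 1:
        # This is what an appended header produces when upstream already sent one;
        # browsers refuse a multi-valued Access-Control-Allow-Origin.
        return False, "multiple Access-Control-Allow-Origin values: " + ", ".join(acao)
    if acao[0] == "*":
        if with_credentials:
            return False, "wildcard origin is rejected for credentialed requests"
        return True, "wildcard origin accepted"
    if acao[0] != request_origin:
        return False, f"{acao[0]!r} does not match request origin {request_origin!r}"
    if with_credentials and _values(response_headers, "Access-Control-Allow-Credentials") != ["true"]:
        return False, "credentialed request needs Access-Control-Allow-Credentials: true"
    return True, "origin matches"

# Constructed sample response header sets.
WILDCARD = [("Access-Control-Allow-Origin", "*")]
EXACT = [("Access-Control-Allow-Origin", "https://app.example.com"),
         ("Access-Control-Allow-Credentials", "true")]
DUPLICATED = [("Access-Control-Allow-Origin", "https://app.example.com"),
              ("Access-Control-Allow-Origin", "*")]   # upstream value plus an appended "*"

if __name__ == "__main__":
    cases = [("wildcard, anonymous", WILDCARD, False),
             ("wildcard, with cookies", WILDCARD, True),
             ("exact origin, with cookies", EXACT, True),
             ("duplicated header", DUPLICATED, False)]
    for label, headers, creds in cases:
        ok, why = cors_allowed("https://app.example.com", creds, headers)
        print(f"{label:28} -> {'ALLOW' if ok else 'BLOCK'}: {why}")
```

The duplicated case is the one to watch for with this action: if the upstream response already carries the header, use updateResponseHeaderAction to replace it rather than adding a second copy.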
Pin browsers to HTTPS by injecting Strict-Transport-Security for a year. Combine it with an isSecureFilter so the header is never added to plain HTTP responses; browsers ignore HSTS received over HTTP anyway, but the filter keeps the rule honest. Be aware that a real browser remembers the pin for the full max-age, and for every subdomain when includeSubDomains is set, so test from a throwaway profile or clear the HSTS entry afterwards.

```yaml
rules:
  - filter:
      typeKind: FilterCollection
      operation: And
      children:
        - typeKind: HostFilter
          pattern: www.example.com
        - typeKind: IsSecureFilter
    actions:
      - typeKind: AddResponseHeaderAction
        headerName: Strict-Transport-Security
        headerValue: "max-age=31536000; includeSubDomains"
```
Append a response header. HTTP/2 pseudo-headers (names beginning with ':') are ignored.
Evaluation scope defines the point in the exchange at which this action is applied.
responseHeaderReceivedFromRemote: this scope occurs the moment fluxzy has finished parsing the response header, before the response is forwarded to the client.
addResponseHeaderAction
The following table describes the customizable properties available for this action:

| Property | Type | Description | DefaultValue |
|---|---|---|---|
| headerName | string | Name of the header to append | |
| headerValue | string | Value of the header | |
The following example applies this action to every exchange.
Add a content-security-policy header to every response.

```yaml
rules:
  - filter:
      typeKind: AnyFilter
    actions:
      - typeKind: AddResponseHeaderAction
        headerName: content-security-policy
        headerValue: "default-src 'none'"
```
View definition of AddResponseHeaderAction for .NET integration.
The following actions are related to this action:
No. It is appended. If the response already has the header, both will be present. Use updateResponseHeaderAction when you need to override the upstream value.
You can, but setResponseCookieAction is friendlier because it handles cookie attributes like Path, Domain, and SameSite for you.
Yes. HTTP/2 pseudo headers are ignored as documented, but regular response headers are added normally.
Browsers cache responses. Reload with the cache disabled, or strip cache headers with removeCacheAction so the policy is enforced on the next page load.