This page is about Caddy 1 and will stay here forever.

User Guide


header can manipulate response headers.

Note that if you wish to remove response headers from a proxied backend, you must do so in the proxy directive.


header path name value

This directive can be used multiple times, or you can group multiple custom header fields for the same path:

header path { name value }


Custom header for all pages:

header / X-Custom-Header "My value"

Strip the "Hidden" field from header:

header / -Hidden

Multiple custom headers for a specific path, while removing the Server field:

header /api { Access-Control-Allow-Origin * Access-Control-Allow-Methods "GET, POST, OPTIONS" -Server }

Add some security headers to all pages:

header / { # Enable HTTP Strict Transport Security (HSTS) to force clients to always # connect via HTTPS (do not use if only testing) Strict-Transport-Security "max-age=31536000;" # Enable cross-site filter (XSS) and tell browser to block detected attacks X-XSS-Protection "1; mode=block" # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type X-Content-Type-Options "nosniff" # Disallow the site to be rendered within a frame (clickjacking protection) X-Frame-Options "DENY" }

Need help with this feature?

Join us in the Caddy forum, where the open source community gathers to share their knowledge.

Does your company use Caddy?

Purchase a commercial license to use Caddy with your business and for basic email support, along with other benefits!