
Dec 23, 2025
Security headers help protect your application against common web vulnerabilities such as XSS, clickjacking, and MIME sniffing.
Caddy makes adding these headers simple and centralized.
example.com {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "0"
        Referrer-Policy "strict-origin-when-cross-origin"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }
    reverse_proxy localhost:3000
}
Strict-Transport-Security (HSTS): Forces browsers to use HTTPS only.
X-Content-Type-Options: Prevents MIME type sniffing.
X-Frame-Options: Protects against clickjacking attacks.
X-XSS-Protection: Disabled intentionally (modern browsers use better protections).
Referrer-Policy: Controls how much referrer information is shared.
Permissions-Policy: Restricts access to sensitive browser features.
If you have multiple sites or routes, you can reuse the same security headers block across them to maintain consistency and reduce mistakes.
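To confirm that the header block above actually reaches clients (for example after a proxied app or a second route has overridden one of them), here is a small audit added for this write-up; it is not part of the original post, and the two sample responses at the bottom are constructed rather than captured from a live server:

```python
# Expected values, mirroring the Caddyfile header block above (names lower-cased,
# values compared exactly because we are auditing our own configuration).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "0",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the Caddyfile above

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) parsed from an HSTS value."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and val.strip().isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return max_age, subdomains, preload

def audit_security_headers(headers):
    """Return findings for a response header dict; an empty list means it matches."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        max_age, subdomains, _ = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age below one year: {hsts!r}")
        if not subdomains:
            findings.append("hsts lacks includeSubDomains")
    for name, expected in EXPECTED.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", "X-XSS-Protection": "0",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "geolocation=(), microphone=(), camera=()"}
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN"}
```

Feed it the headers of a real response (for instance `dict(resp.headers)` from `urllib.request.urlopen`) to check a deployed site; `audit_security_headers(WEAK)` reports seven findings while `GOOD` reports none.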
Using an IP address instead of a domain: TLS certificates require a valid domain name.
Exposing Node.js directly to the internet: Caddy should be the only public-facing service.
Running Node.js without a process manager: PM2 is essential for production stability.