Security Headers
nsin can add a small set of response security headers to your site’s HTTPS traffic. They are off by default and configured per domain, so you turn on only what you want, when you’re ready.
These are separate from the automatic Nsn-* proxy headers:
those identify the visitor and are always present on proxied records; the
security headers here are opt-in and change how browsers treat your
responses.
Where to configure
Section titled “Where to configure”- Open your nsin dashboard.
- Go to your domain’s Settings.
- Find the Security Headers section and toggle the ones you want.
Changes apply to new requests within a few seconds. You can turn any of them back off at any time.
Available headers
Section titled “Available headers”| Toggle | Header set | What it does |
|---|---|---|
| No MIME sniffing | X-Content-Type-Options: nosniff | Tells browsers to trust the exact Content-Type your origin sends instead of guessing, which blocks a class of content-type–confusion attacks. |
| Referrer policy | Referrer-Policy: strict-origin-when-cross-origin | Trims the referrer sent to other sites to just your domain (no path or query). Matches the modern browser default. |
| Strip fingerprint headers | removes X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, X-Generator, X-Drupal-Cache, X-Runtime | Removes headers that reveal your backend stack and version. They’re informational only, so removing them is safe for virtually all sites. |
How they behave
Section titled “How they behave”- Your origin always wins. For
nosniffandReferrer-Policy, nsin only adds the header when your origin didn’t already send one — so a stricter policy you set yourself is never overridden. - HTTPS only. The headers are added to secure responses; the
http → httpsredirect stays untouched. - Independent. Each toggle is separate — enable one, two, or all three.
Before you enable
Section titled “Before you enable”A good rollout: enable one header, load your site in a fresh browser tab, and confirm everything still works before enabling the next.
What nsin does not do here
Section titled “What nsin does not do here”nsin does not invent a Content-Security-Policy, CORS policy, or framing policy for you — those encode decisions only your application can make, and a wrong value would break your site. The toggles above are the safe, general-purpose set. If you need a custom CSP or CORS policy, set it on your origin and nsin will pass it through unchanged.
See also Proxy Headers for the headers nsin adds automatically.