Wrap your head around custom headers

22 Jun 2017
Larry Garfield
Documentation Director

One of the requests we've gotten in the past few months is the ability to customize the HTTP headers that get sent with static assets. For requests coming from a PHP or Ruby application it's easy enough to send any headers you want, but for static files there was no way to customize the headers. While that seems like an obscure and nerdy feature it's actually quite important. Custom headers are necessary for supporting atypical file types, for CORS security measures, or for "Same-Origin" restrictions to prevent click-jacking.

So we said to ourselves, "selves, we try to be a flexible host, we should just add that feature." And ourselves responded "OK, let's do that."

And it's now available on all new projects, too.

On all new projects you can now specify additional headers to send in your .platform.app.yaml file. Those can apply to all files (say for a Same-Origin or CORS header) or selectively by file extension or any other regular expression. For instance, the following lines will add an X-Frame-Options header to every static file.

web:
    locations:
        "/":
            # ...
            headers:
              X-Frame-Options: SAMEORIGIN

Again, though, that applies only to static files; for responses from your application you can still set whatever headers you need directly in code. See the documentation for more details, and the provided example.

For now this feature is only available for newly created projects. We'll be rolling out updates to existing projects over time. If you want to use it before that just file a support ticket and we'll bump your project to the head of the line.