Custom headers enable security enhancements, request routing, and API versioning. NGINX Ingress Controller provides flexible header manipulation capabilities.
Adding Response Headers
Add custom headers to responses:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: custom-headers
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Custom-Header: value";
      more_set_headers "X-API-Version: v1";
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
Security Headers
Add security headers:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: security-headers
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-XSS-Protection: 1; mode=block";
      more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
      more_set_headers "Content-Security-Policy: default-src 'self'";
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
Request Header Manipulation
Modify request headers before forwarding:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: request-headers
  annotations:
    nginx.ingress.kubernetes.io/upstream-vhost: "internal-service.default.svc.cluster.local"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_input_headers "X-Real-IP: $remote_addr";
      more_set_input_headers "X-Forwarded-For: $proxy_add_x_forwarded_for";
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
Header-Based Routing
Route based on headers:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: header-routing
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      if ($http_x_api_version = "v2") {
        return 307 https://api-v2.example.com$request_uri;
      }
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
Removing Headers
Remove sensitive headers:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: remove-headers
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers "X-Powered-By";
      more_clear_headers "Server";
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
Global Headers via ConfigMap
Set headers globally:
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
data:
  add-headers: "ingress-nginx/custom-headers"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-headers
  namespace: ingress-nginx
data:
  X-Custom-Header: "global-value"
  X-Frame-Options: "DENY"
Best Practices
- Security headers: Always set security headers
- Remove server info: Hide server version and technology
- Use HTTPS: Set HSTS header for HTTPS sites
- Test headers: Verify headers are set correctly
- Document custom headers: Keep track of header purposes
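For the "Test headers" practice, the following added example (not code from the original page or from the ingress-nginx project) audits a saved `curl -sI` response against the values set in the Security Headers manifest and the headers cleared in the Removing Headers manifest. The function names and both sample responses are constructed for illustration; X-XSS-Protection is left out of the checks.

```python
import re
import sys

def hsts_ok(value, min_age=31536000):
    """HSTS passes only with max-age >= min_age and includeSubDomains."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= min_age and "includesubdomains" in value.lower()

# Expected values mirror the Security Headers manifest on this page.
REQUIRED = {
    "x-frame-options": lambda v: v.upper() == "DENY",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v,
    "strict-transport-security": hsts_ok,
}
FORBIDDEN = ("server", "x-powered-by")  # cleared by the Removing Headers manifest

def parse_headers(raw):
    """Parse a raw header block into {lowercased-name: [values]}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and " " not in name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of findings; an empty list means the policy is met."""
    headers = parse_headers(raw)
    findings = []
    for name, check in REQUIRED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing: {name}")
        elif len(set(values)) > 1:  # e.g. backend and ingress both set it, with different values
            findings.append(f"conflicting: {name}")
        elif not check(values[0]):
            findings.append(f"weak: {name}")
    findings += [f"leaked: {n}" for n in FORBIDDEN if n in headers]
    return sorted(findings)

# Constructed sample responses (not captured from a real site).
GOOD = ("HTTP/2 200\nx-frame-options: DENY\nx-content-type-options: nosniff\n"
        "strict-transport-security: max-age=31536000; includeSubDomains\n"
        "content-security-policy: default-src 'self'\n")
BAD = ("HTTP/1.1 200 OK\nServer: nginx\nX-Frame-Options: DENY\n"
       "X-Frame-Options: SAMEORIGIN\nStrict-Transport-Security: max-age=300\n")

if __name__ == "__main__":
    raw = BAD if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit(raw)) or "ok")
```

Pipe the output of `curl -sI https://example.com` into the script to audit a live response; run without piped input, it reports on the constructed `BAD` sample.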
Conclusion
Custom headers enhance security, enable routing logic, and provide metadata. Use them strategically to improve your application's security posture and functionality.