Skip to content

Security Headers

nsin can add a small set of response security headers to your site’s HTTPS traffic. They are off by default and configured per domain, so you turn on only what you want, when you’re ready.

These are separate from the automatic Nsn-* proxy headers: those identify the visitor and are always present on proxied records; the security headers here are opt-in and change how browsers treat your responses.

  1. Open your nsin dashboard.
  2. Go to your domain’s Settings.
  3. Find the Security Headers section and toggle the ones you want.

Changes apply to new requests within a few seconds. You can turn any of them back off at any time.

ToggleHeader setWhat it does
No MIME sniffingX-Content-Type-Options: nosniffTells browsers to trust the exact Content-Type your origin sends instead of guessing, which blocks a class of content-type–confusion attacks.
Referrer policyReferrer-Policy: strict-origin-when-cross-originTrims the referrer sent to other sites to just your domain (no path or query). Matches the modern browser default.
Strip fingerprint headersremoves X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, X-Generator, X-Drupal-Cache, X-RuntimeRemoves headers that reveal your backend stack and version. They’re informational only, so removing them is safe for virtually all sites.
  • Your origin always wins. For nosniff and Referrer-Policy, nsin only adds the header when your origin didn’t already send one — so a stricter policy you set yourself is never overridden.
  • HTTPS only. The headers are added to secure responses; the http → https redirect stays untouched.
  • Independent. Each toggle is separate — enable one, two, or all three.

A good rollout: enable one header, load your site in a fresh browser tab, and confirm everything still works before enabling the next.

nsin does not invent a Content-Security-Policy, CORS policy, or framing policy for you — those encode decisions only your application can make, and a wrong value would break your site. The toggles above are the safe, general-purpose set. If you need a custom CSP or CORS policy, set it on your origin and nsin will pass it through unchanged.

See also Proxy Headers for the headers nsin adds automatically.