I would like to know how to set up HSTS headers and security headers in the Kong config file. I haven't found anything yet.
There is none.
You can use the response-transformer plugin to inject the header.
Hey, so the response-transformer is the same as this, but for Kong?
To configure HSTS in Nginx, add the next entry in nginx.conf under server (SSL) directive
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
Yes, https://docs.konghq.com/hub/kong-inc/response-transformer/
If you want to do it at the Nginx-level, you could use Nginx directive injection to achieve this as well:
Hi!
Same requirements, but request-transformer plugin not working for me: response-transformer global plugin not working (reliably) · Issue #7040 · Kong/kong · GitHub.
Trying to do this through nginx directives injection in the Kong config instead (Configuration Reference - v1.4.x | Kong - Open-Source API Management and Microservice Management), but I don't see how to add multiple 'add_header' directives, as only the last such directive in the config is processed by Kong.
Edit: the only thing that worked for now is a custom nginx template.
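Whichever route is used (plugin, directive injection or custom template), the result can be checked on the response itself. The following is an added example, not part of any post in this thread and not Kong code: it parses the Strict-Transport-Security value and flags the case described above where only the last `add_header` survives. The function names, the sample responses and the choice of `X-Content-Type-Options` as the second required header are assumptions for illustration.

```python
import re
MIN_MAX_AGE = 31536000  # one year, the max-age quoted in the thread

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: arg or True}."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: each directive at most once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"') if arg else True
    return directives

def check_headers(headers, required=()):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    lower = [(n.lower(), v) for n, v in headers]
    hsts = [v for n, v in lower if n == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        if len(hsts) > 1:  # RFC 6797: clients process only the first one
            findings.append("HSTS header sent more than once")
        try:
            d = parse_hsts(hsts[0])
        except ValueError as exc:
            findings.append(f"HSTS invalid: {exc}")
        else:
            max_age = d.get("max-age")
            if not (isinstance(max_age, str) and re.fullmatch(r"\d+", max_age)):
                findings.append("HSTS max-age missing or not an integer")
            elif int(max_age) < MIN_MAX_AGE:
                findings.append(f"HSTS max-age {max_age} below {MIN_MAX_AGE}")
            if "includesubdomains" not in d:
                findings.append("HSTS includeSubDomains missing")
    present = {n for n, _ in lower}
    findings += [f"required header missing: {r}" for r in required if r.lower() not in present]
    return findings

# Constructed sample responses (not captured from a real gateway).
REQUIRED = ["X-Content-Type-Options"]  # assumed second header for illustration
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("X-Content-Type-Options", "nosniff")]
ONLY_LAST = [("X-Content-Type-Options", "nosniff")]  # earlier add_header lost
SHORT = [("strict-transport-security", "max-age=300")]
if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("only_last", ONLY_LAST), ("short", SHORT)]:
        print(name, check_headers(resp, REQUIRED))
```

Feed it the header list from a request made through the gateway over HTTPS; an empty result means the HSTS value and every required header arrived.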