
Custom Header separators

Nuno Aguiar Dynamicweb Employee

Hi,

In Settings > Web and HTTP > Security, we can set custom headers, using semicolon ';' as a separator between multiple headers.

This is mostly because they want to use a custom header for Strict-Transport-Security, which dictates we should really use semi-colons (as values after the comma are sometimes ignored). Here are some sources:

In our case we had to customize it (which was not a big deal):

  • We disabled the checkbox for "Enable 'Strict-Transport-Security: max-age={expire-time}' header - HTST" - had to anyway
  • We removed the value from Custom Headers
  • We updated the CustomHeaderInclude.cshtml template (it's a Swift site) with
    • Dynamicweb.Context.Current.Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");

But I wonder if the platform should consider changing the behavior of Custom Headers so we can use it properly? Because this would introduce a breaking change, maybe using a Feature flag to hide the current field and add a new one that would handle it differently?

Best Regards,

Nuno Aguiar


Replies

Nicolai Pedersen Dynamicweb Employee

Actually you can do this:

Strict-Transport-Security:max-age=31536000;Strict-Transport-Security:includeSubDomains; Strict-Transport-Security:preload;

But I will see if I can change the input field to a textarea and then split by line breaks if present instead of ;

Nuno Aguiar Dynamicweb Employee

Good point, Nicolai. I changed it and removed the template customization.

Thanks

Nuno Aguiar Dynamicweb Employee

Turns out that according to https://securityheaders.com/ (which our customer is using as a guideline), there should only be one header for "Strict-Transport-Policy".

That is fine, as I can use the workaround.

Nicolai Pedersen Dynamicweb Employee
Strict-Transport-Security:max-age=31536000;Strict-Transport-Security:includeSubDomains; Strict-Transport-Security:preload;

Will give one header only - at least on DW10

Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

That's fine (I only have DW10). Oddly enough, I got another request/limitation (from another customer, this time in Rapido): the use of a colon within the value. For example:

  • default-src 'self' data: 'unsafe-eval' 'unsafe-inline' *.agricover.com googleads.g.doubleclick.net www.google-analytics.com www.google.com *.fontawesome.com stats.g.doubleclick.net  (...)

Notice how we have "data:" as part of the value. I tried URL encoding (%3A) and escaping the value using backslash with no success.

If you can take this into consideration as well, it would make this feature more robust.

(for now I guess I'll have to use the workaround)

//Nuno
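To make the two parsing issues raised in this thread concrete (semicolon-separated HSTS directives that must end up in a single header, and CSP values that contain colons such as "data:"), here is an added example that is not Dynamicweb's code; the function name parse_custom_headers and the line-break-versus-semicolon rule are my own assumptions, modelled on the textarea idea above, and the sample values are constructed from the ones quoted in the thread.

```python
# Added illustration (not Dynamicweb's implementation): parse a "Custom Headers"
# field into header name/value pairs while handling the thread's edge cases.
from collections import OrderedDict
from typing import Dict, List


def parse_custom_headers(field: str) -> Dict[str, str]:
    """Parse a custom-headers field value into {header_name: header_value}.

    Rules (assumed, mirroring the suggestion in the thread):
      * If the field contains line breaks, each line is one header entry and
        ';' inside a line is left alone (needed for CSP, which uses ';' itself).
      * Otherwise the field is split on ';' (the current single-line behaviour).
      * Each entry is split on its FIRST ':' only, so colons inside the value
        ("data:", "https:") are preserved instead of producing bogus headers.
      * Repeated header names are merged into one header whose pieces are
        joined with "; ", which is the form HSTS directives expect.
    """
    raw_entries = field.splitlines() if "\n" in field else field.split(";")

    merged: "OrderedDict[str, List[str]]" = OrderedDict()
    for entry in raw_entries:
        entry = entry.strip()
        if not entry:
            continue  # trailing ';' or an empty line
        name, sep, value = entry.partition(":")
        if not sep:
            raise ValueError(f"entry has no ':' between name and value: {entry!r}")
        name, value = name.strip(), value.strip()
        if not name:
            raise ValueError(f"entry has an empty header name: {entry!r}")
        merged.setdefault(name, []).append(value)

    return {name: "; ".join(values) for name, values in merged.items()}


def render_header_lines(headers: Dict[str, str]) -> List[str]:
    """Render parsed headers as 'Name: value' lines, one header per name."""
    return [f"{name}: {value}" for name, value in headers.items()]


if __name__ == "__main__":
    # Constructed sample: the HSTS workaround from the thread, single-line form.
    hsts = ("Strict-Transport-Security:max-age=31536000;"
            "Strict-Transport-Security:includeSubDomains; "
            "Strict-Transport-Security:preload;")
    print(render_header_lines(parse_custom_headers(hsts)))
    # Constructed sample: a CSP with "data:" and a URL, in line-break form.
    csp = ("Content-Security-Policy: default-src 'self' data: *.fontawesome.com; "
           "img-src https://www.google-analytics.com\nX-Frame-Options: DENY")
    print(render_header_lines(parse_custom_headers(csp)))
```

In single-line (semicolon) mode the same CSP value is cut at its own ';', which is the breakage the thread describes and the reason a line-break-separated field is the safer choice for values that legitimately contain ';' or ':'.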
