Configure application headers

An application configuration file can define headers specific to the application or service.

You can customize the header information sent in an HTTP request in a number of ways. You can set custom headers by coding them in your Genero application, or you can add customized HTTP headers to the application or service configuration.

Request headers in the application or service configuration can be useful for passing additional information in the request. One use case would be to add special authentication information, such as tokens, to the headers of HTTP requests.

The GAS configuration has two elements to configure custom HTTP headers:
  • The HEADER element defined in the GAS configuration file (as.xcf). HTTP headers defined here are common to all applications.
  • The HEADER element defined in the application configuration file.

A typical use case for common HTTP headers is setting the HTTP Strict Transport Security (HSTS) headers that comply with Open Web Application Security Project (OWASP) recommendations. Because these headers apply to all applications, best practice is to set them in the GAS configuration file. For examples, see the HEADER (Common) reference topic.

If you need to add headers for a specific application or service, you can set them with a dedicated HEADER tag in the HTTP element of the application configuration file. The GAS adds these headers to every HTTP request to the application or service URL, in addition to the common headers.

In requests to the GAS where the application URL is not used, the common headers are always sent; however, the GAS does not send the dedicated headers. Examples of such requests include requests for public resources, such as images (/ua/i), and reports (/ua/report/). For more information on the use of these headers, see the HEADER (Dedicated) topic.
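The scoping rule above, as an added example (not Genero code and not part of the original documentation): a Python check that models which headers each request path receives and flags security headers configured only per application. The `Name` attribute syntax, the sample paths and the header values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments. The <HEADER Name="...">value</HEADER> form is an
# assumption; check the HEADER (Common) and HEADER (Dedicated) topics.
COMMON_XCF = """<HTTP>
  <HEADER Name="Strict-Transport-Security">max-age=31536000</HEADER>
</HTTP>"""
APP_XCF = """<HTTP>
  <HEADER Name="X-Content-Type-Options">nosniff</HEADER>
  <HEADER Name="X-Auth-Token">PLACEHOLDER</HEADER>
</HTTP>"""

# Request paths the page names as not using the application URL.
NON_APP_PREFIXES = ("/ua/i/", "/ua/report/")

# Headers a reviewer would want on every request path (illustrative list).
SECURITY_HEADERS = {"strict-transport-security", "x-content-type-options",
                    "x-frame-options", "content-security-policy"}


def load_headers(xml_text):
    """Return [(name, value)] for each HEADER element in an HTTP fragment."""
    root = ET.fromstring(xml_text)
    return [(h.get("Name"), (h.text or "").strip()) for h in root.iter("HEADER")]


def effective_headers(path, common, dedicated):
    """Common headers always apply; dedicated ones only on the application URL."""
    if path.startswith(NON_APP_PREFIXES):
        return list(common)
    return list(common) + list(dedicated)


def dedicated_only_security_headers(common, dedicated):
    """Security headers set per application but missing from the common set,
    so absent on resource and report requests."""
    common_names = {name.lower() for name, _ in common}
    return sorted(name for name, _ in dedicated
                  if name.lower() in SECURITY_HEADERS
                  and name.lower() not in common_names)


if __name__ == "__main__":
    common, dedicated = load_headers(COMMON_XCF), load_headers(APP_XCF)
    # Constructed request paths: one application URL, one image, one report.
    for path in ("/ua/r/myapp", "/ua/i/logo.png", "/ua/report/1"):
        print(path, [n for n, _ in effective_headers(path, common, dedicated)])
    print("move to as.xcf:", dedicated_only_security_headers(common, dedicated))
```

Any header the last function reports belongs in the common HEADER set in as.xcf if it must also cover images and reports.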