Set Custom Headers for Content-Security

I’m trying to set some custom Content-Security headers (below) to Mattermost Server. We have the Mattermost server listening on port 443 directly, without any reverse proxy in front of it. The headers I am trying to set are: (this is Apache format)

Header always set X-Frame-Options "GOFORIT"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

In the past, I was using a reverse proxy to rewrite these headers; however, that caused session issues where mobile devices would be logged out weekly, disregarding the session length I had configured in Mattermost Server. Are there any options natively to set these headers?
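Whichever layer ends up emitting the four headers above, it is worth verifying what the server actually sends. The checker below is an added example, not code from the original post or from Mattermost; it evaluates a response-header dictionary against the policy the post describes (valid X-Frame-Options token, nosniff, the legacy X-XSS-Protection header, and an HSTS max-age of at least one year with includeSubDomains) and flags that an unrecognised X-Frame-Options value such as GOFORIT is ignored by browsers.

```python
from typing import Dict, List

REQUIRED_HSTS_MAX_AGE = 31536000          # one year, as requested in the post
VALID_XFO = {"DENY", "SAMEORIGIN"}        # the only tokens browsers honour today


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; lower-case them before lookup
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four headers are acceptable."""
    h = _normalise(headers)
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in VALID_XFO:
        # an unrecognised token is ignored by browsers, so it gives no framing protection
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")   # legacy header, harmless to keep

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        # parse "max-age=N; includeSubDomains" into a directive map
        directives = {}
        for part in hsts.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip()
        try:
            max_age = int(directives.get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < REQUIRED_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} < {REQUIRED_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    # constructed sample: the headers from the post as a server might send them
    sample = {"X-Frame-Options": "GOFORIT", "X-XSS-Protection": "1; mode=block",
              "X-Content-Type-Options": "nosniff",
              "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    for finding in check_security_headers(sample):
        print(finding)
```

Against a live server, `dict(resp.getheaders())` from an `http.client.HTTPSConnection` response can be passed straight to `check_security_headers`.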