FrontMCP applies security headers to every HTTP response, including Content Security Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. Configure them via frontmcp.config server settings --- they are injected as environment variables at build time and read by the built-in middleware.

Quick Start

Add security headers to frontmcp.config.ts:

import { defineConfig } from '@frontmcp/cli';

export default defineConfig({
  name: 'my-server',
  deployments: [{
    target: 'node',
    server: {
      csp: {
        enabled: true,
        directives: "default-src 'self'; script-src 'self' https://cdn.example.com; upgrade-insecure-requests",
        reportOnly: false,
      },
      headers: {
        hsts: 'max-age=31536000; includeSubDomains',
        contentTypeOptions: 'nosniff',
        frameOptions: 'DENY',
      },
    },
  }],
});

Build and deploy --- headers are applied automatically on every response.

CSP Configuration

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| enabled | boolean | false | Enable CSP headers |
| directives | string | --- | Semicolon-separated CSP directives |
| reportUri | string | --- | URI for CSP violation reports |
| reportOnly | boolean | false | Use Content-Security-Policy-Report-Only instead of enforcement |

Value-less CSP directives like upgrade-insecure-requests and block-all-mixed-content are supported. Separate them with semicolons like any other directive.

Example Directives

default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src *; upgrade-insecure-requests

Security Headers

| Header | Config Field | Default | Description |
| --- | --- | --- | --- |
| Strict-Transport-Security | headers.hsts | --- | HSTS policy for HTTPS enforcement |
| X-Content-Type-Options | headers.contentTypeOptions | nosniff | Prevent MIME type sniffing |
| X-Frame-Options | headers.frameOptions | DENY | Clickjacking protection |
| Custom headers | headers.custom | --- | Record of additional header name-value pairs |

X-Content-Type-Options: nosniff and X-Frame-Options: DENY are applied by default even without explicit configuration. Set them to empty strings to disable.

Environment Variables

All settings are injected as environment variables at build time by the deployment adapter:

| Variable | Maps To |
| --- | --- |
| FRONTMCP_CSP_ENABLED | server.csp.enabled |
| FRONTMCP_CSP_DIRECTIVES | server.csp.directives |
| FRONTMCP_CSP_REPORT_URI | server.csp.reportUri |
| FRONTMCP_CSP_REPORT_ONLY | server.csp.reportOnly |
| FRONTMCP_HSTS | server.headers.hsts |
| FRONTMCP_CONTENT_TYPE_OPTIONS | server.headers.contentTypeOptions |
| FRONTMCP_FRAME_OPTIONS | server.headers.frameOptions |

You can override these at runtime without rebuilding:

FRONTMCP_CSP_ENABLED=1 \
FRONTMCP_CSP_DIRECTIVES="default-src 'none'" \
FRONTMCP_HSTS="max-age=0" \
node dist/main.js
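To see what a given environment will produce before deploying, the following added example (not FrontMCP's or the SDK's own code) reimplements the documented variable-to-header mapping as a pure function. It assumes the truthy spellings accepted for the boolean variables ('1', 'true', 'yes') and that a report URI is appended as a report-uri directive; for real middleware use the @frontmcp/sdk functions described below.

```javascript
// Added example: a stand-alone mirror of the documented env -> header mapping.
// Function names are hypothetical, not @frontmcp/sdk exports.

// Assumption: these spellings count as "enabled" for the boolean variables.
const TRUTHY = new Set(['1', 'true', 'yes']);

function isEnabled(value) {
  return value !== undefined && TRUTHY.has(String(value).trim().toLowerCase());
}

// Returns { name, value } for the CSP header, or null when CSP is disabled
// or no directives are configured.
function cspHeaderFromEnv(env) {
  if (!isEnabled(env.FRONTMCP_CSP_ENABLED)) return null;
  const directives = (env.FRONTMCP_CSP_DIRECTIVES || '')
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean); // keeps value-less directives like upgrade-insecure-requests
  if (directives.length === 0) return null;
  // Assumption: reportUri becomes a trailing report-uri directive.
  if (env.FRONTMCP_CSP_REPORT_URI) {
    directives.push(`report-uri ${env.FRONTMCP_CSP_REPORT_URI}`);
  }
  const name = isEnabled(env.FRONTMCP_CSP_REPORT_ONLY)
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  return { name, value: directives.join('; ') };
}

// Full header set: nosniff and DENY apply when the variable is absent,
// an empty string disables that header, HSTS is only sent when configured.
function securityHeadersFromEnv(env) {
  const pick = (key, fallback) => (env[key] === undefined ? fallback : env[key]);
  const headers = {};
  const hsts = pick('FRONTMCP_HSTS', '');
  const cto = pick('FRONTMCP_CONTENT_TYPE_OPTIONS', 'nosniff');
  const xfo = pick('FRONTMCP_FRAME_OPTIONS', 'DENY');
  if (hsts) headers['Strict-Transport-Security'] = hsts;
  if (cto) headers['X-Content-Type-Options'] = cto;
  if (xfo) headers['X-Frame-Options'] = xfo;
  const csp = cspHeaderFromEnv(env);
  if (csp) headers[csp.name] = csp.value;
  return headers;
}

// Constructed sample: the runtime override shown above.
const sampleEnv = {
  FRONTMCP_CSP_ENABLED: '1',
  FRONTMCP_CSP_DIRECTIVES: "default-src 'none'",
  FRONTMCP_HSTS: 'max-age=0',
};
console.log(securityHeadersFromEnv(sampleEnv));
```

Note that max-age=0, as in the override above, tells browsers to discard any HSTS policy they previously cached for the host, so use it deliberately rather than as a "disabled" value.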

Programmatic Access

For custom middleware or adapters, use the security header functions directly:

import {
  readCspFromEnv,
  buildCspHeaderValue,
  getCspHeaderName,
  readSecurityHeadersFromEnv,
  applySecurityHeaders,
} from '@frontmcp/sdk';

// Read configuration from environment
const csp = readCspFromEnv();
const headers = readSecurityHeadersFromEnv();

// Apply to a response
applySecurityHeaders(res, headers, csp);

// Or build the CSP header value manually
if (csp?.enabled) {
  const headerName = getCspHeaderName(csp.reportOnly); // 'Content-Security-Policy' or '...-Report-Only'
  const headerValue = buildCspHeaderValue(csp);
  res.setHeader(headerName, headerValue);
}

Report-Only Mode

Use reportOnly: true to test CSP rules without blocking content:

server: {
  csp: {
    enabled: true,
    directives: "default-src 'self'",
    reportUri: 'https://report.example.com/csp',
    reportOnly: true,  // violations are reported, not blocked
  },
}

This sets the Content-Security-Policy-Report-Only header instead of Content-Security-Policy, allowing you to monitor violations before enforcing the policy.
