Skip to main content
FrontMCP applies security headers to every HTTP response, including Content Security Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options. Configure them via frontmcp.config server settings --- they are injected as environment variables at build time and read by the built-in middleware.

Quick Start

Add security headers to frontmcp.config.ts: 
import { defineConfig } from 'frontmcp';

export default defineConfig({
  name: 'my-server',
  deployments: [{
    target: 'node',
    server: {
      csp: {
        enabled: true,
        directives: {
          'default-src': "'self'",
          'script-src': "'self' https://cdn.example.com",
          'upgrade-insecure-requests': '',
        },
        reportOnly: false,
      },
      headers: {
        hsts: 'max-age=31536000; includeSubDomains',
        contentTypeOptions: 'nosniff',
        frameOptions: 'DENY',
      },
    },
  }],
});
Build and deploy --- headers are applied automatically on every response.

CSP Configuration

FieldTypeDefaultDescription
enabledbooleanfalseEnable CSP headers
directivesRecord<string, string | string[]>---Map of directive name to value(s)
reportUristring---URI for CSP violation reports
reportOnlybooleanfalseUse Content-Security-Policy-Report-Only instead of enforcement
Value-less CSP directives like upgrade-insecure-requests and block-all-mixed-content are supported — set the value to an empty string ('').

Example Directives

directives: {
  'default-src': "'self'",
  'script-src': "'self' https://cdn.example.com",
  'style-src': "'self' 'unsafe-inline'",
  'img-src': '*',
  'upgrade-insecure-requests': '',
}

Security Headers

HeaderConfig FieldDefaultDescription
Strict-Transport-Securityheaders.hsts---HSTS policy for HTTPS enforcement
X-Content-Type-Optionsheaders.contentTypeOptionsnosniffPrevent MIME type sniffing
X-Frame-Optionsheaders.frameOptionsDENYClickjacking protection
Custom headersheaders.custom---Record of additional header name-value pairs
X-Content-Type-Options: nosniff and X-Frame-Options: DENY are applied by default even without explicit configuration. Set them to empty strings to disable.

Environment Variables

All settings are injected as environment variables at build time by the deployment adapter:
VariableMaps To
FRONTMCP_CSP_ENABLEDserver.csp.enabled
FRONTMCP_CSP_DIRECTIVESserver.csp.directives
FRONTMCP_CSP_REPORT_URIserver.csp.reportUri
FRONTMCP_CSP_REPORT_ONLYserver.csp.reportOnly
FRONTMCP_HSTSserver.headers.hsts
FRONTMCP_CONTENT_TYPE_OPTIONSserver.headers.contentTypeOptions
FRONTMCP_FRAME_OPTIONSserver.headers.frameOptions
You can override these at runtime without rebuilding: 
FRONTMCP_CSP_ENABLED=1 \
FRONTMCP_CSP_DIRECTIVES="default-src 'none'" \
FRONTMCP_HSTS="max-age=0" \
node dist/main.js

Programmatic Access

For built-in HTTP transport targets, FrontMCP applies the configured security headers during HTTP response handling. For custom transport adapters, header application is your adapter’s responsibility — wire equivalent logic into the response pipeline yourself. The internal helper utilities are not part of the public @frontmcp/sdk API; if you need them re-exported, open a feature request rather than importing from repository-internal source paths.

Report-Only Mode

Use reportOnly: true to test CSP rules without blocking content: 
server: {
  csp: {
    enabled: true,
    directives: {
      'default-src': "'self'",
    },
    reportUri: 'https://report.example.com/csp',
    reportOnly: true,  // violations are reported, not blocked
  },
}
This sets the Content-Security-Policy-Report-Only header instead of Content-Security-Policy, allowing you to monitor violations before enforcing the policy.

Configuration File

Full configuration reference

Production Build

Build and deploy for production