Does Astro HTTP inject default headers?

No. Astro HTTP injects nothing by default. Only headers explicitly enabled in the config file are sent.

Does Astro HTTP mutate headers at runtime?

No. All headers are resolved once, frozen, and applied deterministically via Astro middleware.

What happens if the config fails to load?

The plugin fails closed. No headers are applied if the configuration cannot be safely loaded.

Astro Integration

Astro HTTP

Declarative, fail-closed HTTP response headers for Astro — no defaults, no mutation, no magic.

npm package GitHub repository

Usage snapshot

239

Downloads in the last 30 days

Latest npm version · v1.0.1

Source: npm registry

Why this plugin exists

HTTP response headers control security, privacy, caching, and browser behaviour — yet are often managed through opaque defaults or layered middleware.

Astro HTTP gives you a single, explicit configuration file as the sole source of truth for which headers exist.

If a header is not enabled, it does not exist. If configuration fails, no headers are applied.

What it delivers

Design principles

Fail-closed security model
Single source of truth configuration
Zero implicit defaults
No runtime mutation
Auditable, boring behaviour

What this plugin does

Declarative HTTP response header configuration
Explicit enable/disable per header
Security header enforcement
Cross-origin isolation controls
Cache and legacy header support
Custom header passthrough
Deep-frozen configuration
Fails closed on error

Installation

npm install astro-http

On first run, a default astro-http.config.js file is generated in the project root and never overwritten.

Project links

Source code, releases, documentation, and contribution guidelines.

npm package GitHub repository

Want the deep dive?

Read the FAQs for implementation details, design rationale, and integration guidance.

View plugin FAQs