Velohost

Astro Integration

Astro HTTP

Declarative, fail-closed HTTP response headers for Astro — no defaults, no mutation, no magic.

Last Updated: 01 April 2026

Usage Snapshot

  • Downloads in Last 30 Days: 154
  • Latest npm Version: v1.0.2

Source: npm registry

Why This Plugin Exists

HTTP response headers control security, privacy, caching, and browser behaviour — yet are often managed through opaque defaults or layered middleware.

Astro HTTP gives you a single, explicit configuration file as the sole source of truth for which headers exist.

If a header is not enabled, it does not exist. If configuration fails, no headers are applied.

Design Principles

  • Fail-closed security model
  • Single source of truth configuration
  • Zero implicit defaults
  • No runtime mutation
  • Auditable, boring behaviour

What This Plugin Delivers

  • Declarative HTTP response header configuration
  • Explicit enable/disable per header
  • Security header enforcement
  • Cross-origin isolation controls
  • Cache and legacy header support
  • Custom header passthrough
  • Deep-frozen configuration
  • Fails closed on error

Installation

npm install astro-http

On first run, a default astro-http.config.js file is generated in the project root and never overwritten.

FAQs

Does Astro HTTP inject default headers?

No. Astro HTTP injects nothing by default. Only headers explicitly enabled in the config file are sent.

Does Astro HTTP mutate headers at runtime?

No. All headers are resolved once, frozen, and applied deterministically via Astro middleware.

What happens if the config fails to load?

The plugin fails closed. No headers are applied if the configuration cannot be safely loaded.

Implementation FAQs

How does Astro HTTP apply headers?

Headers are applied using Astro middleware based on a single configuration file loaded at startup.

Are any headers enabled by default?

No. Only headers explicitly enabled in the configuration file are sent.

Does Astro HTTP mutate headers after load?

No. Configuration values are deep-frozen and cannot be mutated at runtime.

What happens if configuration loading fails?

Astro HTTP fails closed. No headers are applied if safe loading cannot be guaranteed.

Can I define custom headers?

Yes. Custom headers are sent verbatim without validation or transformation.

Are cross-origin headers enabled by default?

No. Cross-origin headers are disabled by default and must be explicitly enabled.
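
The resolve-once, deep-freeze, fail-closed behaviour described in the FAQs above, sketched as an added example (not astro-http's own code). The config shape, the function names and the sample values are assumptions made for this illustration.

```javascript
// Added illustration. The config shape ({ headers: { name: { enabled, value } }, custom: {} })
// is an assumption for this sketch, not astro-http's actual schema.
function deepFreeze(obj) {
  for (const value of Object.values(obj)) {
    if (value && typeof value === "object") deepFreeze(value);
  }
  return Object.freeze(obj);
}

const NO_HEADERS = Object.freeze([]);

// Resolve once at startup. Any error yields NO_HEADERS (fail closed):
// a partially built header set is never returned.
function resolveHeaders(config) {
  try {
    if (!config || typeof config !== "object") throw new TypeError("config must be an object");
    const resolved = [];
    for (const [name, entry] of Object.entries(config.headers ?? {})) {
      if (entry?.enabled !== true) continue; // not explicitly enabled: header does not exist
      if (typeof entry.value !== "string" || entry.value === "") {
        throw new TypeError(`${name} is enabled but has no value`);
      }
      resolved.push([name, entry.value]);
    }
    for (const [name, value] of Object.entries(config.custom ?? {})) {
      if (typeof value !== "string") throw new TypeError(`custom header ${name} must be a string`);
      resolved.push([name, value]); // custom headers pass through verbatim
    }
    return deepFreeze(resolved);
  } catch {
    return NO_HEADERS;
  }
}

// Apply the frozen list to anything with a Headers-style set(), e.g. response.headers.
function applyHeaders(headers, resolved) {
  for (const [name, value] of resolved) headers.set(name, value);
  return headers;
}

// Constructed sample config.
const sampleConfig = {
  headers: {
    "X-Content-Type-Options": { enabled: true, value: "nosniff" },
    "Referrer-Policy": { enabled: false, value: "no-referrer" },
  },
  custom: { "X-Build": "constructed-example" },
};
const sampleResolved = resolveHeaders(sampleConfig);
```

With this model, one invalid entry means responses go out with no configured headers at all, security headers included, so a deployment check that asserts the expected headers on a live response is a useful companion.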
