Native Support for Security Response Headers

Custom Security Headers (CSP, X-Frame-Options, etc.)

Problem:
Base44 does not support custom HTTP response headers. Because sites are hosted on Render and the header layer is not exposed to users, critical security headers (e.g., CSP, HSTS, X-Frame-Options) cannot be configured, and apex domains cannot be routed through external tools such as Cloudflare Workers to inject them. This is not a minor limitation; it is a critical blocker for enterprise, government and security-sensitive adoption.

Impact:

  • ❌ No Content-Security-Policy (CSP)

  • ❌ No clickjacking protection (X-Frame-Options)

  • ❌ Fails security scans and audits (e.g., OWASP header checks)

  • ❌ Blocks compliance (ISO 27001…)

  • ❌ Not viable for secure/enterprise deployments

Request:
Add support for custom response headers via:

  • Simple UI (preferred), or

  • Config file (e.g. _headers, headers.json)

Why it matters:
Security headers are baseline, not optional. Competing platforms already support this; without it, Base44 can’t be used for production-grade secure apps.

Because response headers are controlled at the infrastructure level (via Render) and not exposed to users:

  • Apex domains cannot enforce security controls

  • External controls (e.g., Cloudflare Workers) are ineffective for primary domains

  • There is no supported workaround

This places Base44 at a disadvantage compared to modern platforms (e.g., Vercel, Netlify), where header control is standard.

Competitive Positioning Risk

Platforms like Vercel and Netlify already provide:

  • Header configuration via UI or config files

  • Fine-grained, route-level control

  • Seamless CDN integration

Base44, by comparison, is currently:

  • ❌ Not suitable for production-grade secure workloads

  • ❌ Excluded from enterprise evaluation pipelines

  • ❌ Perceived as lacking fundamental security controls

Without security headers:

  • Applications fail penetration testing and audits

  • Platforms are deemed non-compliant by default

  • Security teams block deployment entirely

This is not a “nice-to-have”; it is a procurement blocker.

Requested Capability

Introduce native support for custom HTTP response headers, including:

  • Content-Security-Policy (CSP)

  • Strict-Transport-Security (HSTS)

  • X-Frame-Options (or the CSP frame-ancestors directive) for clickjacking protection

  • X-Content-Type-Options, Referrer-Policy, Permissions-Policy
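To make the request above concrete, here is an added example (not code from Base44, Render, or Netlify, and not part of the original post): the baseline header set listed under "Requested Capability", rendered in the `_headers` file syntax that the "Config file" option refers to (the path-pattern-then-indented-headers layout Netlify uses), plus a small audit function that reports the findings a header-focused security scan would raise. The CSP value, the one-year HSTS threshold, the finding messages and the two sample responses are this example's own choices, not anything the platform documents.

```javascript
// Added example, not code from Base44, Render or Netlify: the baseline header set
// requested above, rendered in Netlify's `_headers` file syntax, plus an audit that
// reports what a header-focused security scan would flag as missing or weakened.
// The CSP value and the one-year HSTS threshold are this example's own choices.

const BASELINE_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Render a header map as a `_headers` file: a path pattern line, then one
// indented "Name: value" line per header. "/*" applies the block to every route.
function renderHeadersFile(headers, path = "/*") {
  const lines = [path];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`  ${name}: ${value}`);
  }
  return lines.join("\n") + "\n";
}

// Audit a response's headers (names matched case-insensitively, as HTTP requires).
// Returns a list of findings; an empty list means the baseline is present and not
// obviously weakened. Mirrors the checks a scanner runs; it is not a full CSP evaluator.
function auditSecurityHeaders(responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("missing Content-Security-Policy");
  } else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) {
    findings.push("CSP script-src allows 'unsafe-inline'");
  }

  // Clickjacking: CSP frame-ancestors is the current control, X-Frame-Options the legacy one.
  const hasFrameAncestors = Boolean(csp) && /frame-ancestors/i.test(csp);
  if (!hasFrameAncestors && !h["x-frame-options"]) {
    findings.push("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)");
  }

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push("HSTS max-age below one year");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not 'nosniff'");
  }
  if (!h["referrer-policy"]) findings.push("missing Referrer-Policy");
  if (!h["permissions-policy"]) findings.push("missing Permissions-Policy");

  return findings;
}

// Constructed sample: what a site with no configurable headers typically returns.
const NO_HEADERS_RESPONSE = { "content-type": "text/html; charset=utf-8" };
// Constructed sample: headers present but weakened.
const WEAK_RESPONSE = {
  "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=300",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer",
  "Permissions-Policy": "camera=()",
};

console.log(renderHeadersFile(BASELINE_HEADERS));
console.log("no headers:", auditSecurityHeaders(NO_HEADERS_RESPONSE));
console.log("weak:", auditSecurityHeaders(WEAK_RESPONSE));
console.log("baseline:", auditSecurityHeaders(BASELINE_HEADERS));
```

Running the audit against a live site only needs the response headers from a `fetch` or `curl -I`; the point of the example is that the six checks above are exactly the kind a scanner performs, and without a header configuration surface the first sample (no headers at all) is what the platform currently serves.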

Status: In Review
Board: Feature Request
Date: About 2 hours ago
Author: slaz