[Bug]: HTTP Response Headers not applying Globally using Caddy Proxy Dynamic Config

[sibowilldo]

Error Message and Logs

I am attempting to apply HSTS, X-Content-Type-Options and other security header responses using Servers > Proxy > Dynamic Configurations > +Add.

The snippet is as below, copied from Caddy docs

:443 {
    header {
        # disable FLoC tracking
        Permissions-Policy interest-cohort=()

        # enable HSTS
        Strict-Transport-Security max-age=31536000;

        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff

        # clickjacking protection
        X-Frame-Options DENY
    }
}

These unfortunately do not reflect on the websites deployed on this server.

➜ curl -I https://domain
  
HTTP/2 200 
alt-svc: h3=":443"; ma=2592000
content-type: text/html; charset=UTF-8
date: Fri, 05 Dec 2025 12:12:30 GMT
link: <https://domain/wp-json/>; rel="https://api.w.org/"
link: <https://domain/wp-json/wp/v2/pages/1105>; rel="alternate"; title="JSON"; type="application/json"
link: <https://domain/>; rel=shortlink
x-powered-by: PHP/8.3.28
x-tec-api-origin: https://domain
x-tec-api-root: https://domain/wp-json/tribe/events/v1/
x-tec-api-version: v1

Steps to Reproduce

1. Using Coolify v4.0.0-beta.452, with Caddy2 as Proxy
2. Navigate to Servers > Proxy Tab > Dynamic Configuration sub section > Add Dynamic Configuration
3. Restart Proxy
4. Restart Application/s

Example Repository URL

No response

Coolify Version

v4.0.0-beta.452

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

Ubuntu 24.04

Additional Information

No response

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and agent prompts for this issue.

• Create Plan

Examples

• Example 1
• Example 2

🔗 Similar & Duplicate Issues

Possible Duplicates

• ISSUE-5640

Related Issues

• coollabsio/coolify#5640
• coollabsio/coolify#5954
• coollabsio/coolify#7193
• coollabsio/coolify#5814
• coollabsio/coolify#6279

👤 Suggested Assignees

• LaurenceJJones
• Zyles
• NoorChasib
• david-forer
• nicitaacom

---

🧪 Issue enrichment is currently in early access.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

[sibowilldo]

The only configuration it has accepted so far is this one below, however it defeats the purpose, as the intention is to automatically apply the response headers to all applications that use the proxy

domain {
    header {
        Strict-Transport-Security max-age=31536000;
        ...
    }
}

[djsisson]

lucaslorentz/caddy-docker-proxy creates blocks for each set of labels it finds, and then caddy will use the most specific block, so it will only use the domain blocks and not the general :443 block as thats just a catch all

which is why you see it working on your domain, afaik there is no global headers options, you can maybe create a snippet and then add the import label on each container you want those headers

[Cinzya]

I am going to move this into the discussions, as it is not a bug but just not the correct configuration. Someone from the community can maybe give you a hint, or maybe you find a way to implement djsissons suggestions and then can share it for others.