deis / router

Edge router for Deis Workflow

Home Page: https://deis.com


Clickjacking prevention header? X-Frame-Options

chexxor opened this issue

Are the following headers outside the domain of deis-router?

For stronger security, the "X-Frame-Options: SAMEORIGIN | DENY | ALLOW-FROM uri;" header can be used to prevent clickjacking.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header

The "X-Content-Type-Options: nosniff;" header seems to be recommended for security, also:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

I got these ideas by reading this, which seems reliable: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Those are both response headers. As long as your application sets them, they will be included in the response from the router.
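Added example (Go; not code from the Deis router or from this thread): an application-side handler wrapper that sets both headers on every response, plus an audit helper a reviewer can run against any captured response to confirm the headers are present and sensible after they pass through the router. The choice of `DENY` as the policy value and the wording of the findings are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// securityHeaders wraps any http.Handler and sets the two response headers
// discussed in the issue. DENY is an assumed policy; an app that frames its
// own pages would use SAMEORIGIN instead.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// checkHeaders audits a response's headers and returns one finding per problem;
// an empty slice means both headers are present with acceptable values.
func checkHeaders(h http.Header) []string {
	var findings []string
	xfo := strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options")))
	switch {
	case xfo == "DENY" || xfo == "SAMEORIGIN":
		// acceptable: framing is refused or limited to the same origin
	case strings.HasPrefix(xfo, "ALLOW-FROM "):
		findings = append(findings, "X-Frame-Options uses ALLOW-FROM, which modern browsers ignore")
	case xfo == "":
		findings = append(findings, "X-Frame-Options missing: page can be framed (clickjacking)")
	default:
		findings = append(findings, "X-Frame-Options has unexpected value: "+xfo)
	}
	if !strings.EqualFold(strings.TrimSpace(h.Get("X-Content-Type-Options")), "nosniff") {
		findings = append(findings, "X-Content-Type-Options missing or not nosniff: MIME sniffing allowed")
	}
	return findings
}

func main() {
	// Constructed sample app: a handler that sets no security headers itself.
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "hello") })
	for name, h := range map[string]http.Handler{"bare app": app, "wrapped app": securityHeaders(app)} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
		fmt.Printf("%s: %v\n", name, checkHeaders(rec.Result().Header))
	}
}
```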

Thanks @krancour! I didn't even think to check the header type - I saw it's an nginx setting, so I presumed only nginx could set it. :)