Custom headers are HTTP response headers sent from the server to the browser when someone visits your site. They control how browsers interact with your website, including security policies and cross-origin resource sharing. Common use cases are headers like X-Frame-Options, to prevent clickjacking attacks, and Content-Security-Policy, to mitigate XSS attacks.
Custom headers are part of Advanced Hosting, available as an add-on on Pro, Scale, and Enterprise plans.
On the Framer dashboard, select your domain in the sidebar, and navigate to the Headers tab.

Click the Plus icon on the right
Define the path where the header should apply (e.g., /, /blog/*, /login)
Select the header name (e.g., X-Frame-Options)
Enter the header value (e.g., DENY, SAMEORIGIN)
Click on Add to save your header
Open your project and re-publish

There is an allowlist of supported headers in the UI. The list focuses on headers that are commonly useful and safe to expose, such as security policies and reporting endpoints.
If you need a header that is not listed, you can request it and it can be added to the allowlist, as was done for reporting endpoints.
The Custom Headers UI currently supports the following response headers:
Permissions-Policy
Referrer-Policy
Strict-Transport-Security
X-Frame-Options
Content-Security-Policy
Content-Security-Policy-Report-Only
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Feature-Policy
Reporting-Endpoints
Server
X-Content-Type-Options
X-Robots-Tag
X-XSS-Protection
Some entries require upgrading; the dashboard will indicate this with an upgrade badge next to the header name.
Custom Headers support flexible path matching:
/ applies to the homepage only
/page applies to the exact path
/page/* applies to all pages under /page
/* applies to all pages on your site
You can reorder your custom headers by dragging them in the list. The order determines which header takes precedence when multiple rules match the same path.
Framer automatically sets certain default headers for all sites. You can view these in the Headers tab under the "Default" section. Custom headers you add will supplement or override these defaults where applicable.
The most relevant security defaults are:
Strict-Transport-Security: max-age=31536000 — enforces HTTPS for one year. You can override this with a custom Strict-Transport-Security rule, for example to extend the max-age, add includeSubDomains, or change the preload behavior.
X-Content-Type-Options: nosniff — prevents the browser from MIME-sniffing responses.

Locale expansion is an option that automatically prefixes your path with all enabled locale codes (for example /nl, /de) at publish time so one rule can match every locale.
Note: Automatic locale expansion only prefixes the path with the locale code. It doesn't support localized paths and slugs. If your rule explicitly references a localized path, you have to manually add one additional rule for each locale.
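To make the path-matching, precedence, default-override and locale-expansion behaviour described above concrete, here is a small model of those rules. This is an added example, not Framer's code or configuration; it assumes that when several matching rules set the same header the rule listed first wins, and that /page/* matches only pages below /page.

```python
from dataclasses import dataclass

# Platform defaults as listed on the page; a custom rule for the same name overrides them.
DEFAULT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}

@dataclass
class Rule:
    path: str                    # /, /page, /page/* or /*
    name: str                    # response header name
    value: str                   # response header value
    locale_expand: bool = False  # opt in to publish-time locale prefixing

def path_matches(pattern: str, request_path: str) -> bool:
    """The four path forms from the page. Assumption: '/page/*' matches only pages
    below /page, so /page itself needs its own exact rule."""
    if pattern.endswith("/*"):
        return request_path.startswith(pattern[:-1])  # '/*' -> '/', '/page/*' -> '/page/'
    return request_path == pattern

def expand_locales(rules, locales):
    """Publish-time locale expansion: keep each rule and add one copy per locale code.
    Only the prefix is added; a localized slug (e.g. /nl/inloggen) still needs its own rule."""
    out = []
    for r in rules:
        out.append(r)
        if r.locale_expand:
            for code in locales:
                suffix = "" if r.path == "/" else r.path
                out.append(Rule(f"/{code}{suffix}", r.name, r.value))
    return out

def effective_headers(rules, request_path):
    """Headers the visitor receives. Assumption: when several rules set the same header
    on a matching path, the rule listed first wins; custom rules then override defaults."""
    chosen = {}
    for r in rules:
        if r.name not in chosen and path_matches(r.path, request_path):
            chosen[r.name] = r.value
    return {**DEFAULT_HEADERS, **chosen}

# Constructed rule set: the specific /embed/* rule is listed above the /* catch-all on purpose.
RULES = expand_locales([
    Rule("/embed/*", "X-Frame-Options", "SAMEORIGIN"),
    Rule("/*", "X-Frame-Options", "DENY"),
    Rule("/login", "Content-Security-Policy", "default-src 'self'", locale_expand=True),
    Rule("/*", "Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
], locales=["nl", "de"])

if __name__ == "__main__":
    for p in ["/", "/embed/widget", "/embed", "/login", "/nl/login", "/fr/login"]:
        print(p, effective_headers(RULES, p))
```

Reordering the two X-Frame-Options rules in RULES shows why drag-ordering matters: with the catch-all first, /embed/* pages would also receive DENY.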
Header: X-Frame-Options
Value: DENY
Path: /*
This prevents your site from being embedded in iframes on other domains.
Header: X-Frame-Options
Value: SAMEORIGIN
Path: /*
This allows your site to be embedded in iframes, but only on your own domain.
When you use custom headers alongside Multi Site rewrites, you configure headers on your main project (the one with the custom domain). You can set headers for any path on your domain, including paths that are rewritten to other locations.
Important: Only custom headers set on your main project are applied to responses. If a path is rewritten to another Framer project or external origin, any custom headers configured on those target projects are not forwarded.
Let's say you have:
Project A with domain example.com (your main project)
Project B with domain blog-project.com
A rewrite rule on Project A: /blog/:slug → blog-project.com/blog/:slug
When a visitor accesses example.com/blog/post:
Custom headers you set on Project A for /blog/* will be applied
Custom headers set on Project B will NOT be forwarded
This applies to both Framer project rewrites and external origin rewrites. Always configure your Custom Headers on the main project where your domain is connected.