# Web Security

## Access Control Allow Origins

`--access-control-allow-origins`

Type: String\[]

Default: \["\*"]

Accepts a comma-separated lists of origin domains that will be allowed as the Access-Control-Allow-Origin HTTP header. Defaults to \* if not set which allows all origin domains.

## Secure Header Development

`--secure-header-development`

Type: Boolean

Default: true

If set, runs our secure header middleware in development mode, which disables some of the options. The default is true to make it easy to run a node locally. See <https://github.com/unrolled/secure> for more info.

## Secure Header Allow Hosts

`--secure-header-allow-hosts`

Type: String\[]

Default: \[],

This is the domain that our secure middleware will accept requests from. We also set the HTTP Access-Control-Allow-Origin

##