pub fn security_headers(cfg: &HeadersCfg) -> Vec<(&'static str, String)>Expand description
The constant security response headers EdgeGuard injects, derived from the [headers]
policy. This is the single source of truth shared by the live response-hardening path
([harden_response]) and the static-host config generator (crate::generate), so a
generated _headers file / edge-middleware snippet matches exactly what the proxy would add
at runtime. Returns (name, value) pairs with canonically-cased names (for readable
generated output); the proxy normalizes the case when it inserts them.
Cookie hardening and leaky-header stripping are deliberately not here: both rewrite the
upstream’s actual response (Set-Cookie, Server/X-Powered-By), which a static file that
can only “always add this header” cannot express. The generator documents that gap; the
WASM worker, which sees the real response, applies them too.