Support for Adding Custom HTTP Response Headers (HSTS) in Janus WebRTC Server

Rohit · March 11, 2026, 10:59am

We have Janus WebRTC Server deployed behind HTTPS and performing a security assessment from the security team.

During the vulnerability scan, the following issue was identified:

HSTS Missing From HTTPS Server (RFC 6797)

The scan indicates that the server does not return the Strict-Transport-Security header in HTTPS responses, which is recommended by RFC 6797 to enforce secure connections and prevent protocol downgrade attacks.

Example header expected:

Strict-Transport-Security: max-age=31536000; includeSubDomains

From my review of the configuration and documentation, it appears that Janus currently does not provide a built-in mechanism to add custom HTTP response headers to responses generated by the internal web server.

Because of this limitation, it is difficult to implement HSTS compliance directly within Janus, which may cause security scanners to flag the service.

Questions

Is there any supported way to add custom HTTP headers (such as Strict-Transport-Security) in the built-in Janus HTTP/HTTPS server?
If not, is this feature planned for future releases?
Is the recommended approach to place Janus behind a reverse proxy (e.g., Nginx/Apache) and add the HSTS header there?

Any guidance from the community or maintainers would be appreciated.

lorenzo · March 13, 2026, 2:26am

This was brought up by someone else already. As we told them, we’re not planning to do that, for a few different reasons:

We don’t recommend enabling the HTTPS support in the Janus HTTP plugin itself. You should just keep HTTP there, and delegate HTTPS support to a proxy instead (see docs). This keeps Janus lighter, and ensures you leave HTTPS and HTTP stuff to a component that’s much better equipped than our tiny integrated web server.
Anything we add to the HTTP plugin should be added to the WebTransport plugin for the same reason. While I think tinkering with headers should be relatively easy with libmicrohttpd, I think it’s harder in libwebsockets. But again, we always recommend proxying the WebSocket API too, so that HTTPS termination is left to more robust components (like nginx or httpd).

Topic		Replies	Views
RTSP to WebRTC streaming in IP cameras General	1	997	August 29, 2023
Enable DTLS-SRTP in janus-gateway server with sip plugin General sip	2	83	March 3, 2025
In response to a 'secure' offerless SIP Invite, the Janus WebRTC server is missing SDES in the offer SIP 200OK with SDP General sip	3	50	January 23, 2026
How ou where to get these followings Janus Server's parameters required by my Web App? General	0	141	May 12, 2023
How to fix these Warnings that appear after installing Janus WebRTC and Redis on Ubuntu 20.04 LTS? General	4	163	May 2, 2023

Support for Adding Custom HTTP Response Headers (HSTS) in Janus WebRTC Server

Questions

Related topics