HTTP Headers are a great booster for web security with easy implementation. Proper HTTP response headers can help prevent security vulnerabilities like Cross-Site Scripting, Clickjacking, Information disclosure and more.
In this cheat sheet, we will review all security-related HTTP headers, recommended configurations, and reference other sources for complicated headers.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Content Security Policy (CSP) frame-ancestors directive obsoletes X-Frame-Options for supporting browsers (source).
X-Frame-Options header is only useful when the HTTP response where it is included has something to interact with (e.g. links, buttons). If the HTTP response is a redirect or an API returning JSON data, X-Frame-Options does not provide any security.
Use Content Security Policy (CSP) frame-ancestors directive if possible.
Do not allow displaying of the page in a frame.
X-Frame-Options: DENY
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
WARNING: Even though this header can protect users of older web browsers that don't yet support CSP, in some cases, this header can create XSS vulnerabilities in otherwise safe websites source.
Use a Content Security Policy (CSP) that disables the use of inline JavaScript.
Do not set this header or explicitly turn it off.
X-XSS-Protection: 0
Please see Mozilla X-XSS-Protection for details.
The X-Content-Type-Options response HTTP header is used by the server to indicate to the browsers that the MIME types advertised in the Content-Type headers should be followed and not guessed.
This header is used to block browsers' MIME type sniffing, which can transform non-executable MIME types into executable MIME types (MIME Confusion Attacks).
Set the Content-Type header correctly throughout the site.
X-Content-Type-Options: nosniff
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.
Referrer policy has been supported by browsers since 2014. Today, the default behavior in modern browsers is to no longer send all referrer information (origin, path, and query string) to the same site but to only send the origin to other sites. However, since not all users may be using the latest browsers we suggest forcing this behavior by sending this header on all responses.
Referrer-Policy: strict-origin-when-cross-origin
- NOTE: For more information on configuring this header please see Mozilla Referrer-Policy.
The Content-Type representation header is used to indicate the original media type of the resource (before any content encoding is applied for sending). If not set correctly, the resource (e.g. an image) may be interpreted as HTML, making XSS vulnerabilities possible.
Although it is recommended to always set the Content-Type header correctly, it would constitute a vulnerability only if the content is intended to be rendered by the client and the resource is untrusted (provided or modified by a user).
Content-Type: text/html; charset=UTF-8
- NOTE: the
charsetattribute is necessary to prevent XSS in HTML pages - NOTE: the
text/htmlcan be any of the possible MIME types
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
This is not a security header per se, but its security attributes are crucial.
- Please read Session Management Cheat Sheet for a detailed explanation on cookie configuration options.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- NOTE: Read carefully how this header works before using it. If the HSTS header is misconfigured or if there is a problem with the SSL/TLS certificate being used, legitimate users might be unable to access the website. For example, if the HSTS header is set to a very long duration and the SSL/TLS certificate expires or is revoked, legitimate users might be unable to access the website until the HSTS header duration has expired.
Please checkout HTTP Strict Transport Security Cheat Sheet for more information.
The Expect-CT header lets sites opt-in to reporting of Certificate Transparency (CT) requirements. Given that mainstream clients now require CT qualification, the only remaining value is reporting such occurrences to the nominated report-uri value in the header. The header is now less about enforcement and more about detection/reporting.
Do not use it. Mozilla recommends avoiding it, and removing it from existing code if possible.
Content Security Policy (CSP) is a security feature that is used to specify the origin of content that is allowed to be loaded on a website or in a web applications. It is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.
- NOTE: This header is relevant to be applied in pages which can load and interpret scripts and code, but might be meaningless in the response of a REST API that returns content that is not going to be rendered.
Content Security Policy is complex to configure and maintain. For an explanation on customization options, please read Content Security Policy Cheat Sheet
If you don't use this header, your site is protected by default by the Same Origin Policy (SOP). What this header does is relax this control in specified circumstances.
The Access-Control-Allow-Origin is a CORS (cross-origin resource sharing) header. This header indicates whether the response it is related to can be shared with requesting code from the given origin. In other words, if siteA requests a resource from siteB, siteB should indicate in its Access-Control-Allow-Origin header that siteA is allowed to fetch that resource, if not, the access is blocked due to Same Origin Policy (SOP).
If you use it, set specific origins instead of *. Checkout Access-Control-Allow-Origin for details.
Access-Control-Allow-Origin: https://yoursite.com
- NOTE: The use of '*' might be necessary depending on your needs. For example, for a public API that should be accessible from any origin, it might be necessary to allow '*'.
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
This header works together with Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Resource-Policy (CORP) explained below.
This mechanism protects against attacks like Spectre which can cross the security boundary established by Same Origin Policy (SOP) for resources in the same browsing context group.
As this headers are very related to browsers, it may not make sense to be applied to REST APIs or clients that are not browsers.
Isolates the browsing context exclusively to same-origin documents.
HTTP Cross-Origin-Opener-Policy: same-origin
The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
- NOTE: Enabling this will block cross-origin resources not configured correctly from loading.
A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.
Cross-Origin-Embedder-Policy: require-corp
- NOTE: you can bypass it for specific resources by adding the
crossoriginattribute: <img src="https://thirdparty.com/img.png" crossorigin>
The Cross-Origin-Resource-Policy (CORP) header allows you to control the set of origins that are empowered to include a resource. It is a robust defense against attacks like Spectre, as it allows browsers to block a given response before it enters an attacker's process.
Limit current resource loading to the site and sub-domains only.
Cross-Origin-Resource-Policy: same-site
Permissions-Policy allows you to control which origins can use which browser features, both in the top-level page and in embedded frames. For every feature controlled by Feature Policy, the feature is only enabled in the current document or frame if its origin matches the allowed list of origins. This means that you can configure your site to never allow the camera or microphone to be activated. This prevents that an injection, for example an XSS, enables the camera, the microphone, or other browser feature.
More information: Permissions-Policy
Set it and disable all the features that your site does not need or allow them only to the authorized domains:
Permissions-Policy: geolocation=(), camera=(), microphone=()
- NOTE: This example is disabling geolocation, camera, and microphone for all domains.
FLoC is a method proposed by Google in 2021 to deliver interest-based advertisements to groups of users ("cohorts"). The Electronic Frontier Foundation, Mozilla, and others believe FLoC does not do enough to protect users' privacy.
A site can declare that it does not want to be included in the user's list of sites for cohort calculation by sending this HTTP header.
Permissions-Policy: interest-cohort=()
The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.
This is not a security header, but how it is used is relevant for security.
Remove this header or set non-informative values.
Server: webserver
- NOTE: Remember that attackers have other means of fingerprinting the server technology.
The X-Powered-By header describes the technologies used by the webserver. This information exposes the server to attackers. Using the information in this header, attackers can find vulnerabilities easier.
Remove all X-Powered-By headers.
- NOTE: Remember that attackers have other means of fingerprinting your tech stack.
Provides information about the .NET version.
Disable sending this header. Add the following line in your web.config in the <system.web> section to remove it.
<httpRuntime enableVersionHeader="false" />- NOTE: Remember that attackers have other means of fingerprinting your tech stack.
Provides information about the .NET version.
Disable sending this header. To remove the X-AspNetMvc-Version header, add the below line in Global.asax file.
MvcHandler.DisableMvcResponseHeader = true;
- NOTE: Remember that attackers have other means of fingerprinting your tech stack.
The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.
The default behavior of browsers is to perform DNS caching which is good for most websites.
If you do not control links on your website, you might want to set off as a value to disable DNS prefetch to avoid leaking information to those domains.
X-DNS-Prefetch-Control: off
- NOTE: Do not rely in this functionality for anything production sensitive: it is not standard or fully supported and implementation may vary among browsers.
The HTTP Public-Key-Pins response header is used to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.
This header is deprecated and should not be used anymore.
The sample code below sets the X-Frame-Options header in PHP.
header("X-Frame-Options: DENY");Below is an .htaccess sample configuration which sets the X-Frame-Options header in Apache. Note that without the always option, the header will only be sent for certain status codes, as described in the Apache documentation.
<IfModule mod_headers.c>
Header always set X-Frame-Options "DENY"
</IfModule>
Add configurations below to your Web.config in IIS to send the X-Frame-Options header.
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
...
</system.webServer>Add the line below to your front-end, listen, or backend configurations to send the X-Frame-Options header.
http-response set-header X-Frame-Options DENY
Below is a sample configuration, it sets the X-Frame-Options header in Nginx. Note that without the always option, the header will only be sent for certain status codes, as described in the nginx documentation.
add_header "X-Frame-Options" "DENY" always;
You can use helmet to setup HTTP headers in Express. The code below is sample for adding the X-Frame-Options header.
const helmet = require('helmet');
const app = express();
// Sets "X-Frame-Options: SAMEORIGIN"
app.use(
helmet.frameguard({
action: "sameorigin",
})
);The Mozilla Observatory is an online tool which helps you to check your website's header status.
SmartScanner has a dedicated test profile for testing security of HTTP headers. Online tools usually test the homepage of the given address. But SmartScanner scans the whole website. So, you can make sure all of your web pages have the right HTTP Headers in place.
- Mozilla: X-Frame-Options
- Mozilla: X-XSS-Protection
- hstspreload.org
- Mozilla: Strict-Transport-Security
- Mozilla: Content-Type
- Mozilla: Expect-CT
- Mozilla: Set-Cookie
- content-security-policy.com
- Mozilla: Cross-Origin-Opener-Policy
- resourcepolicy.fyi
- Mozilla: Cross-Origin-Resource-Policy
- Mozilla: Cross-Origin-Embedder-Policy
- Mozilla: Server Header
- Linked OWASP project: Secure Headers Project