
HTTP Headers for Security

It happened again.  New PCI scan results came in and now you have to add some other HTTP header to your server responses.  If you’re like me, it’s difficult to remember what each header does and how to use it.  So here’s a brief summary of some common security-related HTTP headers.

X-Frame-Options

This header tells the browser whether this page is allowed to be embedded in a frame within another page.  DENY means the page may never be framed; SAMEORIGIN means this page may be embedded only within a page on the same site.  Browsers ignore the header entirely if the value is anything other than one of these tokens, so don't add a trailing semicolon or other punctuation.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Details on X-Frame-Options can be found on MDN.

X-Frame-Options has been obsoleted by the Content-Security-Policy (CSP) header's frame-ancestors directive.  The CSP equivalents of the above headers are (note the straight single quotes around the keywords):

Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self'

You have more granular control using CSP.  You can take a deep dive into Content-Security-Policy here.

X-XSS-Protection

This header tells the browser how to behave if its built-in filter detects a possible reflected XSS attack. Should it do nothing, filter the injected code, or block the entire page?  Support has pretty much been removed from all current browsers, so the header is informational at best; if you set it, 0 (filter disabled) is the value that avoids the old filter's side effects.

X-XSS-Protection: 0                 (filter disabled)
X-XSS-Protection: 1                 (browser sanitizes the page)
X-XSS-Protection: 1; mode=block     (browser won't render the page)

More details can be found on MDN.

X-Content-Type-Options

This header tells the browser to use only the Content-Type provided by the server.  Without it, the browser may try to guess (sniff) the content type and possibly handle the response incorrectly, for example by executing a file that was meant to be served as plain text.  The only recognised value is nosniff.

X-Content-Type-Options: nosniff

More details on X-Content-Type-Options can be found here.

Strict-Transport-Security header

Also known as HSTS (HTTP Strict-Transport-Security).  This tells clients to always use the HTTPS version of the site.  The expire-time (max-age) is the time in seconds that the browser should remember to access the site via HTTPS only; includeSubDomains extends that rule to every subdomain of the host that sent the header.  The header is only honoured when it is received over HTTPS.

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

Find more details on HSTS on MDN.
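The following audit function is an added example, not code from the original post: it takes the headers of one HTTP response (a constructed sample is embedded below) and checks them against the four headers described above, matching values as strictly as browsers do.  The one-year HSTS minimum is this example's own threshold.

```python
import re

# Minimum HSTS max-age this audit accepts (one year). The threshold is an
# assumption of this example, not a value the post prescribes.
MIN_HSTS_MAX_AGE = 31536000


def audit_security_headers(headers):
    """Audit one response's headers; returns {check: (ok, message)}.

    Header names are matched case-insensitively. Values are matched the
    strict way browsers do: an unrecognised X-Frame-Options value (such as
    "DENY;" with a stray semicolon) is ignored by the browser, so it fails.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    result = {}

    # Framing: CSP frame-ancestors supersedes X-Frame-Options.
    m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)",
                  h.get("content-security-policy", ""), re.I)
    xfo = h.get("x-frame-options", "").upper()
    if m:
        result["framing"] = (True, "frame-ancestors " + m.group(1).strip())
    elif xfo in ("DENY", "SAMEORIGIN"):
        result["framing"] = (True, f"X-Frame-Options {xfo} (legacy header)")
    else:
        result["framing"] = (False, "no valid frame-ancestors or X-Frame-Options")

    # MIME sniffing: only the token 'nosniff' (case-insensitive) is honoured.
    xcto = h.get("x-content-type-options", "").lower()
    result["nosniff"] = (xcto == "nosniff",
                         f"X-Content-Type-Options: {xcto or '(missing)'}")

    # HSTS: needs a numeric max-age; includeSubDomains is reported, not required.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m:
        result["hsts"] = (False, "Strict-Transport-Security missing or without max-age")
    else:
        age = int(m.group(1))
        subs = bool(re.search(r"includeSubDomains", hsts, re.I))
        result["hsts"] = (age >= MIN_HSTS_MAX_AGE,
                          f"max-age={age}, includeSubDomains={subs}")

    # X-XSS-Protection: browsers dropped the filter, so presence is only noted.
    xss = h.get("x-xss-protection", "")
    result["xss_filter"] = (True, "X-XSS-Protection absent" if not xss
                            else f"X-XSS-Protection: {xss} (obsolete, browsers ignore it)")
    return result


# Constructed sample response headers for a stand-alone run.
SAMPLE_HEADERS = {"X-Frame-Options": "DENY;", "x-content-type-options": "NoSniff",
                  "Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    for check, (ok, msg) in audit_security_headers(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'} {check}: {msg}")
```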

I hope you find this short article helpful.   Have a suggestion to make this article better?  Let me know in a comment below.


Published in Web Development
