It happened again. New PCI scan results came in and now you have to add some other HTTP header to your server responses. If you’re like me, it’s difficult to remember what each header does and how to use it. So here’s a brief summary of some common security-related HTTP headers.
This header tells the browser whether this page is allowed to be embedded in a frame within another page.
SAMEORIGINmeans this page may be embedded within a page on the same site.
X-Frame-Options: DENY; X-Frame-Options: SAMEORIGIN;
X-Frame-Options can be found on MDN.
X-Frame-Options has been obsoleted by the
Content-Security-Policy (CSP) header
frame-ancestors directive. The CSP equivalent to the above headers are:
Content-Security-Policy: frame-ancestors ‘none’; Content-Security-Policy: frame-ancestors ‘self’;
You have more granular control using CSP. You can take a deep dive into
This header tells the browser how to behave if it detects a possible XSS attack. Should it do nothing, filter the code or block the entire page? Support has pretty much been removed from all browsers.
X-XSS-Protection: 0; X-XSS-Protection: 1; # Browser sanitizes the page X-XSS-Protection: 1; mode=block # Browser won't render the page
More details can be found on MDN
This header tells the browser to only use the content type provided by the server, don’t try to guess the content type and possibly handle it incorrectly.
More details on
X-Content-Type-Options can be found here.
Also known as HSTS (HTTP Strict-Transport-Security). This tells clients to always use the HTTPS version of the site. The
expire-time represents the time in seconds that the browser should remember to access the site via HTTPS only.
Strict-Transport-Security: max-age=<expire-time>; Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Find more details on HSTS on MDN.
I hope you find this short article helpful. Have a suggestion to make this article better? Let me know in a comment below.