What are headers?
HTTP headers are name/value pairs carried in the message header of HTTP request and response messages. These headers can inform the browser of the type of data it is receiving, such as a PNG image or HTML content. Headers can also be sent to increase the security and privacy of your website's visitors.

Security Headers

  1. Strict-Transport-Security: This instructs the user agent to use HTTPS only.
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Mozilla Docs

  2. X-Frame-Options: Tells the browser whether you want to allow your site to be framed. This can help protect against attacks such as clickjacking.
    X-Frame-Options: SAMEORIGIN
    Mozilla Docs

  3. X-Content-Type-Options: Stops the browser from trying to MIME-sniff the content type, so it sticks with the declared Content-Type header.
    X-Content-Type-Options: nosniff
    Mozilla Docs

  4. Referrer-Policy: Allows the site to control how much information the browser includes in the Referer header when navigating to a new site.
    Referrer-Policy: no-referrer
    Mozilla Docs

  5. Permissions-Policy: Allows the site to control which browser features and APIs can be used on its pages.
    Mozilla Docs

  6. X-XSS-Protection: Used to configure the XSS Auditor in older browsers. Content-Security-Policy has now replaced it.
    X-XSS-Protection: 1; mode=block
    Mozilla Docs

  7. Content-Security-Policy: This is an effective measure against XSS attacks. It works by whitelisting approved content sources, preventing malicious content from being loaded.
    Content-Security-Policy: default-src https:
    Mozilla Docs

  8. expect-ct: Allows the site to determine whether it is ready for the upcoming Chrome Certificate Transparency requirements.
    expect-ct: max-age=86400, enforce
    Mozilla Docs

More information can be found at https://securityheaders.com along with a Header Scanner.
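As an added example (not from the original post), the script below audits a response's headers against the list above, flagging each as ok, weak or missing; the value checks (HSTS max-age at least the 31536000 seconds shown above, X-Frame-Options limited to DENY/SAMEORIGIN, CSP without 'unsafe-inline') and the sample headers are my own assumptions, and the two legacy headers (X-XSS-Protection, expect-ct) are deliberately not checked.

```python
"""Audit HTTP response headers for the security headers discussed above."""
import urllib.request

def _hsts_ok(value):
    # Require max-age >= one year; directives are separated by ';'
    parts = [p.strip().lower() for p in value.split(";")]
    max_age = next((p for p in parts if p.startswith("max-age=")), None)
    return max_age is not None and int(max_age.split("=", 1)[1]) >= 31536000

# Header name (lowercased: HTTP header names are case-insensitive) -> value check
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
    # Must set a default source list and not re-enable inline scripts
    "content-security-policy": lambda v: "default-src" in v.lower()
                                         and "'unsafe-inline'" not in v.lower(),
}

def audit_headers(headers):
    """Return {header_name: 'ok' | 'weak' | 'missing'} for every header in CHECKS."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            result[name] = "missing"
            continue
        try:
            ok = check(lowered[name])
        except ValueError:      # e.g. "max-age=" with no number
            ok = False
        result[name] = "ok" if ok else "weak"
    return result

def audit_url(url):
    """Fetch only the headers of `url` with a HEAD request and audit them."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))

# Constructed sample response headers (not captured from any real site)
SAMPLE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",   # too short: flagged weak
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src https:",
}

if __name__ == "__main__":
    for name, verdict in audit_headers(SAMPLE).items():
        print(f"{name:28} {verdict}")
```

Run it against a live site with `audit_url("https://example.invalid")` (placeholder URL) to get the same verdict table for a real response.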


Cover Image Credit: https://unsplash.com/@fantasyflip