List of HTTP security headers that secure your site

12/24/2018 security http-security-headers http-headers

There are a number of security headers that have been added to the HTTP specification that can provide defence-in-depth protection against certain vulnerabilities.

To keep your website secure, you can try adding the HTTP headers below, which help prevent attacks against your website.

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • Expect-CT
  • Public-Key-Pins


Here are my definitions for each of these.

X-Frame-Options: SAMEORIGIN - The page may only be rendered in an iframe by pages from the same origin.

X-Frame-Options: DENY - The page is never rendered in an iframe.

X-Frame-Options: allow-from https://yesno.wtf/ - The page may only be rendered in an iframe on yesno.wtf.

X-XSS-Protection: 0 - Browser disables XSS filtering.

X-XSS-Protection: 1 - Browser enables XSS filtering and sanitises the page if cross-site scripting has been detected.

X-XSS-Protection: 1; mode=block - Browser enables XSS filtering and blocks the page instead of rendering it.

X-XSS-Protection: 1; report=https://yesno.wtf/ - Browser enables XSS filtering, sanitises the page and reports the violation to yesno.wtf.

X-Content-Type-Options: nosniff - Tells browsers not to sniff the content type, i.e. to trust the declared Content-Type rather than guessing from the body.
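As an added illustration (not part of the original post), here is a small Python checker that applies the definitions above to a captured response and flags each of the three headers as ok, missing or weak. The sample response is constructed for the example.

```python
"""Audit X-Frame-Options, X-XSS-Protection and X-Content-Type-Options values."""
from typing import Callable, Dict

# Constructed sample response (not a real capture): a weakly configured site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: allow-from https://yesno.wtf/\r\n"
    "X-XSS-Protection: 1\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_frame_options(value: str) -> str:
    if value.upper().split()[:1] in (["DENY"], ["SAMEORIGIN"]):
        return "ok"
    # allow-from is only honoured by browsers that implement it
    return "weak: prefer DENY or SAMEORIGIN"

def check_xss_protection(value: str) -> str:
    # The browser XSS filter this header controls has since been removed
    # from the major browsers, so treat it as defence in depth only.
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "weak: filter disabled"
    if "mode=block" in parts:
        return "ok"
    return "weak: sanitises only; add mode=block"

def check_content_type_options(value: str) -> str:
    return "ok" if value.strip().lower() == "nosniff" else "weak: must be nosniff"

CHECKS: Dict[str, Callable[[str], str]] = {
    "X-Frame-Options": check_frame_options,
    "X-XSS-Protection": check_xss_protection,
    "X-Content-Type-Options": check_content_type_options,
}

def audit(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each header to 'ok', 'missing' or 'weak: <reason>'."""
    return {name: check(headers[name.lower()]) if name.lower() in headers else "missing"
            for name, check in CHECKS.items()}
```

Running `audit(parse_headers(SAMPLE_RESPONSE))` flags the sample as weak on both X-Frame-Options and X-XSS-Protection and missing X-Content-Type-Options.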