List of HTTP security headers that secure your site

12/24/2018 security http-security-headers http-headers

There are a number of security headers that have been added to the HTTP specification that can provide defence-in-depth protection against certain vulnerabilities.

To keep your website secure, you can add the HTTP headers below, which help prevent attacks against your site.

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • Expect-CT
  • Public-Key-Pins


Here are my definitions for each of these.

X-Frame-Options: SAMEORIGIN - Only renders iframes from the same origin.

X-Frame-Options: DENY - Don't render iframes at all.

X-Frame-Options: allow-from - Renders iframes only from

X-XSS-Protection: 0 - Browser disables XSS filtering.

X-XSS-Protection: 1 - Browser enables XSS filtering and sanitises the page if cross-site scripting has been detected.

X-XSS-Protection: 1; mode=block - Browser enables XSS filtering and blocks the page from rendering if cross-site scripting has been detected.

X-XSS-Protection: 1; report= - Browser enables XSS filtering, sanitises the page and reports it to

X-Content-Type-Options: nosniff - Tells browsers not to MIME-sniff the response and to honour the declared Content-Type instead.
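To see how these definitions translate into a check you can run against your own site, here is a small audit script. It is an added example, not code from the original post: it parses the header block of a raw HTTP/1.x response and flags the headers above that are missing or set to a weak value. The responses it inspects are constructed inline so it runs offline; the header names and values are the ones defined in the post.

```python
"""Audit the security headers of an HTTP response (added example, not from the post)."""

# Constructed sample responses used as input; nothing here is captured from a real site.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",  # not a valid value, so browsers ignore the header
    "X-XSS-Protection": "0",        # explicitly turns the filter off
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP/1.x response into a dict.

    The status line is skipped, the first blank line ends the block, and only
    the first occurrence of a repeated header name is kept.
    """
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name and name.lower() not in (k.lower() for k in headers):
            headers[name] = value.strip()
    return headers


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_security_headers(headers):
    """Return a list of findings for the headers the post defines.

    An empty list means every checked header is present with a safe value.
    """
    findings = []

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing: the page can be framed by any site")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}; browsers ignore it")

    xss = _get(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.split(";")[0].strip() == "0":
        findings.append("X-XSS-Protection: 0 disables the browser XSS filter")
    elif "mode=block" not in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection: 1 only sanitises; prefer 1; mode=block")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing; browsers may MIME-sniff responses")

    if _get(headers, "Content-Security-Policy") is None:
        findings.append("Content-Security-Policy missing")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS),
                        ("raw", parse_response_headers(RAW_RESPONSE))):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```

One caveat when reading the X-XSS-Protection findings: current Chromium-based browsers have removed their XSS filter and Firefox never shipped one, so that header is a compatibility setting for older browsers; a Content-Security-Policy is the control to rely on for script injection today.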