Skip to main content
HTTP Security Headers

HTTP Security Headers

The best website makes the secure https connection even more secure with HTTP security headers. Does your site use HTTP security headers for extra security? Does your site use HTTP security headers to communicate to the visitor's browser what security measures are in place?

HTTP security headers

The visitor views your website via a browser. Your web server communicates HTML pages to the browser. Your web server or web site may also include HTTP security headers to inform the browser about HTTP Security. What can a browser expect from the website and server? 

Test the HTTP Security Headers that are sent through the HTTP response headers of your web site via Security Headers. There are several security measures that can be enforced through HTTP Security Headers: 

X Content Type Options

A browser can interpret the file type of a file based on its content. With "X-Content-Type-Options: nosniff", the server enforces that the browser does not determine the type of content itself via MIME. This prevents text files and images from being executed as HTML/JavaScript.

X-Content-Type-Options: nosniff

Referrer Policy

If a visitor on your site clicks on a hyperlink to another site, the browser uses the referrer in the HTTP header to communicate with the new site you come from. A web site can then use the web server to see statistics about where their visitors are coming from. If your website is running https and the link refers to an http website, this is a "downgrade" of the connection for the visitor. To protect the privacy of your visitors, you can disable the referrer.

Referrer Policy: no-referrer-when-downgrade

Feature Policy  

Feature Policy has been replaced by Permissions Policy

Permissions Policy

With the Permissions-Policy you decide which browser functions and APIs you want to enable or disable. You will be familiar with pop-ups from websites that ask for your location. You can have your website communicate to the visitor's browser that, for example, you are not asking for a location (geolocation).

  • geolocation
  • midi
  • notifications
  • push
  • sync-xhr
  • microphone
  • camera
  • magnetometer
  • gyroscope
  • speaker
  • vibrate
  • fullscreen
  • payment

permissions-policy: camera=(); geolocation=(); microphone=(); payment=();

Content Security Policy (CSP)

The Content Security Policy defines from which approved sources the visitor's browser is allowed to load files (CSS stylesheets, JavaScript libraries, fonts). Think for example of external Google fonts, JQuery JavaScripts etc.

You can choose to place all external sources on your own site, or arrange through the CSP which external sources you accept. It is an effective countermeasure against Cross Site Scripting (XSS) attacks.

content-security-policy: frame-ancestors 'self'

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security enforces that all communication between the visitor and your website takes place over a secure transport layer (https). This prevents a man-in-the-middle (MiTM) attack. Via HSTS your website communicates to the browser that your website will work via https in the next x days.

strict-transport-security: max-age=15768000

X Frame Options

With the X-Frame-Options header you protect your visitors against clickjacking attacks. In case of a clickjack attack, an attacker can steal some CSS information from your web browser via an iframe. This can be prevented by defining x-frame-options. But you can also control this via the "frame-ancestors" in Content Security Policy.

x-frame-options: SAMEORIGIN 

Back to: A secure website

HTTP Security Headers

Are you using HTTP Security Headers to make your website even more secure?

* according to Peter Martin

© 2023 by All rights reserved.