Skip to main content

HTTP Security Headers Best Practices

By Travelers
1 minute

HTTP security headers establish rules for browsers that are connecting to a web page. Maintaining best practices for HTTP security headers provides a more secure browsing experience for users and your website.

Modification to these headers could impact the functionality of your website. Ensure that all changes are tested before moving to production. While many headers have straight forward recommended values, there are several (Content-Security-Policy and Feature-Policy) that are configured specific to your website.

HTTP security header Description Recommended value
Content-Security-Policy Restricts loading of resources (e.g. JavaScript) from untrusted sources. This control helps defend against some web based attacks.

Example value (note this must be customized to what scripts sources will be allowed to run on your website):

default-src 'self' allowedsite1.com allowedsite2.com allowedsite3.com;

Information on additional configuration options is available here.

X-Permitted-Cross-Domain-Policies Restricts the loading of resources from other domains different from your website. none
Clear-Site-Data Clears browsing data. "cache","cookies","storage"
Cross-Origin-Embedder-Policy Prevents some web-based attacks. require-corp
Cross-Origin-Opener-Policy Prevents some web-based attacks. same-origin
Cross-Origin-Resource-Policy Prevents some web-based attacks. same-origin
Cache-Control Prevents information disclosure through browser cache. no-store, max-age=0
Strict-Transport-Security Enforce connections over encrypted channels. max-age=31536000 ; includeSubDomains
X-Frame-Options Prevents some web-based attacks. deny
Expect-CT Improves likelihood of trusted connections.

Note that this security header was deprecated in June 2021 and is being phased out. The following is an example configuration that could be used (be sure to modify the report-uri):

Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

X-Content-Type-Options Prevents some web-based attacks. nosniff
Feature-Policy
Details what features (e.g. webcam / microphone) should be enabled or disabled for a website.

Note that this security header is in the process of being deprecated and will be split into Permissions-Policy and Document-Policy. Refer to his link for features that are present in your website and explicitly allow them. Alternatively, select features that should not be allowed.

Feature-Policy: <feature> <allow list origin(s)>

Referrer-Policy
Omits referrer information being sent in HTTP requests. This will prevent websites from seeing that users visited them from your website.
no-referrer

Sources

https://owasp.org/www-project-secure-headers/#

https://content-security-policy.com/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

Related articles