HTTP - Security Headers
About
In HTTP, much of the browser-side security model is configured through response headers known as security headers. They tell the browser how to load and execute the page: which sources may supply scripts, whether the page may be framed, whether plain HTTP connections are allowed, how much of the URL is sent as referrer, and which device features the page may use.
Header
Response HTTP headers that control browser behaviour and have an effect on security:
- Content-Security-Policy (CSP): restricts the sources from which scripts, styles, frames and other content may be loaded, to mitigate cross-site scripting (XSS), clickjacking (via the frame-ancestors directive) and other code-injection attacks that would otherwise execute malicious content in the trusted web page context
- X-Frame-Options: DENY or SAMEORIGIN, so that another site cannot embed the page in a frame (clickjacking). CSP frame-ancestors supersedes it, but it is still commonly sent for older browsers
- Strict-Transport-Security: HTTP - Strict Transport Security (HSTS) - mandatory HTTPS: once received over HTTPS, the browser connects to the host only over https for the given max-age
- X-Content-Type-Options: stops the browser from trying to MIME-sniff the content type and forces it to honour the declared Content-Type (so, for example, a user-uploaded file served as text/plain is not interpreted as HTML or script)
X-Content-Type-Options: nosniff
- Referrer-Policy: HTTP - Referrer-Policy Header: controls how much of the current URL is sent in the Referer header on navigations and sub-resource requests, so that private URLs (paths, query strings carrying tokens) are not leaked to other origins
- Permissions-Policy: controls which browser features and APIs (camera, microphone, geolocation, ...) the page and its embedded frames may use. It was previously named Feature-Policy. You can view the full list of permission options here.
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
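The following is an added example, not code from the original page: a dependency-free Node.js module that applies a baseline set of the headers listed above to a response and audits an arbitrary header map for missing or weak values (for instance a CSP whose script-src allows 'unsafe-inline', an HSTS max-age shorter than a year, or a Referrer-Policy that leaks full URLs). The concrete header values, the one-year HSTS threshold and the helper names are assumptions for a typical site.

```javascript
// Added example (not from the original page): build, apply and audit the
// security response headers discussed above. Header values and thresholds
// are assumptions for a typical site; tune the CSP source lists to yours.

// Baseline header set. The CSP assumes the page loads only its own scripts;
// widen the source lists for your site rather than adding 'unsafe-inline'.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      "frame-ancestors 'none'; base-uri 'self'",
    'X-Frame-Options': 'DENY',
    // HSTS is only honoured by browsers when received over HTTPS
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy':
      'camera=(), microphone=(), geolocation=(), interest-cohort=()',
  };
}

// Works with Node's http.ServerResponse or an Express `res` (both expose setHeader).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Parse a CSP string into { directiveName: [sources...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Audit a response's headers (names matched case-insensitively, as
// res.getHeaders() returns them). Returns an array of findings; empty = pass.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const csp = h['content-security-policy'];
  const d = csp ? parseCsp(csp) : {};
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    // script-src falls back to default-src when it is not set explicitly
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push("CSP script-src allows 'unsafe-inline', which defeats its XSS protection");
    }
    if (scriptSrc.includes('*')) findings.push('CSP script-src allows * (any origin)');
    if (!d['object-src'] && !d['default-src']) {
      findings.push('CSP sets neither object-src nor default-src, so plugin content is unrestricted');
    }
  }

  // Clickjacking: CSP frame-ancestors takes precedence; otherwise X-Frame-Options
  // must be DENY or SAMEORIGIN (ALLOW-FROM is obsolete and ignored by browsers).
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (!d['frame-ancestors'] && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('no framing restriction: set CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN');
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) findings.push(`HSTS max-age ${maxAge} is below one year`);
  }

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  // Referrer-Policy may list fallbacks; the last recognised value wins.
  const rpList = (h['referrer-policy'] || '').split(',').map((s) => s.trim().toLowerCase());
  const rp = rpList[rpList.length - 1];
  if (!rp) {
    findings.push('missing Referrer-Policy');
  } else if (['unsafe-url', 'no-referrer-when-downgrade'].includes(rp)) {
    findings.push(`Referrer-Policy ${rp} sends the full URL to other origins`);
  }

  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');

  return findings;
}
```

Usage: call `applySecurityHeaders(res)` at the top of a request handler, and run `auditSecurityHeaders(res.getHeaders())` (or the header map from any fetched response) in an integration test so that a regression such as a dropped nosniff or a weakened CSP fails the build. The audit treats CSP frame-ancestors and X-Frame-Options as alternatives, since a browser that understands frame-ancestors ignores X-Frame-Options.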