HTTP Headers - Documentation

Link to this headingHeaders

Link to this headingContent-Security-Policy

Limits XSS by restricting loads

Example:

# Default to only allow content from the current site # Allow images from current site and imgur.com # Don't allow objects such as Flash and Java # Only allow scripts from the current site # Only allow styles from the current site # Only allow frames from the current site # Restrict URL's in the <base> tag to current site # Allow forms to submit only to the current site Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';

Report Only Example:

Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/

Link to this headingStrict-Transport-Security

This site should only be accessed by HTTPS
includeSubDomains also enforces this on all subdomains
preload adds the domain to the browsers list of HTTPS only domains forever

Example:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Link to this headingX-Content-Type-Options

This header ensures that the MIME types set by the application are respected by browsers. This can help prevent certain types of cross site scripting bypasses.

It also reduces unexpected application behavior where a browser may “guess” some kind of content incorrectly, such as when a developer labels a page “HTML” but the browser thinks it looks like JavaScript and tries to render it as JavaScript. This header will ensure the browser always respects the MIME type set by the server.

Example:

X-Content-Type-Options: nosniff

Link to this headingCache Control Headers

Any page with sensitive data, such as a user page or a customer checkout page, should be set to no-cache. One reason for this is preventing someone on a shared computer from pressing the back button or going through history and being able to view personal information.

However, pages that change rarely, such as static assets (images, CSS files, and JS files), are good to cache. This could be done on a page by page basis, or using regex on the server configuration.

Link to this headingX-Frame-Options

This header indicates whether the site should be allowed to be displayed within an iFrame.

If a malicious site puts your website within an iFrame, the malicious site is able to perform a click jacking attack by running some JavaScript that will capture mouse clicks on the iFrame and then interact with the site on the users behalf (not necessarily clicking where they think they clicked!).

Example:

X-Frame-Options: deny X-Frame-Options: sameorigin

Link to this headingAccess-Control

Link to this headingAccess-Control-Allow-Credentials

Allows the browser to set cookies, authorization headers or TLS client certificates to send to the server in a Cross Origin Request
This information is gathered in the preflight request

Example:

Access-Control-Allow-Credentials: true

Link to this headingAccess-Control-Allow-Headers

Specifies which headers can be send in a Cross Origin Request
This information is gathered in the preflight request

Usage:

Access-Control-Allow-Headers: <header-name>[, <header-name>]* Access-Control-Allow-Headers: *

Link to this headingAccess-Control-Request-Headers

Specifies which headers the client might send the server in a Cross Origin Request
This information is gathered in the preflight request

Usage:

Access-Control-Allow-Headers: <header-name>[, <header-name>]* Access-Control-Allow-Headers: *

Link to this headingAccess-Control-Allow-Methods

Specifies what HTTP Verbs can be set in a Cross Origin Request
This information is gathered in the preflight request

Examples:

Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Methods: *

Link to this headingAccess-Control-Request-Method

Specifies what HTTP Verbs is sent with the Cross Origin Request
This information is gathered in the preflight request

Examples:

Access-Control-Request-Method: POST

Link to this headingAccess-Control-Allow-Origin

Specifies what origins can make Cross Origin Requests
This information is gathered in the preflight request

Example:

Access-Control-Allow-Origin: * Access-Control-Allow-Origin: <origin> Access-Control-Allow-Origin: null

NOTE: “null” may allow cross origin to “data:” and “file:” scheme

Link to this headingAccess-Control-Expose-Headers

Specifies what HTTP Response Headers can be viewed by javascript in a Cross Origin Request
This information is gathered in the preflight request

By default the headers below are accessible from a Cross Origin Response

Cache-Control
Content-Language
Content-Type
Expires
Last-Modified
Pragma

Example:

Access-Control-Expose-Headers: Content-Length, X-Kuma-Revision Access-Control-Expose-Headers: * Access-Control-Expose-Headers: *, Authorization

NOTE: Wildcard headers wont expose the Authorization header

Link to this headingAccess-Control-Max-Age

Specifies how long the HTTP Response can be cached for from a javascript in a Cross Origin Request
This information is gathered in the preflight request

Example:

Access-Control-Max-Age: 600

Link to this headingPublic-Key-Pins

Deprecated
Used to pin certificates to a website

Usage:

Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] Public-Key-Pins-Report-Only: pin-sha256="<pin-value>"; max-age=<expire-time>; includeSubDomains; report-uri="<uri>"

Example:

Public-Key-Pins-Report-Only: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; includeSubDomains; report-uri="https://www.example.org/hpkp-report" Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubDomains report-uri="https://www.example.org/hpkp-report"

Link to this headingExpect CT

Enforce flag makes it restrict HTTP instead of just reporintg

Usage:

Expect-CT: report-uri="<uri>", enforce, max-age=<age>

Example:

Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

Link to this headingCross-Origin-Resource-Policy

Response Header that specifies the origin policy of the website

Usage:

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

Example:

Cross-Origin-Resource-Policy: same-origin

Link to this headingCross-Origin-Opener-Policy

Used to whitelist the postMessage messages that can be received by restricting the origins

Link to this headingCross-Origin-Embedder-Policy

Used to whitelist the postMessage messages that can be sent by restricting the origins

Link to this headingWant-Digest

The Client specifies to the server that it wants to send a Digest header with the response

Usage:

Want-Digest: <digest-algorithm>

Examples:

Want-Digest: sha-256 Want-Digest: SHA-512;q=0.3, sha-256;q=1, md5;q=0

Link to this headingDigest

Hash of the method body

Usage:

Digest: <digest-algorithm>=<digest-value> Digest: <digest-algorithm>=<digest-value>,<digest-algorithm>=<digest-value>

Examples:

Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE= Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=,unixsum=30637

Link to this headingForwarded

Shows the Forward Proxy Information

Usage:

Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>

Examples:

Forwarded: for="_mdn" Forwarded: For="[2001:db8:cafe::17]:4711" Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for=192.0.2.43, for=198.51.100.17