aixlabDocs

HTTP Security Headers

When a browser requests a page from a web server, the server responds with the page and also sends HTTP response headers along with the content. In addition to metadata such as character sets and error codes, security-related settings can be sent in these headers. They tell the browser how to behave.

Websites can be checked for security headers here.

Additional Security Headers

| Field name | Description | Example | Status | Standard |
|---|---|---|---|---|
| X-Content-Type-Options | The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. | `X-Content-Type-Options: nosniff` | | |
| X-Frame-Options | Clickjacking protection: `deny` - no rendering within a frame; `sameorigin` - no rendering if origin mismatch; `allow-from` - allow from specified location; `allowall` - non-standard, allow from any location | `X-Frame-Options: deny` | Obsolete | RFC 7034 |
| X-XSS-Protection | Cross-site scripting (XSS) filter | `X-XSS-Protection: 1; mode=block` | Obsolete | |

Proposal for HTTP security headers

```http
# When the site is served through Cloudflare, these parameters are set for the whole zone in the Cloudflare configuration
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self';
Access-Control-Allow-Origin: https://www.example.de
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()
```
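As an added example (not the aixlabDocs page's own code), the following Python script audits a set of response headers against the proposal above and the header values described in the table: it parses the `Strict-Transport-Security` directives and the `Content-Security-Policy`, checks the fixed-value headers, and reports every deviation as a finding. The two sample header sets are constructed, and the 31536000-second minimum for `max-age`, the `'unsafe-inline'` check and the wildcard-origin check are this example's assumptions rather than rules the page states.

```python
"""Audit HTTP response headers against the security-header proposal above.

Added example, not code from the aixlabDocs page. The sample header sets
below are constructed; the thresholds and checks are this example's
assumptions.
"""
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_directives(value: str) -> Dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    Flag directives without '=' map to an empty string."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip()
    return directives


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        d = _parse_directives(hsts)
        # A non-numeric max-age is treated as 0 so it is reported, not skipped.
        age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if age < min_hsts_age:
            findings.append(f"Strict-Transport-Security: max-age {age} is below {min_hsts_age}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security: includeSubDomains not set")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    else:
        policy = _parse_csp(csp)
        if "default-src" not in policy:
            findings.append("Content-Security-Policy: no default-src fallback")
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in policy.get(directive, []):
                findings.append(f"Content-Security-Policy: {directive} allows 'unsafe-inline'")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options: missing")
    elif xfo.strip().lower() not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options: value {xfo!r} is non-standard or obsolete (use DENY or SAMEORIGIN)")

    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy: missing")

    acao = _get(headers, "Access-Control-Allow-Origin")
    if acao is not None and acao.strip() == "*":
        findings.append("Access-Control-Allow-Origin: wildcard permits any origin")

    return findings


# Constructed sample responses (not captured from a real server).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self';",
    "Access-Control-Allow-Origin": "https://www.example.de",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

In practice the `headers` dict would come from an HTTP client's response object; the lookup is case-insensitive on purpose because proxies and CDNs routinely rewrite header-name casing. The `Permissions-Policy` check only tests presence, since which features to disable is a per-site decision.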