2.15.6. Security headers

A tool available on our website lets you validate the security headers returned by a site. These headers have a major impact on the security of both the site itself and its visitors, so we recommend adding them to your sites.

Attention!

  • This article provides brief descriptions of headers and their possible meanings. Full details can be found in the relevant documentation.
  • Some values contain placeholders that you must replace with your own data; for example, instead of <url> you should specify the address of your site in the form example.com.
  • Required values or data are in bold.

Most popular headers:

Each entry below gives the header, its valid values and a description.

Important headers

  • Strict-Transport-Security (HSTS)
    Valid values: time in seconds
    Description: Allows only a secure connection to the site over HTTPS. You can add this header in the site settings.
  • X-Frame-Options
    Valid values: DENY, SAMEORIGIN, ALLOW-FROM <url>
    Description: Allows or denies displaying the page inside a frame, iframe, embed or object element.
  • X-Content-Type-Options
    Valid values: nosniff
    Description: Blocks requests for files whose actual type does not match the type declared in the Content-Type header.
  • Content-Security-Policy
    Valid values: default-src, <directives>, <values>
    Description: A security policy that restricts or, conversely, explicitly allows loading data from particular sources. Because the list of available directives and values is long, a link to the documentation is provided.
  • Referrer-Policy
    Valid values: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
    Description: Specifies what information the Referer header carries about the address from which the navigation was made. If the header is absent, browsers use the default, strict-origin-when-cross-origin.
  • Permissions-Policy
    Valid values: <directive>, <allowlist>
    Description: Determines which browser features can be enabled on the site. This header is also known as Feature-Policy. Because the list of available directives and values is long, a link to the documentation is provided.

Recommended headers

  • X-Permitted-Cross-Domain-Policies
    Valid values: none
    Description: Controls whether Flash and PDF (Acrobat) clients may make cross-domain requests.
  • Clear-Site-Data
    Valid values: *, cookie, cache, storage
    Description: Instructs the browser to clear the stored data it names (cookies, cache, storage).
  • Cross-Origin-Embedder-Policy
    Valid values: unsafe-none, require-corp
    Description: Prevents loading of cross-origin resources that do not explicitly grant permission.
  • Cross-Origin-Opener-Policy
    Valid values: unsafe-none, same-origin-allow-popups, same-origin
    Description: Controls whether a resource opened from the page remains accessible to the main (opener) document.
  • Cross-Origin-Resource-Policy
    Valid values: same-site, same-origin, cross-origin
    Description: Lets the browser block cross-origin requests for the current document or resource without raising an error.
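As an added example (not code from the original page or the hosting tool it describes), the check below parses the header block of a captured HTTP response and reports, against the table above, which headers are missing or carry a value outside the listed ones. SAMPLE_RESPONSE is constructed sample data, and the grouping into "important" and "recommended" follows the table.

```python
# Added example, not from the original page: check a captured HTTP response
# against the header table above. SAMPLE_RESPONSE is constructed, not real.
from typing import Dict, List, Optional, Set

# Valid values from the table, lowercased; None = any non-empty value
# (HSTS max-age, CSP and Permissions-Policy directives are site-specific).
IMPORTANT: Dict[str, Optional[Set[str]]] = {
    "strict-transport-security": None,
    "x-frame-options": {"deny", "sameorigin"},  # ALLOW-FROM <url> handled below
    "x-content-type-options": {"nosniff"},
    "content-security-policy": None,
    "referrer-policy": {"no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
                        "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"},
    "permissions-policy": None,
}
RECOMMENDED: Dict[str, Optional[Set[str]]] = {  # Clear-Site-Data left out: it is set per response
    "x-permitted-cross-domain-policies": {"none"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp"},
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Header block of an HTTP response -> dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # [0] is the status line
        if not line:
            break  # blank line ends the headers; the body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(headers: Dict[str, str]) -> List[str]:
    """One finding per header that is missing or has a value outside the table."""
    findings = []
    for group, table in (("important", IMPORTANT), ("recommended", RECOMMENDED)):
        for name, valid in table.items():
            if name not in headers:
                findings.append(f"{name}: missing ({group})")
                continue
            token = headers[name].split(";")[0].strip().lower()  # ignore parameters
            allow_from = name == "x-frame-options" and token.startswith("allow-from ")
            if not (bool(token) if valid is None else token in valid or allow_from):
                findings.append(f"{name}: unexpected value {headers[name]!r}")
    return findings

SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Strict-Transport-Security: max-age=31536000\r\nX-Frame-Options: sameorigin\r\n"
                   "X-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n"
                   "Cross-Origin-Opener-Policy: same-site\r\n\r\n<html>")
```

Running check_headers(parse_headers(SAMPLE_RESPONSE)) on the sample reports the two missing important headers, three missing recommended ones and the invalid Cross-Origin-Opener-Policy value.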

Attention!

This method will not work for requests to static files.

In the .htaccess file in the root directory of the site, you can add the following directive so that the site returns the header:

# Requires mod_headers; the value is quoted, with no colon after the header name
Header set X-Frame-Options "DENY"

Instead of X-Frame-Options and DENY, specify any other required header and its value.

Attention!

This method will not work for requests to static files, or for files that are served without running a script that sets the customized headers.

PHP has a special function, header(), which adds headers to the server response. To add a header, place roughly the following line in the required script, for example index.php:

header('X-Frame-Options: DENY', false, 200); // must run before any output is sent

Substitute the required data; the optional parameters can be omitted:

  • Instead of X-Frame-Options: DENY, specify the required header and its value.
  • The second parameter is optional and indicates whether to replace a previous header of the same name. Set it to false if you need to send several headers with the same name but different values, or true if you want to replace the existing header.
  • The third parameter is also optional and forces the response code sent by the server.

Attention!

This method only works for pages and documents that include the meta tag described below. Browsers honour only a few headers delivered this way (Content-Security-Policy among them); X-Frame-Options in particular is ignored in a meta tag and must be sent as an HTTP response header.

In HTML, the meta tag has a special attribute that makes the browser treat it as a header. It is used like this:

<meta http-equiv="X-Frame-Options" content="DENY">

Replace the data with the required header and its value:

  • In the http-equiv attribute, specify the header name.
  • In the content attribute, specify the desired header value.