2.15.6. Security headers

Our site offers a tool that checks the security headers returned by a site. These headers have a significant effect on the security of both the site itself and its visitors, so we recommend adding them to your sites.

Attention!

  • This article gives brief descriptions of the headers and their possible values. For complete information, refer to the relevant documentation.
  • Some values contain placeholders that must be replaced with your own data. For example, instead of <url> you should specify the address of your site, such as example.com.
  • Required values or data are highlighted in bold.

Most popular headers:

Important headers

| Header | Possible values | Description |
|---|---|---|
| Strict-Transport-Security (HSTS) | max-age=<time in seconds> | Tells the browser to connect to the site only over HTTPS for the given time. You can add this header in site settings. |
| X-Frame-Options | DENY, SAMEORIGIN, ALLOW-FROM <url> | Allows or prohibits displaying the page inside an (i)frame, embed or object element. ALLOW-FROM is obsolete and ignored by current browsers; use the Content-Security-Policy frame-ancestors directive instead. |
| X-Content-Type-Options | nosniff | Blocks requests for files whose content does not match the type declared in the Content-Type header (disables MIME sniffing). |
| Content-Security-Policy | default-src and other <directives> with their <values> | A security policy that restricts or, conversely, allows loading of data from specific sources. Because the list of available values is large, a link to the documentation is provided in the data. |
| Referrer-Policy | no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url | Specifies what the browser sends in the Referer request header about the address from which the navigation was made. If the header is missing, browsers use the default value strict-origin-when-cross-origin. |
| Permissions-Policy | <directive>=(<allowlist>) | Determines which browser features may be used on the site. The older name of this header is Feature-Policy. Because the list of available values is large, a link to the documentation is provided in the data. |

Recommended headers

| Header | Possible values | Description |
|---|---|---|
| X-Permitted-Cross-Domain-Policies | none | Controls whether Adobe Flash and Acrobat (PDF) clients may make cross-domain requests to the site on the basis of policy files; none forbids them. |
| Clear-Site-Data | "*", "cookies", "cache", "storage" | Instructs the browser to clear the data it has stored for the site (cookies, cache, storage); the values are written in double quotes. |
| Cross-Origin-Embedder-Policy | unsafe-none, require-corp | Prevents the document from loading cross-origin resources that have not explicitly granted permission (via CORS or Cross-Origin-Resource-Policy). |
| Cross-Origin-Opener-Policy | unsafe-none, same-origin-allow-popups, same-origin | Controls whether the document shares its browsing context group with cross-origin documents that opened it or that it opens (for example via window.open). |
| Cross-Origin-Resource-Policy | same-site, same-origin, cross-origin | Declares which sites or origins may load the resource; the browser blocks other cross-origin no-cors requests for it without affecting the requesting document. |
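To show what a check against the table above looks like in practice, here is an added Python example (not the site's own tool): it reports which important and recommended headers are missing from a set of response headers and flags weak values. The one-year HSTS threshold and the sample headers are assumptions made for the demonstration.

```python
import re

# Header groups taken from the table above.
IMPORTANT = ["Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options",
             "Content-Security-Policy", "Referrer-Policy", "Permissions-Policy"]
RECOMMENDED = ["X-Permitted-Cross-Domain-Policies", "Clear-Site-Data",
               "Cross-Origin-Embedder-Policy", "Cross-Origin-Opener-Policy",
               "Cross-Origin-Resource-Policy"]
ONE_YEAR = 31536000  # HSTS max-age below one year is flagged as weak (assumed threshold)

def check_headers(headers):
    """Return missing headers per group plus warnings about weak values.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    report = {"missing_important": [n for n in IMPORTANT if n.lower() not in h],
              "missing_recommended": [n for n in RECOMMENDED if n.lower() not in h],
              "warnings": []}
    warn = report["warnings"].append
    hsts = h.get("strict-transport-security")
    if hsts is not None:  # present: check the max-age directive
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            warn("Strict-Transport-Security: max-age directive missing")
        elif int(m.group(1)) < ONE_YEAR:
            warn("Strict-Transport-Security: max-age shorter than one year")
    if h.get("x-frame-options", "").upper().startswith("ALLOW-FROM"):
        warn("X-Frame-Options: ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        warn("X-Content-Type-Options: the only valid value is 'nosniff'")
    rp = h.get("referrer-policy", "").lower()
    if rp in ("unsafe-url", "no-referrer-when-downgrade"):
        warn(f"Referrer-Policy: '{rp}' sends the full URL to other origins")
    csp = h.get("content-security-policy", "").lower()
    if csp and "default-src" not in csp:
        warn("Content-Security-Policy: no default-src fallback directive")
    return report

# Constructed sample response headers for the demonstration, not from any real site.
SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for key, items in check_headers(SAMPLE).items():
        print(f"{key}: {items}")
```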

Attention!

This method will not work for requests to static files.

The following directive can be added to the .htaccess file in the site root directory so that the web server adds the header to its responses (it requires Apache with the mod_headers module):

Header set X-Frame-Options "DENY"

Instead of X-Frame-Options and DENY, specify any other required header and its value. Quote the value if it contains spaces or semicolons, as Content-Security-Policy values usually do. Writing "Header always set" instead of "Header set" also applies the header to error responses (4xx and 5xx), not only to successful ones.

Attention!

This method will not work for requests to static files, or for any file that is not produced by a script that sets the header.

The PHP language has a built-in function, header(), which adds a header to the server response. It must be called before the script produces any output (including whitespace before the opening <?php tag); otherwise PHP reports that headers have already been sent and the header is not added. To add a header, put the following line in the required script, for example index.php:

header('X-Frame-Options: DENY', false, 200);

Substitute the necessary data; the optional parameters may be omitted:

  • Instead of X-Frame-Options: DENY, specify the required header and its value.
  • The second parameter (default true) indicates whether to replace a header of the same name that was set earlier. Set it to false to send several headers with the same name but different values, or true to replace the existing header.
  • The third parameter is also optional and forces the HTTP response code of the server (200 in this example).

Attention!

This method will only work for pages and documents where the described meta tag is set.

In HTML, the meta tag has a special attribute, http-equiv, that makes the browser treat the tag as if the header had been sent by the server. Not every header is honoured this way: browsers apply Content-Security-Policy from a meta tag, but ignore X-Frame-Options and Strict-Transport-Security delivered in it, so those must be sent as real response headers. The attribute is used as follows:

<meta http-equiv="X-Frame-Options" content="DENY">

Replace the data with the required header and its value:

  • Specify the header itself in the http-equiv attribute.
  • Specify the desired header value in the content attribute.