2.18.8. Security headers
Our website offers a tool that you can use to validate the security headers returned by a site. Such headers have a great impact on the security of both the site itself and its visitors, so we recommend adding these headers to your sites.
Description
Attention!
- This article gives brief descriptions of the headers and their possible values. Full details can be found in the relevant documentation.
- Some values contain placeholders that you must replace with your own data; for example, instead of <url> specify the address of your site in the form example.com.
- Required values or data are shown in bold.
The most popular security headers include the following:
Header | Valid values | Description |
---|---|---|
**Important headers** | | |
Strict-Transport-Security (HSTS) | max-age=<time in seconds>; optionally includeSubDomains, preload | Tells the browser to connect to the site only over HTTPS for the given time. Browsers honor this header only when it arrives on an HTTPS response. You can add this header in the site settings |
X-Frame-Options | DENY , SAMEORIGIN , ALLOW-FROM <url> | Denies or allows displaying the page inside a frame, iframe, embed or object. ALLOW-FROM is obsolete and ignored by current browsers; use the Content-Security-Policy directive frame-ancestors instead |
X-Content-Type-Options | nosniff | Disables MIME sniffing: the browser blocks script and stylesheet requests whose declared Content-Type does not match the expected type instead of guessing the type from the content |
Content-Security-Policy | default-src , <directives>, <values> | Policy that restricts, or explicitly allows, the sources from which scripts, styles, images and other content may be loaded. Because the list of directives and values is long, see the documentation |
Referrer-Policy | no-referrer , no-referrer-when-downgrade , origin , origin-when-cross-origin , same-origin , strict-origin , strict-origin-when-cross-origin , unsafe-url | Specifies what the browser sends in the Referer header about the page from which the navigation or request was made. If the header is absent, browsers use the default strict-origin-when-cross-origin |
Permissions-Policy | <directive>=<allowlist> | Determines which browser features (camera, microphone, geolocation and so on) the site and the frames it embeds may use. Earlier versions of this header were called Feature-Policy. Because the list of directives is long, see the documentation |
**Recommended headers** | | |
X-Permitted-Cross-Domain-Policies | none | Controls whether Flash and Adobe Acrobat (PDF) clients may make cross-domain requests to the site; none forbids them |
Clear-Site-Data | "*" , "cache" , "cookies" , "storage" | Tells the browser to clear the data it holds for the site (cache, cookies, storage). Values are quoted and comma-separated, for example Clear-Site-Data: "cache", "cookies" |
Cross-Origin-Embedder-Policy | unsafe-none , require-corp | Prevents the document from loading cross-origin resources that have not explicitly opted in (via CORS or Cross-Origin-Resource-Policy) |
Cross-Origin-Opener-Policy | unsafe-none , same-origin-allow-popups , same-origin | Controls whether a top-level document shares its browsing context group with cross-origin documents that opened it or that it opens; same-origin isolates it from them |
Cross-Origin-Resource-Policy | same-site , same-origin , cross-origin | Lets a resource declare which origins may load it as a subresource; the browser blocks disallowed cross-origin loads without exposing the resource's contents |
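The following PHP script is an added example, not the validation tool mentioned above: it audits a set of response headers against the recommendations in the table and reports what is missing or weak. It runs offline on a constructed header array; the thresholds (one year for HSTS, the set of accepted Referrer-Policy values) and the function name audit_security_headers are the example's own choices, and PHP 8 is assumed for str_starts_with.

```php
<?php
// Added example, not the hosting provider's checker: audits response headers against
// the recommendations in the table above. Assumes PHP 8 (str_starts_with).
declare(strict_types=1);

const REFERRER_POLICIES = [
    'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
    'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

/** Returns a list of findings; an empty array means every checked header looks good. */
function audit_security_headers(array $headers): array
{
    // HTTP header names are case-insensitive, so normalise them before looking up.
    // Repeated headers (arrays, as get_headers() returns them) are joined with commas.
    $h = [];
    foreach ($headers as $name => $value) {
        $h[strtolower((string) $name)] = trim(is_array($value) ? implode(', ', $value) : (string) $value);
    }
    $findings = [];

    $hsts = $h['strict-transport-security'] ?? '';
    if ($hsts === '') {
        $findings[] = 'Strict-Transport-Security is missing';
    } elseif (!preg_match('/max-age=(\d+)/i', $hsts, $m) || (int) $m[1] < 31536000) {
        $findings[] = 'Strict-Transport-Security max-age is shorter than one year';
    }

    $xfo = strtoupper($h['x-frame-options'] ?? '');
    if ($xfo === '') {
        $findings[] = 'X-Frame-Options is missing';
    } elseif (str_starts_with($xfo, 'ALLOW-FROM')) {
        $findings[] = 'X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors';
    } elseif (!in_array($xfo, ['DENY', 'SAMEORIGIN'], true)) {
        $findings[] = "X-Frame-Options has an unknown value: $xfo";
    }

    if (strtolower($h['x-content-type-options'] ?? '') !== 'nosniff') {
        $findings[] = 'X-Content-Type-Options should be nosniff';
    }

    if (($h['content-security-policy'] ?? '') === '') {
        $findings[] = 'Content-Security-Policy is missing';
    }

    $ref = strtolower($h['referrer-policy'] ?? '');
    if ($ref === '') {
        $findings[] = 'Referrer-Policy is missing (browser default strict-origin-when-cross-origin applies)';
    } elseif (!in_array($ref, REFERRER_POLICIES, true)) {
        $findings[] = "Referrer-Policy has an unknown value: $ref";
    } elseif ($ref === 'unsafe-url' || $ref === 'no-referrer-when-downgrade') {
        $findings[] = "Referrer-Policy $ref sends the full URL to other origins";
    }

    if (($h['permissions-policy'] ?? '') === '') {
        $findings[] = 'Permissions-Policy is missing';
    }

    // Recommended headers: only report absence.
    foreach (['x-permitted-cross-domain-policies', 'cross-origin-opener-policy',
              'cross-origin-resource-policy'] as $name) {
        if (!isset($h[$name])) {
            $findings[] = "$name is not set (recommended)";
        }
    }
    return $findings;
}

// Constructed sample response headers (not captured from a real site).
$sample = [
    'Content-Type'              => 'text/html; charset=utf-8',
    'Strict-Transport-Security' => 'max-age=300',
    'X-Frame-Options'           => 'ALLOW-FROM https://example.com',
    'x-content-type-options'    => 'nosniff',
    'Referrer-Policy'           => 'unsafe-url',
];
foreach (audit_security_headers($sample) as $finding) {
    echo "- $finding\n";
}
// To audit a live site, build the array from get_headers('https://example.com/', true).
```

Run it with `php audit.php`; on the constructed sample it reports the short HSTS lifetime, the obsolete ALLOW-FROM value, the leaky Referrer-Policy and the absent CSP, Permissions-Policy and recommended headers. The X-Content-Type-Options entry is deliberately lowercase in the sample to show that the lookup is case-insensitive.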
Adding
.htaccess
Attention!
This method will not work for requests to static files.
In the .htaccess file in the root directory of the site you can add the following mod_headers directive to set a header on the responses served by the site:
Header always set X-Frame-Options "DENY"
Instead of X-Frame-Options "DENY" specify any other required header and its value. The always keyword makes the header apply to error responses as well, not only to successful ones.
PHP
Attention!
This method will not work for requests to static files, or for files that are served without running a script that sets the headers.
PHP has a built-in function header() that adds a header to the server response. It must be called before the script produces any output (including whitespace before the opening <?php tag); once output has started, header() has no effect and PHP emits a "headers already sent" warning. To add a header, place roughly the following line in the required script, for example index.php:
header('X-Frame-Options: DENY', false, 200);
Substitute the required data; the optional parameters can be omitted:
- Instead of X-Frame-Options: DENY specify the required header and its value.
- The second parameter is optional (default true) and indicates whether to replace a header of the same name that was set earlier. Set it to false if you need to send several headers with the same name but different values, or true if you want to replace the existing header.
- The third parameter is also optional and forces the HTTP response status code sent by the server.
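The following script is an added example, not code from the original page: a complete security_headers.php that can be included as the first line of index.php to send the headers from the table above. The policy values (the CSP, the Permissions-Policy feature list, the one-year HSTS lifetime) and the function names are assumptions for illustration and should be adjusted to the real site; the HTTPS detection via $_SERVER is a plain-Apache assumption and must be changed if TLS is terminated by a proxy.

```php
<?php
// security_headers.php: added example (not from the original page). Include it as the
// very first line of index.php, before any output, so header() can still take effect.
declare(strict_types=1);

/** Builds the header set; HSTS is added only for HTTPS responses, where browsers honor it. */
function security_headers(bool $https): array
{
    // Assumed policy values: tighten or loosen the CSP and Permissions-Policy for the real site.
    $headers = [
        'X-Frame-Options'                   => 'DENY',
        'X-Content-Type-Options'            => 'nosniff',
        'Content-Security-Policy'           => "default-src 'self'; object-src 'none'; "
                                             . "base-uri 'self'; frame-ancestors 'none'",
        'Referrer-Policy'                   => 'strict-origin-when-cross-origin',
        'Permissions-Policy'                => 'camera=(), microphone=(), geolocation=()',
        'X-Permitted-Cross-Domain-Policies' => 'none',
        'Cross-Origin-Opener-Policy'        => 'same-origin',
    ];
    if ($https) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

/** Sends the headers; returns false (and logs where output began) if it is already too late. */
function send_security_headers(): bool
{
    if (headers_sent($file, $line)) {
        error_log("security headers skipped: output already started at $file:$line");
        return false;
    }
    // Plain-Apache assumption; behind a TLS-terminating proxy, inspect the proxy's
    // forwarded-protocol header instead of $_SERVER['HTTPS'].
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    foreach (security_headers($https) as $name => $value) {
        header("$name: $value", true); // replace=true overrides any earlier value of this header
    }
    return true;
}

send_security_headers();
```

The headers_sent() guard is what makes the "before any output" rule testable: if a stray byte of output precedes the include, the script logs the file and line where output began instead of silently sending a page without protection.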
HTML
Attention!
This method works only for the pages and documents in which the meta tag described below is placed, and browsers honor only a few headers delivered this way. In HTML the meta tag has an http-equiv attribute that lets a page supply a header from inside the document. Content-Security-Policy is honored in a meta tag (except for its frame-ancestors directive); X-Frame-Options is ignored when delivered via meta and must be sent as a real HTTP header. Its use looks roughly like this:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Replace the data with the required header and its value:
- In the http-equiv attribute specify the header name.
- In the content attribute specify the desired header value.
Place the tag in <head> before any scripts or stylesheets it is meant to govern, because the policy applies only to content that follows it.