Skip to main content

Security headers


Access-Control-Allow-Credentials

  • Impact: Allows servers to include credentials (cookies, HTTP authentication) in cross-origin requests. Misconfiguring this header can expose sensitive data to unauthorized domains【9†source】.
  • Remediation: Set Access-Control-Allow-Credentials to true only when necessary and ensure Access-Control-Allow-Origin is set to specific trusted domains【10†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Credentials "true" in the virtual host or .htaccess.
      • Nginx: Use add_header Access-Control-Allow-Credentials "true"; in the server block.
    • Windows:
      • IIS: Go to HTTP Response Headers and add Access-Control-Allow-Credentials with the value true.

Access-Control-Allow-Headers

  • Impact: Specifies which HTTP headers can be used in cross-origin requests. Allowing too many headers can increase the risk of sensitive data exposure【9†source】.
  • Remediation: Limit the headers to those that are necessary for your application, e.g., Access-Control-Allow-Headers: Content-Type, Authorization【10†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Headers "Content-Type, Authorization".
      • Nginx: Use add_header Access-Control-Allow-Headers "Content-Type, Authorization";.
    • Windows:
      • IIS: Under HTTP Response Headers, add Access-Control-Allow-Headers with necessary headers.

Access-Control-Allow-Methods

  • Impact: Specifies the HTTP methods allowed in cross-origin requests. Allowing unnecessary methods may expose the server to security risks【9†source】.
  • Remediation: Restrict this header to necessary methods, e.g., Access-Control-Allow-Methods: GET, POST, OPTIONS【10†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Methods "GET, POST, OPTIONS".
      • Nginx: Use add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";.
    • Windows:
      • IIS: In the HTTP Response Headers, add Access-Control-Allow-Methods.

Access-Control-Allow-Origin

  • Impact: Specifies which origins can access the resource. Using * can expose sensitive data to any origin【9†source】.
  • Remediation: Set this header to specific trusted origins, e.g., Access-Control-Allow-Origin: https://trusted-site.com【10†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Origin "https://trusted-site.com".
      • Nginx: Use add_header Access-Control-Allow-Origin "https://trusted-site.com";.
    • Windows:
      • IIS: Add Access-Control-Allow-Origin in HTTP Response Headers with the trusted origin.

Access-Control-Expose-Headers

  • Impact: Indicates which headers can be exposed as part of the response, useful in CORS requests. Over-exposing headers can lead to information leakage【9†source】.
  • Remediation: Only expose necessary headers, e.g., Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header【10†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header".
      • Nginx: Use add_header Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header";.
    • Windows:
      • IIS: Add Access-Control-Expose-Headers under HTTP Response Headers.

Access-Control-Max-Age

  • Impact: Specifies how long the results of a preflight request can be cached. If set too high, it may cache outdated policies【9†source】.
  • Remediation: Set to a reasonable value in seconds, e.g., Access-Control-Max-Age: 3600 (1 hour)【10†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Max-Age "3600".
      • Nginx: Use add_header Access-Control-Max-Age "3600";.
    • Windows:
      • IIS: Add Access-Control-Max-Age in HTTP Response Headers with the value 3600.

Clear-Site-Data

  • Impact: Clears browsing data (cookies, storage, cache) associated with the website. Useful for logging out or on error pages【9†source】.
  • Remediation: Set Clear-Site-Data with appropriate directives, e.g., Clear-Site-Data: "cache", "cookies", "storage"【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Clear-Site-Data "\"cache\", \"cookies\", \"storage\""
      • Nginx: Use add_header Clear-Site-Data "\"cache\", \"cookies\", \"storage\"";.
    • Windows:
      • IIS: Add Clear-Site-Data under HTTP Response Headers.

Content-Security-Policy

  • Impact: Prevents XSS, clickjacking, and other code injection attacks by specifying allowed content sources【9†source】.
  • Remediation: Define strict rules for content sources, e.g., Content-Security-Policy: default-src 'self'; script-src 'self';【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Content-Security-Policy "default-src 'self'; script-src 'self';".
      • Nginx: Use add_header Content-Security-Policy "default-src 'self'; script-src 'self';";.
    • Windows:
      • IIS: Add Content-Security-Policy in HTTP Response Headers.

Cross-Origin-Embedder-Policy

  • Impact: Prevents a document from loading cross-origin resources unless explicitly permitted. Protects against resource loading attacks【9†source】.
  • Remediation: Set Cross-Origin-Embedder-Policy: require-corp to require all resources to have CORS enabled or be same-origin【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Cross-Origin-Embedder-Policy "require-corp".
      • Nginx: Use add_header Cross-Origin-Embedder-Policy "require-corp";.
    • Windows:
      • IIS: Add Cross-Origin-Embedder-Policy in HTTP Response Headers.

Cross-Origin-Opener-Policy

  • Impact: Controls how a document interacts with its opener across origins, reducing risks like cross-origin attacks【9†source】.
  • Remediation: Set Cross-Origin-Opener-Policy: same-origin to isolate the window from documents from other origins【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Cross-Origin-Opener-Policy "same-origin".
      • Nginx: Use add_header Cross-Origin-Opener-Policy "same-origin";.
    • Windows:
      • IIS: Add Cross-Origin-Opener-Policy in HTTP Response Headers.

Cross-Origin-Resource-Policy

  • Impact: Prevents other domains from reading the response of the resources it is set on, protecting against unauthorized data access【9†source】.
  • Remediation: Set Cross-Origin-Resource-Policy: same-origin for sensitive resources【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Cross-Origin-Resource-Policy "same-origin".
      • Nginx: Use add_header Cross-Origin-Resource-Policy "same-origin";.
    • Windows:
      • IIS: Add Cross-Origin-Resource-Policy in HTTP Response Headers.

Permission-Policy

  • Impact: Controls which browser features and APIs can be used in the document or embedded iframes, reducing the risk of feature abuse【9†source】.
  • Remediation: Set Permission-Policy with appropriate directives, e.g., Permission-Policy: geolocation=(), microphone=(), camera=()【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Permission-Policy "geolocation=(), microphone=(), camera=()".
      • Nginx: Use add_header Permission-Policy "geolocation=(), microphone=(), camera=()";.
    • Windows:
      • IIS: Add Permission-Policy in HTTP Response Headers with the required settings.

Referrer-Policy

  • Impact: Controls the amount of referrer information included in requests, enhancing user privacy and reducing potential information leakage【9†source】.
  • Remediation: Use a strict policy, e.g., Referrer-Policy: strict-origin-when-cross-origin, to limit the information sent in the Referer header【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Referrer-Policy "strict-origin-when-cross-origin".
      • Nginx: Use add_header Referrer-Policy "strict-origin-when-cross-origin";.
    • Windows:
      • IIS: Set Referrer-Policy in HTTP Response Headers.

Strict-Transport-Security (HSTS)

  • Impact: Enforces the use of HTTPS for all future connections to the domain, preventing downgrade attacks and cookie hijacking【9†source】.
  • Remediation: Set Strict-Transport-Security to enforce HTTPS, e.g., Strict-Transport-Security: max-age=31536000; includeSubDomains【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set Strict-Transport-Security "max-age=31536000; includeSubDomains".
      • Nginx: Use add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";.
    • Windows:
      • IIS: Add Strict-Transport-Security in HTTP Response Headers.

X-Frame-Options

  • Impact: Prevents clickjacking attacks by controlling whether a browser should be allowed to render a page in a frame or iframe【9†source】.
  • Remediation: Set X-Frame-Options to DENY or SAMEORIGIN to control framing, e.g., X-Frame-Options: DENY【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set X-Frame-Options "DENY".
      • Nginx: Use add_header X-Frame-Options "DENY";.
    • Windows:
      • IIS: Add X-Frame-Options in HTTP Response Headers.

X-Permitted-Cross-Domain-Policies

  • Impact: Controls which cross-domain policies the browser should allow, reducing potential attack surfaces【9†source】.
  • Remediation: Set X-Permitted-Cross-Domain-Policies to a strict policy, e.g., X-Permitted-Cross-Domain-Policies: none【9†source】.
  • Installation:
    • Linux:
      • Apache: Add Header set X-Permitted-Cross-Domain-Policies "none".
      • Nginx: Use add_header X-Permitted-Cross-Domain-Policies "none";.
    • Windows:
      • IIS: Add X-Permitted-Cross-Domain-Policies in HTTP Response Headers.

Back to top