
Security headers


1. Access-Control-Allow-Credentials

  • Impact: Tells the browser whether a cross-origin request may carry credentials (cookies, HTTP authentication) and whether the response to such a request may be exposed to the calling script. Misconfiguring this header can expose authenticated data to untrusted origins.
  • Remediation: Send Access-Control-Allow-Credentials: true only where a cross-origin caller genuinely needs credentials, and pair it with an Access-Control-Allow-Origin that names one specific trusted origin. Browsers refuse credentialed responses whose Access-Control-Allow-Origin is '*', and reflecting the request's Origin value back without checking it against an allowlist is the same thing as '*' with credentials.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Credentials "true" in the virtual host or .htaccess, scoped (for example with a <Location> block) to the endpoints that need it.
      • Nginx: Use add_header Access-Control-Allow-Credentials "true"; in the relevant server or location block.
    • Windows:
      • IIS: In IIS Manager, open HTTP Response Headers for the site or application and add Access-Control-Allow-Credentials with the value true (this writes a customHeaders entry to web.config).

2. Access-Control-Allow-Headers

  • Impact: Sent in the preflight response to list the request headers the browser may include in the actual cross-origin request. Allowing more headers than needed widens the interface an attacker's page can drive and can help leak sensitive data.
  • Remediation: Limit the header to those your application actually reads, e.g., Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Authorization. The wildcard '*' is not honoured for credentialed requests, so list headers explicitly rather than relying on it.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Headers "Content-Type, Authorization".
      • Nginx: Use add_header Access-Control-Allow-Headers "Content-Type, Authorization";.
    • Windows:
      • IIS: Under HTTP Response Headers, add Access-Control-Allow-Headers with the necessary headers.

3. Access-Control-Allow-Methods

  • Impact: Sent in the preflight response to list the HTTP methods allowed for cross-origin requests. Advertising methods the endpoint does not need (PUT, DELETE, PATCH) exposes state-changing actions to every origin the policy admits.
  • Remediation: Restrict the header to the methods the resource needs, e.g., Access-Control-Allow-Methods: GET, POST, OPTIONS. As with headers, '*' is not honoured for credentialed requests. The header only governs what the browser will send; the server must still reject unlisted methods itself.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Methods "GET, POST, OPTIONS".
      • Nginx: Use add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";.
    • Windows:
      • IIS: In HTTP Response Headers, add Access-Control-Allow-Methods with the allowed methods.

4. Access-Control-Allow-Origin

  • Impact: Names the origin allowed to read the response. Using '*' lets any website read the resource, and reflecting the request's Origin header without validation has the same effect while also permitting credentials.
  • Remediation: Set the header to a specific trusted origin, e.g., Access-Control-Allow-Origin: https://trusted-site.com, and avoid '*' except for genuinely public, unauthenticated data. The header takes a single origin, so to serve several trusted origins compare the incoming Origin against an allowlist, echo only a match, and add Vary: Origin so a shared cache does not serve one origin's response to another. Do not use the value null: sandboxed iframes and data: URLs send Origin: null, so it is effectively a wildcard.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Allow-Origin "https://trusted-site.com".
      • Nginx: Use add_header Access-Control-Allow-Origin "https://trusted-site.com";.
    • Windows:
      • IIS: Add Access-Control-Allow-Origin under HTTP Response Headers with the trusted origin.

5. Access-Control-Expose-Headers

  • Impact: Lists the response headers, beyond the small CORS-safelisted set (such as Cache-Control, Content-Type and Last-Modified), that cross-origin script is allowed to read. Over-exposing headers can leak internal information such as session identifiers or debugging data.
  • Remediation: Expose only the headers a cross-origin client needs, e.g., Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header".
      • Nginx: Use add_header Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header";.
    • Windows:
      • IIS: Add Access-Control-Expose-Headers under HTTP Response Headers.

6. Access-Control-Max-Age

  • Impact: Tells the browser how many seconds it may cache the result of a preflight request for a given URL and origin. A very long value keeps an outdated CORS policy in effect after the server has changed it; browsers cap the value anyway (Chromium at 7200 seconds, Firefox at 86400).
  • Remediation: Set Access-Control-Max-Age to a modest value in seconds, e.g., Access-Control-Max-Age: 3600 (one hour), and keep it short while a CORS configuration is still being changed.
  • Installation:
    • Linux:
      • Apache: Add Header set Access-Control-Max-Age "3600".
      • Nginx: Use add_header Access-Control-Max-Age "3600";.
    • Windows:
      • IIS: Add Access-Control-Max-Age in HTTP Response Headers with the value 3600.
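The CORS headers in sections 1 to 6 interact, and the easiest way to see how is to evaluate a response the way a browser does. The following Python script is an added example, not code from the original page: it approximates the browser's origin and credential check and flags the misconfigurations discussed above (wildcard with credentials, reflected origins, a null origin, missing Vary: Origin, state-changing methods behind a wildcard, an over-long Max-Age). The trusted-origin allowlist and the three sample responses are constructed for the example.

```python
"""Added example: judge CORS response headers the way a browser does and flag
the misconfigurations described above. Not code from the original page; the
allowlist and sample responses are constructed."""
from typing import Dict, List

# Assumed allowlist of origins that may call the API with credentials.
TRUSTED_ORIGINS = {"https://trusted-site.com", "https://app.trusted-site.com"}


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def browser_allows(headers: Dict[str, str], origin: str, with_credentials: bool) -> bool:
    """Approximate the CORS check a browser applies before exposing a response.

    Without credentials, '*' or an exact origin match is enough. With
    credentials, the origin must match exactly and
    Access-Control-Allow-Credentials must be the literal 'true'; '*' is rejected.
    """
    acao = header(headers, "Access-Control-Allow-Origin")
    acac = header(headers, "Access-Control-Allow-Credentials")
    if with_credentials:
        return acao == origin and acac == "true"
    return acao == "*" or acao == origin


def audit_cors(headers: Dict[str, str], request_origin: str) -> List[str]:
    """Return findings for a response to a request that carried Origin: request_origin."""
    findings: List[str] = []
    acao = header(headers, "Access-Control-Allow-Origin")
    acac = header(headers, "Access-Control-Allow-Credentials")
    vary = header(headers, "Vary").lower()
    methods = {m.strip().upper() for m in header(headers, "Access-Control-Allow-Methods").split(",") if m.strip()}

    if acao == "*" and acac == "true":
        findings.append("Allow-Origin '*' with Allow-Credentials true: browsers reject this, and it "
                        "signals an intent to share credentialed data with every origin")
    if acao == "null":
        findings.append("Allow-Origin 'null': sandboxed iframes and data: URLs send Origin: null, "
                        "so this is effectively a wildcard")
    if acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        detail = " with credentials: any site can read authenticated responses" if acac == "true" else ""
        findings.append(f"Allow-Origin reflects untrusted origin {request_origin}{detail}")
    if acao not in ("", "*") and "origin" not in vary:
        findings.append("Allow-Origin is origin-specific but Vary: Origin is missing: a shared cache "
                        "may serve one origin's response to another")
    if acao == "*" and methods & {"PUT", "PATCH", "DELETE"}:
        findings.append("state-changing methods are allowed for any origin")
    max_age = header(headers, "Access-Control-Max-Age")
    if max_age.isdigit() and int(max_age) > 86400:
        findings.append(f"Max-Age {max_age} exceeds one day; cached preflights will outlive policy changes")
    return findings


# Constructed sample responses.
REFLECTING_RESPONSE = {  # the "echo whatever Origin we received" anti-pattern
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
}
WILDCARD_CREDENTIALS_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://trusted-site.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Max-Age": "3600",
    "Vary": "Origin",
}

if __name__ == "__main__":
    for label, resp, origin in (
        ("reflecting", REFLECTING_RESPONSE, "https://evil.example"),
        ("wildcard+credentials", WILDCARD_CREDENTIALS_RESPONSE, "https://evil.example"),
        ("hardened", HARDENED_RESPONSE, "https://trusted-site.com"),
    ):
        print(label, "readable by", origin, "with cookies:", browser_allows(resp, origin, True))
        for finding in audit_cors(resp, origin):
            print("  -", finding)
```

The reflecting response is the dangerous case: browser_allows() returns True for the attacker's origin with cookies, which is exactly what a victim's browser would do. The wildcard-plus-credentials response fails the browser check, so it is a functional bug as well as a sign of a policy that was meant to be too broad.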

7. Clear-Site-Data

  • Impact: Instructs the browser to delete browsing data (cache, cookies, storage) associated with the responding site. Useful on logout, because it removes client-side state that expiring a single session cookie would miss.
  • Remediation: Send Clear-Site-Data with the needed directives, e.g., Clear-Site-Data: "cache", "cookies", "storage" on the logout response (or any response after which client state should be discarded). Each directive must be a quoted string, and "*" clears everything. Browsers only honour the header over HTTPS, and the "cookies" directive removes cookies for the whole registrable domain, including other subdomains.
  • Installation:
    • Linux:
      • Apache: Add Header set Clear-Site-Data "\"cache\", \"cookies\", \"storage\"" inside a <Location> block matching the logout path.
      • Nginx: Use add_header Clear-Site-Data "\"cache\", \"cookies\", \"storage\""; in the logout location block.
    • Windows:
      • IIS: Set this header under HTTP Response Headers for the logout endpoint.

8. Content-Security-Policy

  • Impact: Mitigates Cross-Site Scripting (XSS), clickjacking and other injection attacks by telling the browser which sources it may load scripts, styles, frames and other content from.
  • Remediation: Define a strict policy, e.g., Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'. Do not allow 'unsafe-inline' or 'unsafe-eval' in script-src: they let injected inline scripts and eval() run and remove most of the XSS benefit. Move inline scripts into files or authorise them with nonces or hashes, and roll a new policy out with Content-Security-Policy-Report-Only first so it can be tuned without breaking the site.
  • Installation:
    • Linux:
      • Apache: Add Header set Content-Security-Policy "default-src 'self'; script-src 'self';".
      • Nginx: Use add_header Content-Security-Policy "default-src 'self'; script-src 'self';";. Note that add_header directives are not inherited by a location block that defines its own add_header, so repeat security headers in every such block.
    • Windows:
      • IIS: Add Content-Security-Policy in HTTP Response Headers.

9. Cross-Origin-Embedder-Policy

  • Impact: Prevents a document from loading cross-origin resources that have not explicitly opted in (via CORS or a Cross-Origin-Resource-Policy header). Together with Cross-Origin-Opener-Policy it puts the page into a cross-origin isolated state, which browsers require for SharedArrayBuffer and high-resolution timers and which limits Spectre-style cross-origin reads.
  • Remediation: Set Cross-Origin-Embedder-Policy: require-corp so every subresource must be same-origin, served with CORS, or carry a permitting Cross-Origin-Resource-Policy. Audit third-party images, scripts and fonts first; any that lack the opt-in will fail to load.
  • Installation:
    • Linux:
      • Apache: Add Header set Cross-Origin-Embedder-Policy "require-corp".
      • Nginx: Use add_header Cross-Origin-Embedder-Policy "require-corp";.
    • Windows:
      • IIS: Add Cross-Origin-Embedder-Policy under HTTP Response Headers.

10. Cross-Origin-Opener-Policy

  • Impact: Controls whether a document shares a browsing context group with the cross-origin page that opened it, or that it opens. Isolating the window severs the window.opener reference used in tabnabbing and other cross-window attacks and, combined with Cross-Origin-Embedder-Policy, enables cross-origin isolation against Spectre-style leaks.
  • Remediation: Set Cross-Origin-Opener-Policy: same-origin to isolate the window from documents of other origins. If the site opens cross-origin popups that must keep a reference back (for example OAuth or payment flows), use same-origin-allow-popups instead.
  • Installation:
    • Linux:
      • Apache: Add Header set Cross-Origin-Opener-Policy "same-origin".
      • Nginx: Use add_header Cross-Origin-Opener-Policy "same-origin";.
    • Windows:
      • IIS: Configure Cross-Origin-Opener-Policy under HTTP Response Headers.

11. Cross-Origin-Resource-Policy

  • Impact: Lets a resource declare that no-cors requests from other origins (or other sites) may not read it, so an attacker's page cannot pull it into its own process via <img>, <script> or fetch() in no-cors mode. This protects sensitive responses against cross-site leaks and Spectre-style reads.
  • Remediation: Set Cross-Origin-Resource-Policy: same-origin on sensitive resources that only your origin should load. Use same-site where subdomains legitimately share assets, and cross-origin only on assets intentionally served to other sites (which is also what those assets need in order to load under Cross-Origin-Embedder-Policy: require-corp).
  • Installation:
    • Linux:
      • Apache: Add Header set Cross-Origin-Resource-Policy "same-origin".
      • Nginx: Use add_header Cross-Origin-Resource-Policy "same-origin";.
    • Windows:
      • IIS: Add Cross-Origin-Resource-Policy under HTTP Response Headers.

12. Permissions-Policy

  • Impact: Controls which browser features and APIs (geolocation, camera, microphone and others) the document and its embedded iframes may use, limiting what an injected script or a malicious third-party frame can do. The header is spelled Permissions-Policy (plural); browsers ignore the misspelling Permission-Policy. It replaces the older Feature-Policy header.
  • Remediation: Disable the features the site does not use, e.g., Permissions-Policy: geolocation=(), microphone=(), camera=(). Use (self) in place of () to allow a feature for your own origin only.
  • Installation:
    • Linux:
      • Apache: Add Header set Permissions-Policy "geolocation=(), microphone=(), camera=()".
      • Nginx: Use add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";.
    • Windows:
      • IIS: Add Permissions-Policy under HTTP Response Headers with the required settings.

13. Referrer-Policy

  • Impact: Controls how much of the current URL the browser sends in the Referer header of outgoing requests, limiting leakage of paths, query strings and tokens to third parties.
  • Remediation: Use a strict policy, e.g., Referrer-Policy: strict-origin-when-cross-origin, which sends only the origin to other sites and nothing on an HTTPS-to-HTTP downgrade. Modern browsers already default to this, but set it explicitly; where URLs carry sensitive data use same-origin or no-referrer.
  • Installation:
    • Linux:
      • Apache: Add Header set Referrer-Policy "strict-origin-when-cross-origin".
      • Nginx: Use add_header Referrer-Policy "strict-origin-when-cross-origin";.
    • Windows:
      • IIS: Configure Referrer-Policy under HTTP Response Headers.

14. Strict-Transport-Security (HSTS)

  • Impact: Tells the browser to use HTTPS for all future connections to the host for the stated period, preventing protocol-downgrade attacks and the interception of cookies over plain HTTP.
  • Remediation: Set Strict-Transport-Security on HTTPS responses, e.g., Strict-Transport-Security: max-age=31536000; includeSubDomains to enforce HTTPS for one year including subdomains. Browsers ignore the header on HTTP responses, so the HTTP-to-HTTPS redirect must remain in place. Start with a short max-age, confirm every subdomain serves HTTPS before adding includeSubDomains, and add preload only once you are prepared to submit the domain to the browser preload lists, since that is slow to undo.
  • Installation:
    • Linux:
      • Apache: Add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" in the HTTPS virtual host.
      • Nginx: Use add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; in the HTTPS server block (always sends the header on error responses too).
    • Windows:
      • IIS: Include this header under HTTP Response Headers for the HTTPS site.

15. X-Frame-Options

  • Impact: Reduces clickjacking by telling the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object>.
  • Remediation: Set X-Frame-Options: DENY to forbid all framing, or SAMEORIGIN to allow only pages from the same origin. ALLOW-FROM is obsolete and ignored by current browsers. The CSP frame-ancestors directive supersedes this header and is more flexible; send both so older clients are covered.
  • Installation:
    • Linux:
      • Apache: Add Header set X-Frame-Options "DENY".
      • Nginx: Use add_header X-Frame-Options "DENY";.
    • Windows:
      • IIS: Add X-Frame-Options under HTTP Response Headers.

16. X-Permitted-Cross-Domain-Policies

  • Impact: Tells Adobe Flash and Acrobat/Reader clients whether they may honour cross-domain policy files (crossdomain.xml) found on the site, which could otherwise grant those plugins cross-domain access to your content. Flash is end-of-life, but the header still closes the door for legacy clients.
  • Remediation: Set X-Permitted-Cross-Domain-Policies: none to disallow all cross-domain policy files, or master-only to honour only the crossdomain.xml at the site root.
  • Installation:
    • Linux:
      • Apache: Add Header set X-Permitted-Cross-Domain-Policies "none".
      • Nginx: Use add_header X-Permitted-Cross-Domain-Policies "none";.
    • Windows:
      • IIS: Add X-Permitted-Cross-Domain-Policies in HTTP Response Headers.
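As an added example that is not part of the original page, the Python script below audits a captured set of response headers against the remediations in sections 8 to 16: it parses the Content-Security-Policy and Strict-Transport-Security values, flags 'unsafe-inline' and 'unsafe-eval' in script sources, a short or subdomain-less HSTS max-age, a leaky Referrer-Policy, the Permission-Policy misspelling, missing isolation headers, a framable page and an obsolete X-Frame-Options value. The two sample responses are constructed; the weak one uses the permissive CSP often copied from tutorials.

```python
"""Added example: audit hardening headers from a captured HTTP response against
the remediations above. Not code from the original page; the two sample
responses are constructed."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # the HSTS max-age the browser preload lists require


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Turn "default-src 'self'; script-src 'self' cdn.example" into a directive map."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; -1 when it is missing."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    csp_value = header(headers, "Content-Security-Policy")
    policy = parse_csp(csp_value) if csp_value else {}
    if not csp_value:
        findings.append("Content-Security-Policy missing")
    scripts = policy.get("script-src", policy.get("default-src", []))  # script-src falls back to default-src
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in scripts:
            findings.append(f"CSP script sources allow {weak}: little XSS protection remains")
    xfo = header(headers, "X-Frame-Options").upper()
    if "frame-ancestors" not in policy and not xfo:
        findings.append("neither frame-ancestors nor X-Frame-Options: page can be framed (clickjacking)")
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)")

    hsts = header(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        if hsts_max_age(hsts) < ONE_YEAR:
            findings.append(f"HSTS max-age {hsts_max_age(hsts)} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains stay reachable over HTTP")

    referrer = header(headers, "Referrer-Policy").lower()
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks the full URL to cross-origin sites")

    if header(headers, "Permission-Policy") and not header(headers, "Permissions-Policy"):
        findings.append("header is spelled Permission-Policy; browsers only honour Permissions-Policy")
    elif not header(headers, "Permissions-Policy"):
        findings.append("Permissions-Policy missing")

    for name in ("Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy", "Cross-Origin-Resource-Policy"):
        if not header(headers, name):
            findings.append(f"{name} missing")

    xpcdp = header(headers, "X-Permitted-Cross-Domain-Policies").lower()
    if xpcdp and xpcdp not in ("none", "master-only"):
        findings.append(f"X-Permitted-Cross-Domain-Policies '{xpcdp}' lets legacy plugin clients read cross-domain data")
    return findings


# Constructed samples. The weak one carries the permissive CSP seen in many tutorials.
WEAK_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Permission-Policy": "geolocation=()",
}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit_headers(resp) or ["no findings"])
```

Feed it the headers from a real response (for example the dict produced by a curl -I capture or an HTTP client library) to compare a deployment against the list above; the checks are deliberately conservative, so a finding is a prompt to look, not proof of a vulnerability.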