What are the safe default values for security-related HTTP headers?
Some of the common security-related HTTP headers are:
These HTTP headers can activate browser mechanisms to protect visitors against attacks like cross-site scripting (XSS) or framing.
To set up the aforementioned headers, add the following additional directives to the Domains > example.com > Hosting & DNS > Apache & nginx Settings > Additional directives for HTTP and Domains > example.com > Hosting & DNS > Apache & nginx Settings > Additional directives for HTTPS fields:
The safe defaults for these headers are as follows:
header set X-Frame-Options DENY
header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "frame-ancestors 'none';"
header set Referrer-Policy no-referrer
X-Frame-Options HTTP header lets web browsers know whether website is allowed to be framed or not. Prevention of framing defends visitors against attacks like clickjacking.
Content-Security-Policy (CSP) protects a website against cross-site scripting (XSS) attacks. By whitelisting sources of approved content with CSP, browsers are prevented from loading malicious content of attackers. Use frame-ancestors to prevent the webpage from being loaded into a frame.
Referrer-Policy HTTP header lets browsers know which referrer information, that is sent in the Referrer header, should be part of the website request. The Referrer header contains the address of the previous web page from which the visitor followed a link to the requested page. The information in the Referrer header is mostly used for analytics and logging. However, there can be privacy and security risks. The information could be used e.g. for user tracking and the information could leak to third parties who eavesdrop the connection. These risks can be mitigated with the Referrer-Policy mechanism.