Knowledge Base

What are the safe default values for security-related HTTP headers on a Plesk server?

 
apachecross site scriptingcspcssdns

Question

What are the safe default values for security-related HTTP headers?

Answer

Some of the common security-related HTTP headers are:

  • X-Frame-Options
  • X-Content-Type-Options
  • Content-Security-Policy
  • Referrer-Policy

These HTTP headers can activate browser mechanisms to protect visitors against attacks like cross-site scripting (XSS) or framing.

To set up the aforementioned headers, add the following additional directives to the Domains > example.com > Hosting & DNS > Apache & nginx Settings > Additional directives for HTTP and Domains > example.com > Hosting & DNS > Apache & nginx Settings > Additional directives for HTTPS fields: 

The safe defaults for these headers are as follows:

header set X-Frame-Options DENY
header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "frame-ancestors 'none';"
header set Referrer-Policy no-referrer

X-Frame-Options HTTP header lets web browsers know whether website is allowed to be framed or not. Prevention of framing defends visitors against attacks like clickjacking.

X-Content-Type-Options HTTP header lets web browsers know that they must not do 'MIME type sniffing' and always follow the Content-Type as declared by the web server. The only valid value for this HTTP header is nosniff. When enabled, a browser will block requests for stylesheets and scripts when they do not have a corresponding Content-Type (i.e. text/css or a 'JavaScript MIME type' like application/javascript).

Content-Security-Policy (CSP) protects a website against cross-site scripting (XSS) attacks. By whitelisting sources of approved content with CSP, browsers are prevented from loading malicious content of attackers. Use frame-ancestors to prevent the webpage from being loaded into a frame.

Referrer-Policy HTTP header lets browsers know which referrer information, that is sent in the Referrer header, should be part of the website request. The Referrer header contains the address of the previous web page from which the visitor followed a link to the requested page. The information in the Referrer header is mostly used for analytics and logging. However, there can be privacy and security risks. The information could be used e.g. for user tracking and the information could leak to third parties who eavesdrop the connection. These risks can be mitigated with the Referrer-Policy mechanism.

 

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

© 2025 WebPros International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of WebPros International GmbH.

Managed with love with Plesk WP Toolkit