- See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- See http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
- See http://blog.veracode.com/2014/03/security-headers-on-the-top-1000000-websites-march-2014-report/
- See http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
- See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- See http://tools.ietf.org/html/rfc6797
31536000is about one year.
header("Strict-Transport-Security","max-age=31536000; includeSubDomains")
Note: If you replace deny with sameorigin, it will allow framing from the same site.
- See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- See http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01
- See http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
header("X-Frame-Options","deny")
That is: Don't access anything on the web page not pointing to your page's domain.
- See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- See http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
header("X-XSS-Protection","1; mode=block")
- See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- See http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
- http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
header("X-Content-Type-Options","nosniff")
header("Content-Security-Policy","script-src 'self'")
This is enforced by default if writing a Chrome Extension but in general requires more consideration before activating.
DISABLED header("X-WebKit-CSP","default-src 'self'")