
@davesag
Last active September 21, 2020 07:52
Ross's standard server security headers

Dr Ross Williams' collection of security related HTTP headers

Reject all HTTP connections. Convert them to HTTPS or generate an error.

header("Strict-Transport-Security","max-age=31536000; includeSubDomains")

Do not allow the web page to be displayed within a frame of someone else's web page.

Note: If you replace deny with sameorigin, it will allow framing from the same site.

header("X-Frame-Options","deny")

Prevent cross-site scripting.

That is: do not access anything on the web page that does not point to your page's domain.

header("X-XSS-Protection","1; mode=block")

Prevents clients from inferring the type of files uploaded by users.

header("X-Content-Type-Options","nosniff")

Prevents the browser from loading scripts not sourced from the main website.

header("Content-Security-Policy","script-src 'self'")

Disallow inline JavaScript.

This is enforced by default if writing a Chrome Extension but in general requires more consideration before activating.

DISABLED header("X-WebKit-CSP","default-src 'self'")
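The following is an added example, not code from the gist or from Dr Williams. It packages the headers listed above (the DISABLED X-WebKit-CSP one is left out) as a WSGI middleware that adds them to every response, and pairs it with an audit function a defender can run over any server's response headers to spot which of these are missing or weaker than the gist's values (an HSTS max-age under one year, a CSP that allows inline script). WSGI, the demo app and the constructed "weak" response are assumptions of the example. X-XSS-Protection is kept because the gist lists it, but note that current Chromium-based browsers and Firefox no longer act on it, so the CSP header does the real work against script injection.

```python
"""Added example: apply and audit the security headers from the gist."""
import re
from typing import Dict, Iterable, List, Tuple

# Header set taken from the gist. X-WebKit-CSP is omitted because the gist marks it DISABLED.
# X-XSS-Protection is kept for completeness; modern browsers ignore it, CSP is the effective control.
SECURITY_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self'",
}

ONE_YEAR = 31536000  # seconds, the max-age the gist uses


def add_security_headers(app):
    """WSGI middleware (assumed framework): append each header unless the app already set it."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def audit_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return findings for a response; an empty list means every gist header is present and sane."""
    found = {name.lower(): value for name, value in headers}
    findings: List[str] = []
    for name in SECURITY_HEADERS:
        if name.lower() not in found:
            findings.append(f"missing {name}")
    hsts = found.get("strict-transport-security")
    if hsts:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    xfo = found.get("x-frame-options", "").lower()
    if xfo and xfo not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")
    csp = found.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        findings.append("CSP permits inline script")
    return findings


def demo_app(environ, start_response):
    """Minimal WSGI app (constructed) that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>hello</html>"]


def run_app(app, path="/"):
    """Drive a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed response from a server that sets only a weak HSTS header.
    weak = [("Content-Type", "text/html"), ("Strict-Transport-Security", "max-age=300")]
    print(audit_headers(weak))
    _, hardened, _ = run_app(add_security_headers(demo_app))
    print(audit_headers(hardened))
```

Run the audit against the header list your HTTP client or proxy captured; the middleware only appends headers the application has not already set, so an app that deliberately sends `X-Frame-Options: sameorigin` keeps its own value.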
