Security HTTP Headers

X-Frame-Options

// Raw header
X-Frame-Options: sameorigin
// How to send the response header with PHP
header("X-Frame-Options: sameorigin");
// How to send the response header with Apache (.htaccess)
Header set X-Frame-Options "sameorigin"
// How to send the response header with Express.js
// Express middleware: stamp X-Frame-Options on every response so the page can
// only be framed by documents from the same origin (clickjacking defense).
// CSP `frame-ancestors` is the modern replacement and is honored more widely;
// sending both is common while older clients are still in use.
app.use((req, res, next) => {
  res.header("X-Frame-Options", "sameorigin");
  next();
});

X-XSS-Protection

// Raw header
X-XSS-Protection: 1; mode=block
// How to send the response header with PHP
// NOTE(review): the browser XSS auditor this header controls has been removed from
// Chromium and never existed in Firefox; current OWASP guidance is to send `0` or omit
// the header and rely on Content-Security-Policy. Value kept as the page documents it.
// As with any header(), this must run before any output is sent.
header("X-XSS-Protection: 1; mode=block");
// How to send the response header with Apache (.htaccess)
Header set X-XSS-Protection "1; mode=block"
// How to send the response header with Express.js
// Express middleware: enable the legacy browser XSS auditor in blocking mode.
// NOTE(review): the auditor has been removed from Chromium and was never in
// Firefox; current guidance (OWASP) is to send `0` or omit the header and rely
// on Content-Security-Policy instead. Value kept as the page documents it.
app.use((req, res, next) => {
  res.header("X-XSS-Protection", "1; mode=block");
  next();
});

X-Content-Type-Options

// Raw header
X-Content-Type-Options: nosniff
// How to send the response header with PHP
header("X-Content-Type-Options: nosniff");
// How to send the response header with Apache (.htaccess)
Header set X-Content-Type-Options "nosniff"
// How to send the response header with Express.js
// Express middleware: forbid MIME sniffing so browsers honor the declared
// Content-Type (e.g. a user upload served as text/plain is never executed as
// script or applied as a stylesheet).
app.use((req, res, next) => {
  res.header("X-Content-Type-Options", "nosniff");
  next();
});

Strict-Transport-Security

// Raw header
Strict-Transport-Security: max-age=31536000
// or
Strict-Transport-Security: max-age=31536000; includeSubDomains
// How to send the response header with PHP
// HSTS for one year (31536000 s). Browsers ignore this header on plain-HTTP
// responses, so it must be served over TLS. The `includeSubDomains` variant shown
// in the raw header above is not sent here; add it (and `preload`) only once every
// subdomain is HTTPS-ready, since the policy cannot be withdrawn before max-age expires.
header("Strict-Transport-Security: max-age=31536000");
// How to send the response header with Apache (.htaccess)
Header set Strict-Transport-Security "max-age=31536000"
// How to send the response header with Express.js
// Express middleware: tell browsers to use HTTPS only for one year (31536000 s).
// Browsers ignore this header on plain-HTTP responses, so it must be served
// over TLS. The `includeSubDomains` variant shown in the raw header above is
// not sent here; add it (and `preload`) only once every subdomain is
// HTTPS-ready, because the policy cannot be withdrawn before max-age expires.
app.use((req, res, next) => {
  res.header("Strict-Transport-Security", "max-age=31536000");
  next();
});

Content-Security-Policy

// Raw header
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
// How to send the response header with PHP
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
// How to send the response header with Apache (.htaccess)
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
// How to send the response header with Express.js
// Express middleware: apply a restrictive CSP. `default-src 'none'` means any
// fetch type not listed below (fonts, frames, media, workers, …) is blocked,
// so extend the directive list to match the application before deploying.
// The trailing `;` is tolerated by CSP parsers.
app.use((req, res, next) => {
  res.header(
    "Content-Security-Policy",
    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
  );
  next();
});

Access-Control-Allow-Origin/Public-Key-Pins

// Raw
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"
// PHP
// NOTE(review): HPKP is deprecated and no longer enforced by mainstream browsers.
// A wrong pin locks clients out for `max-age`, so pins are only safe with a backup
// key and verified digests. The second pin value here is 46 characters, whereas a
// base64 SHA-256 digest is 44 — verify the value before use.
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"');
// Apache
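# Fix: the second pin was written as `\FRE9…` (missing the escaped opening quote),
# which produced an invalid header value; both pins are now quoted the same way.
# NOTE(review): HPKP is deprecated and unenforced by mainstream browsers; the second
# pin value is 46 characters, whereas a base64 SHA-256 digest is 44 — verify it.
Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://technology.freenetsolutions.com/\""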
// nginx
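# Fix: the second pin was written as `\FRE9…` (missing the escaped opening quote),
# which produced an invalid header value; both pins are now quoted the same way.
# nginx only adds this header to 2xx/3xx responses unless `always` is appended.
# NOTE(review): HPKP is deprecated and unenforced by mainstream browsers; the second
# pin value is 46 characters, whereas a base64 SHA-256 digest is 44 — verify it.
add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";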
// Express.js
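// Express middleware: send HTTP Public Key Pinning.
// Fix: the second pin value was missing its opening double quote
// (`pin-sha256=FRE9…` → `pin-sha256="FRE9…"`), which left the header malformed.
// NOTE(review): HPKP is deprecated and no longer enforced by mainstream
// browsers; a wrong pin locks clients out for `max-age`, so pins are only safe
// with a backup key and verified digests. The second pin value shown here is
// 46 characters, whereas a base64 SHA-256 digest is 44 — verify it before use.
app.use((req, res, next) => {
  res.header(
    "Public-Key-Pins",
    'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains'
  );
  next();
});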

Referrer-Policy

// Raw header
Referrer-Policy: origin-when-cross-origin
// PHP
header("Referrer-Policy: origin-when-cross-origin");
// Apache
Header set Referrer-Policy "origin-when-cross-origin"
// nginx
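# Fix: nginx directives must end with `;` — the original line had none and would
# fail `nginx -t`. add_header only applies to 2xx/3xx responses unless `always`
# is appended.
add_header Referrer-Policy "origin-when-cross-origin";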
// Express.js
// Express middleware: send only the origin (no path or query) to cross-origin
// destinations and the full URL to same-origin ones. Unlike
// strict-origin-when-cross-origin (the current browser default), this policy
// still reveals the origin on HTTPS→HTTP navigations.
app.use((req, res, next) => {
  res.header("Referrer-Policy", "origin-when-cross-origin");
  next();
});

Expect-CT

// Raw header
Expect-CT: max-age=7776000, enforce, report-uri="http://domain.com/ct-report"
// PHP
// Require Certificate Transparency for 90 days (7776000 s).
// NOTE(review): Expect-CT is obsolete — browsers now require CT for publicly trusted
// certificates regardless of this header, and Chromium has dropped support for it.
// Harmless to send, but it adds no protection on its own.
header("Expect-CT: max-age=7776000, enforce");
// Apache
Header set Expect-CT "max-age=7776000, enforce"
// nginx
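# Fix: nginx directives must end with `;` — the original line had none and would
# fail `nginx -t`. add_header only applies to 2xx/3xx responses unless `always`
# is appended.
# NOTE(review): Expect-CT is obsolete — browsers now require CT for publicly
# trusted certificates regardless of this header, and Chromium has dropped it.
add_header Expect-CT "max-age=7776000, enforce";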
// Express.js
// Express middleware: require Certificate Transparency for 90 days (7776000 s).
// NOTE(review): Expect-CT is obsolete — browsers now require CT for publicly
// trusted certificates regardless of this header, and Chromium has dropped
// support for it. Harmless to send, but it adds no protection on its own.
app.use((req, res, next) => {
  res.header("Expect-CT", "max-age=7776000, enforce");
  next();
});

 

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
