Essential HTTP Security Headers Every Web Developer Should Use
This guide explains the most important HTTP response security headers—such as X‑Frame‑Options, X‑Content‑Type‑Options, X‑XSS‑Protection, Content‑Security‑Policy, Strict‑Transport‑Security, and CORS headers—detailing their purpose, possible values, and how to configure them in Apache to harden web applications.
1. X-Frame-Options
Controls whether a page can be displayed in a frame or iframe, preventing clickjacking attacks. X-Frame-Options: SAMEORIGIN Values:
DENY – disallow framing entirely.
SAMEORIGIN – allow framing only from the same origin.
ALLOW-FROM origin_uri – allow framing from a specific origin.
2. X-Content-Type-Options
When the MIME type of a script or stylesheet does not match the declared type, the resource is blocked, helping prevent XSS attacks.
X-Content-Type-Options: nosniff3. X-XSS-Protection
Enables the browser's built‑in XSS filter to block reflected XSS attacks. X-XSS-Protection: 1; mode=block Values:
0 – disable the filter.
1 – enable the filter.
4. Content-Security-Policy
Restricts which external resources can be loaded, mitigating XSS and data‑injection attacks. The older header name was X-Content-Security-Policy. Content-Security-Policy: default-src 'self' Examples:
default-src 'self' – allow resources only from the same origin.
default-src 'self' *.example.com – also allow any sub‑domains of example.com.
5. X-Permitted-Cross-Domain-Policies
Specifies the policy for serving a crossdomain.xml file used by Flash when the file cannot be placed at the site root. X-Permitted-Cross-Domain-Policies: master-only "master-only" permits only the primary policy file (/crossdomain.xml).
6. Strict-Transport-Security (STS)
Informs browsers to access the site only via HTTPS, effectively redirecting HTTP requests to HTTPS.
Strict-Transport-Security: max-age=31536; includeSubDomainsParameters:
max-age – duration (in seconds) the rule is cached.
includeSubDomains – apply the rule to all sub‑domains.
7. Access-Control-Allow-Origin (CORS headers)
Used when making cross‑origin XMLHttpRequests; defines which origins are permitted.
Access-Control-Allow-Origin: http://www.example.comAccess-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Headers: X-TRICORDERAccess-Control-Max-Age: 1728The above configuration allows cross‑origin requests to http://www.example.com using POST, GET, and OPTIONS methods, with a custom request header X-TRICORDER and a cache duration of 1,728 seconds.
8. Setting HTTP Response Headers in Apache
Enable the headers module in httpd.conf:
LoadModule headers_module modules/mod_headers.soThen add header directives, for example:
Header set X-XSS-Protection "1; mode=block"Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.