Complete guide to HTTP Headers for securing websites (Cheat Sheet)

HTTP Headers are a great booster for web security with easy implementation. Proper HTTP headers can prevent security vulnerabilities like Cross-Site Scripting, Click-jacking, Packet sniffing and, information disclosure.

In this article, we’ll take a quick look at all security-related HTTP headers and the recommended configurations. Below are the main sections of this document.

The source for this document is available on GitHub. Your contributions are most welcome to complete it and keep it updated 👐

Security Headers


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.


Do not allow displaying of the page in a frame.

X-Frame-Options: DENY


The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.


Do not set this header or explicitly turn it off.

X-XSS-Protection: 0

Please read X-XSS_Protection should be disabled for details.


The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type ( MIME type). This is known as MIME sniffing in which the browser guesses the correct MIME type by looking at the contents of the resource. The absence of this header might cause browsers to transform non-executable content into executable content.


X-Content-Type-Options: nosniff


The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.


Send everything to the same site but only the origin for other sites.

Referrer-Policy: strict-origin-when-cross-origin

  • NOTE: This is the default in modern browsers


The Content-Type representation header is used to indicate the original media type of the resource (before any content encoding is applied for sending).


Content-Type: text/html; charset=UTF-8

  • NOTE: the charset attribute is necessary to prevent XSS in HTML pages
  • NOTE: the text/html can be any of the possible MIME types

The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.


Set-Cookie: name=value; Secure; HttpOnly; SameSite=Strict

  • NOTE: The Domain attribute has been removed intentionally


The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.


Enable HTTPS-only access for the site and sub domains.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload


The Expect-CT header lets sites opt-in to reporting of Certificate Transparency (CT) requirements. Given that mainstream clients now require CT qualification, the only remaining value is reporting such occurrences to the nominated report-uri value in the header. The header is now less about enforcement and more about detection/reporting.


Set Certificate Transparency so user agents report Expect-CT failures.

Expect-CT: max-age=604800, report-uri="https://foo.example/report"


Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.


Restrict most of the resource types to the same site and subdomains of

Content-Security-Policy: default-src 'self' *; block-all-mixed-content; font-src 'self' https: data:; img-src 'self' data: blob:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests;

  • WARNING: Inline script elements and inline script event handlers like onload will stop working with the above header. But this is required to neutralize XSS attacks.


The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.


Use * or specific domain names.

Access-Control-Allow-Origin: *


The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.


Isolates the browsing context exclusively to same-origin documents.

HTTP Cross-Origin-Opener-Policy: same-origin


The Cross-Origin-Resource-Policy (CORP) header allows you to control the set of origins that are empowered to include a resource. It is a robust defense against attacks like Spectre, as it allows browsers to block a given response before it enters an attacker’s process.


Limit current resource loading to the site and sub-domains only.

Cross-Origin-Resource-Policy: same-site


The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).


A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.

Cross-Origin-Embedder-Policy: require-corp

  • NOTE: you can bypass it by adding the crossorigin attribute like below:
  • <img src="" crossorigin>


The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.


Remove this header or set non-informative values.

Server: webserver


The X-Powered-By header describes the technologies used by the webserver. This information exposes the server to attackers. Using the information in this header, attackers can find vulnerabilities easier.


Remove all X-Powered-By headers.


Provides information about the .NET version.


Disable sending this header. Review the ASP.NET Version Disclosure issue for details.


Provides information about the .NET version.


Disable sending this header. Review the ASP.NET Version Disclosure issue for details.


The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.


The default behavior of browsers is to perform DNS caching which is good for most websites. If you do not control links on your website, you might want to set off as a value to disable DNS prefetch to avoid leaking information to those domains.

Public-Key-Pins ❌

The HTTP Public-Key-Pins response header is used to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.


This header is deprecated. Use Expect-CT instead.

Adding Http Headers in Different Technologies


Below sample code sets the X-XSS-Protection header in PHP.

header("X-XSS-Protection: 1; mode=block");


Below .htaccess sample configuration sets the X-XSS-Protection header in Apache.

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"


Add below configurations to your Web.config in ISS to send the X-XSS-Protection header

     <add name="X-XSS-Protection" value="1; mode=block" />


Add the below line to your font-end, listen, or backend configurations to send the X-XSS-Protection header

http-response set-header X-XSS-Protection 1; mode=block


Below sample configuration, sets the X-XSS-Protection header in Nginx.

add_header "X-XSS-Protection" "1; mode=block";


You can use helmet to setup HTTP headers in Express. Below code is sample for adding the X-Frame-Options header.

const helmet = require('helmet');
const app = express();
// Sets "X-Frame-Options: SAMEORIGIN"
   action: "sameorigin",

Testing Proper Implementation of Security Headers

Mozilla Observatory

The Mozilla Observatory is an online tool that you can check your website’s header status.


SmartScanner has a dedicated test profile for testing security of HTTP headers. Online tools usually test the homepage of the given address. But SmartScanner scans the whole website. So, you can make sure all of your web pages have the right HTTP Headers in place.

Testing HTTP Security Headers using SmartScanner


Scan security of your website with SmartScanner for free