Skip to content

HTTP Security Response Headers Cheat Sheet


HTTP Headers are a great booster for web security with easy implementation. Proper HTTP response headers can help prevent security vulnerabilities like Cross-Site Scripting, Clickjacking, Information disclosure and more.

In this cheat sheet, we will review all security-related HTTP headers, recommended configurations, and reference other sources for complicated headers.

Security Headers


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.


Do not allow displaying of the page in a frame.

X-Frame-Options: DENY


The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.


Do not set this header or explicitly turn it off.

X-XSS-Protection: 0

Please see Mozilla X-XSS-Protection for details.


The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type ( MIME type). This is known as MIME sniffing in which the browser guesses the correct MIME type by looking at the contents of the resource. The absence of this header might cause browsers to transform non-executable content into executable content.


X-Content-Type-Options: nosniff


The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.


Referrer policy has been supported by browsers since 2014. Today, the default behavior in modern browsers is to no longer send all referrer information (origin, path, and query string) to the same site but to only send the origin to other sites. However, since not all users may be using the latest browsers we suggest forcing this behavior by sending this header on all requests.

Referrer-Policy: strict-origin-when-cross-origin


The Content-Type representation header is used to indicate the original media type of the resource (before any content encoding is applied for sending).


Content-Type: text/html; charset=UTF-8

  • NOTE: the charset attribute is necessary to prevent XSS in HTML pages
  • NOTE: the text/html can be any of the possible MIME types

The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.



The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.


Enable HTTPS-only access for the site and sub domains.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Please checkout HTTP Strict Transport Security Cheat Sheet for more information.


The Expect-CT header lets sites opt-in to reporting of Certificate Transparency (CT) requirements. Given that mainstream clients now require CT qualification, the only remaining value is reporting such occurrences to the nominated report-uri value in the header. The header is now less about enforcement and more about detection/reporting.

Please note Mozilla states that this header will be obsolete in June 2021.


Set Certificate Transparency so user agents report Expect-CT failures.

Expect-CT: max-age=604800, report-uri="https://foo.example/report"


Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.


Content Security Policy is very complex to configure and maintain. For an explanation on customization options, please read Content Security Policy Cheat Sheet


The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.


Prefer using specific origin instead of *. Checkout Access-Control-Allow-Origin for details.



The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.


Isolates the browsing context exclusively to same-origin documents.

HTTP Cross-Origin-Opener-Policy: same-origin


The Cross-Origin-Resource-Policy (CORP) header allows you to control the set of origins that are empowered to include a resource. It is a robust defense against attacks like Spectre, as it allows browsers to block a given response before it enters an attacker's process.


Limit current resource loading to the site and sub-domains only.

Cross-Origin-Resource-Policy: same-site


The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).


A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.

Cross-Origin-Embedder-Policy: require-corp

  • NOTE: you can bypass it by adding the crossorigin attribute like below:
  • <img src="" crossorigin>

FLoC (Federated Learning of Cohorts)

FLoC is a method proposed by Google in 2021 to deliver interest-based advertisements to groups of users ("cohorts"). The Electronic Frontier Foundation, Mozilla, and others believe FLoC does not do enough to protect users' privacy.


A site can declare that it does not want to be included in the user's list of sites for cohort calculation by sending this HTTP header.

Permissions-Policy: interest-cohort=()


The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.


Remove this header or set non-informative values.

Server: webserver


The X-Powered-By header describes the technologies used by the webserver. This information exposes the server to attackers. Using the information in this header, attackers can find vulnerabilities easier.


Remove all X-Powered-By headers.


Provides information about the .NET version.


Disable sending this header. Add the following line in your web.config in the <system.web> section to remove it.

<httpRuntime enableVersionHeader="false" />


Provides information about the .NET version.


Disable sending this header. To remove the X-AspNetMvc-Version header, add the below line in Global.asax file.

MvcHandler.DisableMvcResponseHeader = true;


The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.


The default behavior of browsers is to perform DNS caching which is good for most websites. If you do not control links on your website, you might want to set off as a value to disable DNS prefetch to avoid leaking information to those domains.

Public-Key-Pins ❌

The HTTP Public-Key-Pins response header is used to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.


This header is deprecated. Use Expect-CT instead.

Adding HTTP Headers in Different Technologies


The sample code below sets the X-Frame-Options header in PHP.

header("X-Frame-Options: DENY");


Below is an .htaccess sample configuration which sets the X-Frame-Options header in Apache.

<IfModule mod_headers.c>
Header set X-Frame-Options "DENY"


Add configurations below to your Web.config in ISS to send the X-Frame-Options header.

     <add name="X-Frame-Options" value="DENY" />


Add the line below to your font-end, listen, or backend configurations to send the X-Frame-Options header.

http-response set-header X-Frame-Options DENY


Below is a sample configuration, it sets the X-Frame-Options header in Nginx.

add_header "X-Frame-Options" "DENY";


You can use helmet to setup HTTP headers in Express. The code below is sample for adding the X-Frame-Options header.

const helmet = require('helmet');
const app = express();
// Sets "X-Frame-Options: SAMEORIGIN"
   action: "sameorigin",

Testing Proper Implementation of Security Headers

Mozilla Observatory

The Mozilla Observatory is an online tool that you can check your website's header status.


SmartScanner has a dedicated test profile for testing security of HTTP headers. Online tools usually test the homepage of the given address. But SmartScanner scans the whole website. So, you can make sure all of your web pages have the right HTTP Headers in place.