root@sovietghost:~/tools/http-headers#
23 HTTP security headers — description, example value, and security notes.
Restricts sources of scripts, styles, images, and other resources. Primary defense against XSS.
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; object-src 'none'
ⓘ Use nonces or hashes instead of 'unsafe-inline'; generate a fresh, unguessable nonce for every response. Start with Content-Security-Policy-Report-Only and a report endpoint before enforcing.

Prevents browsers from MIME-sniffing a response away from the declared Content-Type.
X-Content-Type-Options: nosniff
ⓘ Send it on every response, including API and static-file responses, and make sure the declared Content-Type is accurate.

Controls whether the page can be embedded in an iframe. Mitigates clickjacking.
X-Frame-Options: DENY
ⓘ Superseded by CSP frame-ancestors, but still needed for older browsers. Send both; browsers that support frame-ancestors ignore X-Frame-Options when both are present.

Activates the browser's built-in XSS filter (legacy IE and Chrome). Largely obsolete; current Chrome and Edge no longer ship the filter.
X-XSS-Protection: 0
ⓘ Set to 0 to disable it where it still exists: the filter has been abused to leak information and can break pages. Use CSP instead.

Controls how much referrer information is sent with requests.
Referrer-Policy: strict-origin-when-cross-origin
ⓘ Keeps paths and query strings (password-reset tokens, session IDs in URLs) from leaking to third parties. Use no-referrer where even the origin is sensitive.

Controls access to browser features (camera, mic, geolocation, etc.) per origin.
Permissions-Policy: camera=(), microphone=(), geolocation=(self)
ⓘ Successor to Feature-Policy. An empty allowlist () disables the feature for the page and every frame it embeds.

Isolates the browsing context group from cross-origin documents. Required, together with COEP, for SharedArrayBuffer.
Cross-Origin-Opener-Policy: same-origin
ⓘ Severs window.opener between this page and cross-origin popups, which also blocks tab-nabbing and several cross-site leaks.

Requires all subresources to opt in to being loaded cross-origin.
Cross-Origin-Embedder-Policy: require-corp
ⓘ Breaks any cross-origin image, script, or iframe that does not send a CORP header or CORS headers. Audit third-party resources before enabling.

Prevents cross-origin reads of the resource. Defense against Spectre-style attacks.
Cross-Origin-Resource-Policy: same-origin
ⓘ Use same-site where sibling subdomains need the resource and cross-origin for genuinely public assets.

Forces HTTPS connections for the domain and optionally subdomains.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
ⓘ Browsers ignore it when received over plain HTTP, so send it on the HTTPS response. Submitting to Chrome's preload list (hstspreload.org) requires a max-age of at least one year plus includeSubDomains, and is hard to undo: every subdomain must serve valid HTTPS first.

Required Certificate Transparency compliance. Now obsolete: CT is mandatory in major browsers and Chrome no longer honors the header.
Expect-CT: max-age=86400, enforce
ⓘ Remove it from new configurations; it adds nothing.

Specifies which origins can read the response cross-origin.
Access-Control-Allow-Origin: https://app.example.com
ⓘ Never use '*' with credentialed requests. Validate Origin against an exact-match allowlist (no prefix or suffix matching, never a reflected Origin) and send Vary: Origin whenever the value depends on the request.

Lists HTTP methods allowed for CORS requests (sent on the preflight response).
Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Lists request headers allowed in CORS requests (sent on the preflight response).
Access-Control-Allow-Headers: Content-Type, Authorization
ⓘ List what the API actually needs rather than reflecting Access-Control-Request-Headers wholesale.

Whether cookies or HTTP authentication can be included in CORS requests.
Access-Control-Allow-Credentials: true
ⓘ Requires an explicit origin (not '*'). Combined with a reflected or over-broad Allow-Origin it lets any site read authenticated responses as the victim.

How long preflight results can be cached (seconds).
Access-Control-Max-Age: 600
ⓘ Browsers cap the value (Chromium at 7200 seconds, Firefox at 86400), so larger numbers buy nothing.

Directives for caching mechanisms in both requests and responses.
Cache-Control: no-store, max-age=0
ⓘ Use 'no-store' for sensitive pages (login, dashboards, anything per-user) so neither shared caches nor the browser keep a copy; 'private' alone still allows the browser cache. Use 'public, max-age=..., immutable' for versioned assets.

HTTP/1.0 cache control. Use Cache-Control instead.
Pragma: no-cache
ⓘ Only meaningful to HTTP/1.0 caches; harmless alongside Cache-Control, never sufficient on its own.

Clears cookies, storage, and cache for the origin. Useful on logout.
Clear-Site-Data: "cookies", "storage"
ⓘ Directive names must be quoted, and the header is only honored over HTTPS. "cookies" clears cookies for the whole registrable domain, so it also signs the user out of sibling subdomains.

Declares the MIME type and encoding of the response body.
Content-Type: application/json; charset=utf-8
ⓘ Always include charset for text types; a missing charset invites encoding-based XSS. Serve user-uploaded or unknown content with an accurate type (never text/html) together with nosniff.

Applied encoding transformations (gzip, br, etc.).
Content-Encoding: br
ⓘ Do not compress responses that place attacker-influenced input next to secrets such as CSRF tokens in the same body; compression side channels (BREACH) recover them.

Whether content should be displayed inline or downloaded as an attachment.
Content-Disposition: attachment; filename="report.pdf"
ⓘ Use for file downloads so the browser never renders them as HTML. When the filename comes from user input, strip quotes, CR/LF, and path separators, or encode it with filename* (RFC 8187).

Length of the response body in octets.
Content-Length: 3495
ⓘ Must match the actual body. Disagreement between Content-Length and Transfer-Encoding, or between a front-end proxy and the back-end on how to parse them, is the basis of HTTP request smuggling.
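To turn the checklist above into something that can run against a captured response, here is an added example (not code from the original page): a Python function that audits a dict of response headers against the notes in the table, flagging missing headers, weak values, and the CORS and caching mistakes called out above. The two sample header sets, WEAK_HEADERS and HARDENED_HEADERS, are constructed for illustration; the one-year HSTS threshold and the nonce/hash requirement for CSP follow the notes above.

```python
"""Audit a response's security headers against the checklist on this page.

Added example, not code from the original page. WEAK_HEADERS and
HARDENED_HEADERS are constructed sample responses.
"""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def audit_headers(headers: Dict[str, str], sensitive: bool = False) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    sensitive=True marks responses such as login pages or dashboards that
    must never be kept by a shared cache or the browser cache.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # 'unsafe-inline' is ignored by browsers once a nonce or hash is present,
        # so it only matters when neither is there.
        if "'unsafe-inline'" in csp and not re.search(r"'(nonce|sha256|sha384|sha512)-", csp):
            findings.append("CSP allows 'unsafe-inline' without a nonce or hash")
        # object-src falls back to default-src; either must be 'none'.
        if not re.search(r"(object-src|default-src)\s+'none'", csp):
            findings.append("CSP should set object-src 'none'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    xss = h.get("x-xss-protection")
    if xss is not None and not xss.strip().startswith("0"):
        findings.append("X-XSS-Protection enabled; set it to 0 or remove it")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
            findings.append("HSTS preload requires includeSubDomains")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and credentials:
        findings.append("Access-Control-Allow-Origin '*' combined with credentials")
    if acao and acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("per-origin Access-Control-Allow-Origin without Vary: Origin")

    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response lacks Cache-Control: no-store")

    if "expect-ct" in h:
        findings.append("Expect-CT is obsolete; remove it")

    ctype = h.get("content-type", "")
    if ctype.lower().startswith("text/") and "charset=" not in ctype.lower():
        findings.append("Content-Type for a text type lacks charset")

    return findings


# Constructed sample: a typical "almost configured" login page.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=86400; preload",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Expect-CT": "max-age=86400, enforce",
    "Cache-Control": "public, max-age=600",
}

# Constructed sample: the same page with the values recommended in the table.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Cache-Control": "no-store, max-age=0",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {len(audit_headers(hdrs, sensitive=True))} finding(s)")
        for f in audit_headers(hdrs, sensitive=True):
            print("  -", f)
```

The function deliberately works on a plain dict so it can be fed from any HTTP client or a saved response; the sensitive flag exists because Cache-Control: no-store is a requirement for per-user pages but wrong for static assets.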
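The Access-Control-Allow-Origin and Access-Control-Allow-Credentials notes above say to match Origin against an exact allowlist rather than reflect it or match a suffix. As an added example (not code from the original page), the Python below places a suffix-matching check beside an exact-match one and shows which crafted origins each accepts; ALLOWED_ORIGINS and the origins passed in are constructed for illustration.

```python
"""Issue CORS headers from an exact-match origin allowlist, never by reflection.

Added example, not code from the original page. ALLOWED_ORIGINS and the
origins used below are constructed for illustration.
"""
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})

# Any response whose CORS headers depend on the request's Origin must carry
# Vary: Origin, or a shared cache may hand one origin's answer to another.
CORS_BASE = {
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
    "Vary": "Origin",
}


def cors_headers_suffix_insecure(origin: Optional[str]) -> Dict[str, str]:
    """Common mistake: accept any origin whose string ends with the company domain.

    https://attacker-example.com passes this check, and because credentials are
    enabled that site can read authenticated responses as the victim.
    """
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin, **CORS_BASE}
    return {}


def cors_headers(origin: Optional[str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return CORS headers only for an exact, https, fully-qualified Origin."""
    if not origin:
        return {}                        # same-origin request or non-browser client
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return {}                        # "null", http://, or a URL smuggled into Origin
    if origin not in allowed:            # exact set membership, no substring tricks
        return {}
    return {"Access-Control-Allow-Origin": origin, **CORS_BASE}


if __name__ == "__main__":
    probes = ("https://app.example.com", "https://attacker-example.com",
              "https://app.example.com.evil.net", "http://app.example.com", "null")
    for o in probes:
        print(f"{o:40} exact: {'allow' if cors_headers(o) else 'deny':5} "
              f"suffix: {'allow' if cors_headers_suffix_insecure(o) else 'deny'}")
```

The exact-match version never echoes an unknown Origin, so a misconfigured allowlist fails closed rather than open; the scheme check also rejects the http:// variant of an allowed host, which would otherwise let a network attacker read the API with the victim's cookies.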