HTTP Header Settings

Fine-tune your website’s configuration around security, performance and usability (e.g. caching and content policies) with custom control over a select range of HTTP Headers.

Supported HTTP Headers

The currently supported HTTP Headers are focused around security and performance settings and are described below.

To configure a header, check the ‘Enabled’ checkbox against the desired HTTP Header and expand the header to reveal its options.

Ensure you save any changes to the header settings, or enabled status, by clicking the ‘Save’ button at the bottom of the page.

Review your HTTP Header configuration with this online reporting tool: securityheaders.com.

Each entry below lists the Setting (header name), its Options with their input type and any default, and a Description with a link to the specification (mdn web docs).
Access-Control-Allow-Origin
  • origin <text>
    • * (default)

Specifies which domains can access resources on the server, enabling cross-origin requests (CORS).

mdn web docs

Content-Security-Policy
  • child-src <text>
  • connect-src <text>
  • default-src <text>
  • font-src <text>
  • frame-src <text>
  • img-src <text>
  • manifest-src <text>
  • media-src <text>
  • object-src <text>
  • prefetch-src <text>
  • script-src <text>
  • script-src-elem <text>
  • script-src-attr <text>
  • style-src <text>
  • style-src-elem <text>
  • style-src-attr <text>
  • worker-src <text>
  • base-uri <text>
  • sandbox <text>
  • form-action <text>
  • frame-ancestors <text>
  • navigate-to <text>
  • report-uri <text>
  • report-to <text>
  • require-sri-for <text>
  • require-trusted-types-for <text>
  • trusted-types <text>
  • upgrade-insecure-requests <text>

Defines security policies for content, mitigating risks of cross-site scripting (XSS) and other attacks.

mdn web docs

(For file requests) Age
  • age <integer>

Indicates the time in seconds since the response was fetched from the origin server or cache.

mdn web docs

(For file requests) Cache-Control
  • max-age <integer>
  • s-maxage <integer>
  • stale-while-revalidate <integer>
  • stale-if-error <integer>

  • no-cache <checkbox>
  • must-revalidate <checkbox>
  • proxy-revalidate <checkbox>
  • no-store <checkbox>
  • private <checkbox>
  • public <checkbox>
  • must-understand <checkbox>
  • no-transform <checkbox>
  • immutable <checkbox>

Instructs caching behavior for file responses, including directives like no-cache or max-age.

mdn web docs

(For file requests) Expires
  • seconds <integer>

Specifies the expiration date and time for file responses, after which they are considered stale.

mdn web docs

(For page requests) Age
  • age <integer>

Indicates the time in seconds since the response was fetched from the origin server or cache.

mdn web docs

(For page requests) Cache-Control
  • max-age <integer>
  • s-maxage <integer>
  • stale-while-revalidate <integer>
  • stale-if-error <integer>

  • no-cache <checkbox>
  • must-revalidate <checkbox>
  • proxy-revalidate <checkbox>
  • no-store <checkbox>
  • private <checkbox>
  • public <checkbox>
  • must-understand <checkbox>
  • no-transform <checkbox>
  • immutable <checkbox>

Instructs caching behavior for page responses, including directives like no-cache or max-age.

mdn web docs

(For page requests) Expires
  • seconds <integer>

Specifies the expiration date and time for page responses, after which they are considered stale.

mdn web docs

Permissions-Policy
  • accelerometer <text>
  • ambient-light-sensor <text>
  • autoplay <text>
  • battery <text>
  • camera <text>
  • display-capture <text>
  • document-domain <text>
  • encrypted-media <text>
  • execution-while-not-rendered <text>
  • execution-while-out-of-viewport <text>
  • fullscreen <text>
  • gamepad <text>
  • geolocation <text>
  • gyroscope <text>
  • layout-animations <text>
  • legacy-image-formats <text>
  • magnetometer <text>
  • microphone <text>
  • midi <text>
  • navigation-override <text>
  • oversized-images <text>
  • payment <text>
  • picture-in-picture <text>
  • publickey-credentials-get <text>
  • speaker-selection <text>
  • sync-xhr <text>
  • unoptimized-images <text>
  • unsized-media <text>
  • usb <text>
  • screen-wake-lock <text>
  • web-share <text>
  • xr-spatial-tracking <text>

Controls permissions for APIs and browser features, such as geolocation or camera access.

mdn web docs

Referrer-Policy
  • no-referrer <checkbox>
  • no-referrer-when-downgrade <checkbox>
  • origin <checkbox>
  • origin-when-cross-origin <checkbox>
  • same-origin <checkbox>
  • strict-origin <checkbox>
  • strict-origin-when-cross-origin <checkbox>
  • unsafe-url <checkbox>

Governs how much referrer information is included with requests to other sites.

mdn web docs

Strict-Transport-Security
  • max-age <integer>
    • 63072000 (default)
  • preload <checkbox>
    • false (default)
  • includeSubDomains <checkbox>
    • false (default)

Enforces secure connections to the server by specifying a period during which browsers should only access the server using HTTPS.

mdn web docs

X-Content-Type-Options
  • nosniff <checkbox>
    • false (default)

Prevents browsers from interpreting files as a different MIME type than what is specified.

mdn web docs

X-Frame-Options
  • value <dropdown>
    • `empty` (default)
    • DENY
    • SAMEORIGIN

Protects against clickjacking by controlling whether a page can be displayed in a frame.

This header has been deprecated from browser specifications and is superseded by the frame-ancestors directive in a Content-Security-Policy header.

mdn web docs

General Use Example

Access-Control-Allow-Origin: https://yourwebsite.com
Content-Security-Policy: default-src 'self'; img-src 'self' https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none'
Cache-Control: no-store, must-revalidate
Expires: 0
Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=()
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff

These settings are a suggestion only, based on a simple 'brochure-style' website with a focus on security. Any HTTP Header configuration can affect your website's performance, security and general functionality. Please research and understand any change you make to each header so you are aware of the impact it may have for your use case.
Check the External Resources section for some helpful places to get started.

Explanation:

Access-Control-Allow-Origin: Allows resources to be accessed only from your domain.

Content-Security-Policy: Restricts the sources content may be loaded from (drop 'unsafe-inline' from script-src and style-src if your site does not need it) to mitigate XSS and data injection attacks, and frame-ancestors 'none' prevents the page from being displayed in a frame, protecting against clickjacking attacks.

Cache-Control: Prevents storing responses, ensuring users always receive the latest version.

Expires: Indicates that the content is immediately considered stale.

Permissions-Policy: Disables access to various potentially sensitive features like geolocation, camera, microphone, and payment.

Referrer-Policy: Sends the full URL (origin, path and query string) only for same-origin requests; cross-origin requests receive the origin alone.

Strict-Transport-Security: Enforces secure connections for one year, including subdomains, and suggests preload listing.

X-Content-Type-Options: Prevents MIME type sniffing, ensuring content types are correctly interpreted.
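The points in the explanation above can be turned into an automated review of a response's headers, in the spirit of the securityheaders.com check mentioned earlier. The following Python is an added example, not WebinOne code: it takes a plain dict of response headers (here filled from the General Use Example on this page, labelled as constructed input) and returns findings for the weak settings the explanation warns about, such as 'unsafe-inline' in script-src, a short HSTS max-age, a missing nosniff, no clickjacking protection, or a wildcard Access-Control-Allow-Origin. The thresholds and finding texts are my own choices.

```python
"""Review HTTP response headers against the recommendations on this page.
Added example, not part of WebinOne; header dict below is constructed input."""
import re

# Constructed input: the General Use Example from this page as a header dict.
# A real check would read these from an HTTP response.
EXAMPLE_HEADERS = {
    "Access-Control-Allow-Origin": "https://yourwebsite.com",
    "Content-Security-Policy": (
        "default-src 'self'; img-src 'self' https:; "
        "script-src 'self' 'unsafe-inline' https:; "
        "style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; "
        "connect-src 'self' https:; frame-ancestors 'none'"
    ),
    "Cache-Control": "no-store, must-revalidate",
    "Expires": "0",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=(), payment=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}

ONE_YEAR = 31536000  # seconds; the max-age the page's example uses for HSTS


def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def review_headers(headers):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    # Header names are case-insensitive, so normalise the keys first.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    hsts = h.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("Strict-Transport-Security is missing or has no max-age")
    else:
        if int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security does not cover subdomains")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy is missing")
    else:
        # script-src falls back to default-src when it is not set explicitly.
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("Content-Security-Policy: script-src allows 'unsafe-inline'")
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            findings.append("No clickjacking protection: set frame-ancestors (or X-Frame-Options)")

    referrer = h.get("referrer-policy", "").strip().lower()
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy is missing or sends full URLs cross-origin")

    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read responses")

    return findings


if __name__ == "__main__":
    for finding in review_headers(EXAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Run against the page's own example this reports exactly one finding, the 'unsafe-inline' in script-src, which is the "(if not needed)" caveat from the explanation; removing that token from the policy clears the list.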

Logic

For ANY URL request, to any page or file (that is NOT related to the admin files and requests):

  • add configured headers to the response
    • if the header is enabled AND at least one of its options has a non-empty value
      • add the header with the selected options
        • checkbox options:
          if true, add the option to the header; otherwise ignore this option
        • text options:
          if NOT an empty string, add the option with its value to the header; otherwise ignore this option
        • dropdown options:
          if a NON-empty option is selected, add the option with the selected value to the header; otherwise ignore this option
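The Logic steps above, carried through in Python as an added example (this is not WebinOne's implementation, and the configuration model, option kinds, per-header separators and the rendering of the Expires seconds value as an HTTP-date are my assumptions). The constructed configuration mirrors the General Use Example on this page and includes a disabled header, an empty text option, an unticked checkbox and an empty dropdown so that each "ignore" rule and the "at least one non-empty value" rule is exercised.

```python
"""Assemble response headers from an 'enabled + options' configuration
following the Logic section of this page. Added example, not WebinOne code."""
import time
from email.utils import formatdate

# Assumed rendering rules per header: (separator between options, how a
# name/value pair is written). "space" -> "name value", "equals" -> "name=value",
# "bare" -> the value alone. Headers not listed fall back to ", " and "equals".
HEADER_STYLES = {
    "Content-Security-Policy": ("; ", "space"),
    "Cache-Control": (", ", "equals"),
    "Permissions-Policy": (", ", "equals"),
    "Strict-Transport-Security": ("; ", "equals"),
    "Referrer-Policy": (", ", "bare"),
    "X-Content-Type-Options": (", ", "bare"),
    "X-Frame-Options": (", ", "bare"),
    "Access-Control-Allow-Origin": (", ", "bare"),
}

# Constructed configuration (assumed model): header -> enabled flag + list of
# (option name, option kind, value) as entered in the settings page.
EXAMPLE_CONFIG = {
    "Access-Control-Allow-Origin": {"enabled": True, "options": [("origin", "text", "https://yourwebsite.com")]},
    "Content-Security-Policy": {"enabled": True, "options": [
        ("default-src", "text", "'self'"),
        ("img-src", "text", "'self' https:"),
        ("script-src", "text", "'self' https:"),
        ("object-src", "text", ""),            # empty text -> ignored
        ("frame-ancestors", "text", "'none'"),
    ]},
    "Cache-Control": {"enabled": True, "options": [
        ("max-age", "integer", ""),            # empty -> ignored
        ("no-store", "checkbox", True),
        ("must-revalidate", "checkbox", True),
        ("public", "checkbox", False),         # false -> ignored
    ]},
    "Permissions-Policy": {"enabled": True, "options": [
        ("geolocation", "text", "()"), ("camera", "text", "()"), ("usb", "text", "")]},
    "Referrer-Policy": {"enabled": True, "options": [
        ("strict-origin-when-cross-origin", "checkbox", True), ("unsafe-url", "checkbox", False)]},
    "Strict-Transport-Security": {"enabled": True, "options": [
        ("max-age", "integer", 31536000), ("includeSubDomains", "checkbox", True), ("preload", "checkbox", False)]},
    "X-Content-Type-Options": {"enabled": True, "options": [("nosniff", "checkbox", True)]},
    "X-Frame-Options": {"enabled": True, "options": [("value", "dropdown", "")]},   # enabled but empty -> omitted
    "Expires": {"enabled": True, "options": [("seconds", "integer", 0)]},
    "Age": {"enabled": False, "options": [("age", "integer", 5)]},                 # disabled -> omitted
}


def render_option(name, kind, value, pair_style):
    """Apply the per-kind rule for one option; return None when it is ignored."""
    if kind == "checkbox":
        return name if value else None
    if kind in ("text", "integer", "dropdown"):
        text = "" if value is None else str(value).strip()
        if text == "":
            return None
        if kind == "dropdown" or pair_style == "bare":
            return text
        return f"{name} {text}" if pair_style == "space" else f"{name}={text}"
    raise ValueError(f"unknown option kind {kind!r}")


def build_headers(config, is_admin_request=False, now=None):
    """Return {header: value} for one response; admin requests get no headers."""
    if is_admin_request:
        return {}
    out = {}
    for header, cfg in config.items():
        if not cfg.get("enabled"):
            continue
        if header == "Expires":
            # Assumption: the 'seconds' option is turned into an HTTP-date from now.
            seconds = next((v for n, _, v in cfg["options"] if n == "seconds" and v not in (None, "")), None)
            if seconds is not None:
                base = time.time() if now is None else now
                out[header] = formatdate(base + int(seconds), usegmt=True)
            continue
        sep, pair_style = HEADER_STYLES.get(header, (", ", "equals"))
        parts = [p for p in (render_option(n, k, v, pair_style) for n, k, v in cfg["options"]) if p is not None]
        if not parts:
            continue  # enabled, but no non-empty value -> header not added
        out[header] = sep.join(parts)
    return out


if __name__ == "__main__":
    for name, value in build_headers(EXAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```

The `now` parameter exists only so the Expires value is reproducible; in a real handler it would be left at its default. Note that an enabled X-Frame-Options with its dropdown left at `empty` produces no header at all, which matches the Logic rule rather than emitting an empty header line.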


External Resources


Please let us know if you have any other contributions or know of any helpful resources you'd like to see added here.
