Contributors:
HTTP Header Settings
Fine-tune your website’s configuration around security, performance and usability (eg; caching and content policies) with custom control over a select range of HTTP Headers.
Supported HTTP Headers
The currently supported HTTP Headers are focused around security and performance settings and are described below.
To configure a header, check the ‘Enabled’ checkbox against the desired HTTP Header and expand the header to reveal its options.
Ensure you save any changes to the header settings, or enabled status, by clicking the ’Save’ button at the bottom of the page.
Review your HTTP Header configuration with this online reporting tool: securityheaders.com.
- origin <text>
*(default)
Specifies which domains can access resources on the server, enabling cross-origin requests (CORS).
- child-src <text>
- connect-src <text>
- default-src <text>
- font-src <text>
- frame-src <text>
- img-src <text>
- manifest-src <text>
- media-src <text>
- object-src <text>
- prefetch-src <text>
- script-src <text>
- script-src-elem <text>
- script-src-attr <text>
- style-src <text>
- style-src-elem <text>
- style-src-attr <text>
- worker-src <text>
- base-uri <text>
- sandbox <text>
- form-action <text>
- frame-ancestors <text>
- navigate-to <text>
- report-uri <text>
- report-to <text>
- require-sri-for <text>
- require-trusted-types-for <text>
- trusted-types <text>
- upgrade-insecure-requests <text>
Defines security policies for content, mitigating risks of cross-site scripting (XSS) and other attacks.
- age <integer>
Indicates the time in seconds since the response was fetched from the origin server or cache.
- max-age <integer>
- s-maxage <integer>
- stale-while-revalidate <integer>
- stale-if-error <integer>
- no-cache <checkbox>
- must-revalidate <checkbox>
- proxy-revalidate <checkbox>
- no-store <checkbox>
- private <checkbox>
- public <checkbox>
- must-understand <checkbox>
- no-transform <checkbox>
- immutable <checkbox>
Instructs caching behavior for page responses, including directives like no-cache or max-age.
- seconds <integer>
Specifies the expiration date and time for file responses, after which they are considered stale.
- age <integer>
Indicates the time in seconds since the response was fetched from the origin server or cache.
- max-age <integer>
- s-maxage <integer>
- stale-while-revalidate <integer>
- stale-if-error <integer>
- no-cache <checkbox>
- must-revalidate <checkbox>
- proxy-revalidate <checkbox>
- no-store <checkbox>
- private <checkbox>
- public <checkbox>
- must-understand <checkbox>
- no-transform <checkbox>
- immutable <checkbox>
Instructs caching behavior for page responses, including directives like no-cache or max-age.
- seconds <integer>
Specifies the expiration date and time for file responses, after which they are considered stale.
- accelerometer <text>
- ambient-light-sensor <text>
- autoplay <text>
- battery <text>
- camera <text>
- display-capture <text>
- document-domain <text>
- encrypted-media <text>
- execution-while-not-rendered <text>
- execution-while-out-of-viewport <text>
- fullscreen <text>
- gamepad <text>
- geolocation <text>
- gyroscope <text>
- layout-animations <text>
- legacy-image-formats <text>
- magnetometer <text>
- microphone <text>
- midi <text>
- navigation-override <text>
- oversized-images <text>
- payment <text>
- picture-in-picture <text>
- publickey-credentials-get <text>
- speaker-selection <text>
- sync-xhr <text>
- unoptimized-images <text>
- unsized-media <text>
- usb <text>
- screen-wake-lock <text>
- web-share <text>
- xr-spatial-tracking <text>
Controls permissions for APIs and browser features, such as geolocation or camera access.
- no-referrer <checkbox>
- no-referrer-when-downgrade <checkbox>
- origin <checkbox>
- origin-when-cross-origin <checkbox>
- same-origin <checkbox>
- strict-origin <checkbox>
- strict-origin-when-cross-origin <checkbox>
- unsafe-url <checkbox>
Governs how much referrer information is included with requests to other sites.
- max-age <integer>
63072000(default)
- preload <checkbox>
false(default)
- includeSubDomains <checkbox>
false(default)
Enforces secure connections to the server by specifying a period during which browsers should only access the server using HTTPS.
- nosniff <checkbox>
false(default)
Prevents browsers from interpreting files as a different MIME type than what is specified.
- value <dropdown>
`empty`(default)DENYSAMEORIGIN
Protects against clickjacking by controlling whether a page can be displayed in a frame.
This header has been deprecated from browser specifications and is superseded by the frame-ancestors directive in a Content-Security-Policy header.
General Use Example
Access-Control-Allow-Origin: https://yourwebsite.com
Content-Security-Policy: default-src 'self'; img-src 'self' https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none'
Cache-Control: no-store, must-revalidate
Expires: 0
Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=()
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
These settings are a suggestion only, based on a simple 'brochure-style' website with a focus on security. Any HTTP Header configurations can effect your websites performance, security and general functionality. Please research and understand any changes you make to each header so you are aware of the impact that they may have for your use case.
Check the External Resources section for some helpful places to get started.
Explanation:
Access-Control-Allow-Origin: Allows resources to be accessed only from your domain.
Content-Security-Policy: Restricts content sources, disallows unsafe-inline (if not needed), and provides a robust policy to mitigate XSS, data injection attacks and prevents the page from being displayed in a frame, protecting against clickjacking attacks.
Cache-Control: Prevents storing responses, ensuring users always receive the latest version.
Expires: Indicates that the content is immediately considered stale.
Permissions-Policy: Disables access to various potentially sensitive features like geolocation, camera, microphone, and payment.
Referrer-Policy: Sends the origin, path, and query string only when the request is made from the same site.
Strict-Transport-Security: Enforces secure connections for one year, including subdomains, and suggests preload listing.
X-Content-Type-Options: Prevents MIME type sniffing, ensuring content types are correctly interpreted.
Logic
For ANY URL request, to any page or file (that is NOT related to the admin files and requests):
- add configured headers to the response
- if header is enabled AND there is at least one not empty value
- add header with the selected options
checkboxoptions:
if true; add option to the header, else; ignore this optiontextoptions:
if NOT empty string; add option with the value to the header, else; ignore this optiondropdownoptions:
if NOT empty option selected; add option with the selected value to the header, else; ignore this option
- add header with the selected options
- if header is enabled AND there is at least one not empty value