Change Log

  • 24-Jan-2025 | v6.11.3 | Updated `X-Frame-Options` header with a note about it being deprecated.
  • 22-Jan-2025 | v6.11.3 | All new article

Contributors:

Adam Wilson - Logo Pogo
Rusty Hatch - Pearsite

HTTP Header Settings

Fine-tune your website’s configuration for security, performance and usability (e.g. caching and content policies) with custom control over a select range of HTTP Headers.

Supported HTTP Headers

The currently supported HTTP Headers are focused on security and performance settings and are described below.

To configure a header, check the ‘Enabled’ checkbox against the desired HTTP Header and expand the header to reveal its options.

Ensure you save any changes to the header settings, or enabled status, by clicking the ’Save’ button at the bottom of the page.

Review your HTTP Header configuration with this online reporting tool: securityheaders.com.

Setting | Options | Description / Specs
Access-Control-Allow-Origin
  • origin <text>
    • * (default)

Specifies which domains can access resources on the server, enabling cross-origin requests (CORS).

mdn web docs

Content-Security-Policy
  • child-src <text>
  • connect-src <text>
  • default-src <text>
  • font-src <text>
  • frame-src <text>
  • img-src <text>
  • manifest-src <text>
  • media-src <text>
  • object-src <text>
  • prefetch-src <text>
  • script-src <text>
  • script-src-elem <text>
  • script-src-attr <text>
  • style-src <text>
  • style-src-elem <text>
  • style-src-attr <text>
  • worker-src <text>
  • base-uri <text>
  • sandbox <text>
  • form-action <text>
  • frame-ancestors <text>
  • navigate-to <text>
  • report-uri <text>
  • report-to <text>
  • require-sri-for <text>
  • require-trusted-types-for <text>
  • trusted-types <text>
  • upgrade-insecure-requests <text>

Defines security policies for content, mitigating risks of cross-site scripting (XSS) and other attacks.

mdn web docs

(For file requests) Age
  • age <integer>

Indicates the time in seconds since the response was fetched from the origin server or cache.

mdn web docs

(For file requests) Cache-Control
  • max-age <integer>
  • s-maxage <integer>
  • stale-while-revalidate <integer>
  • stale-if-error <integer>

  • no-cache <checkbox>
  • must-revalidate <checkbox>
  • proxy-revalidate <checkbox>
  • no-store <checkbox>
  • private <checkbox>
  • public <checkbox>
  • must-understand <checkbox>
  • no-transform <checkbox>
  • immutable <checkbox>

Instructs caching behavior for file responses, including directives like no-cache or max-age.

mdn web docs

(For file requests) Expires
  • seconds <integer>

Specifies the expiration date and time for file responses, after which they are considered stale.

mdn web docs

(For page requests) Age
  • age <integer>

Indicates the time in seconds since the response was fetched from the origin server or cache.

mdn web docs

(For page requests) Cache-Control
  • max-age <integer>
  • s-maxage <integer>
  • stale-while-revalidate <integer>
  • stale-if-error <integer>

  • no-cache <checkbox>
  • must-revalidate <checkbox>
  • proxy-revalidate <checkbox>
  • no-store <checkbox>
  • private <checkbox>
  • public <checkbox>
  • must-understand <checkbox>
  • no-transform <checkbox>
  • immutable <checkbox>

Instructs caching behavior for page responses, including directives like no-cache or max-age.

mdn web docs

(For page requests) Expires
  • seconds <integer>

Specifies the expiration date and time for page responses, after which they are considered stale.

mdn web docs

Permissions-Policy
  • accelerometer <text>
  • ambient-light-sensor <text>
  • autoplay <text>
  • battery <text>
  • camera <text>
  • display-capture <text>
  • document-domain <text>
  • encrypted-media <text>
  • execution-while-not-rendered <text>
  • execution-while-out-of-viewport <text>
  • fullscreen <text>
  • gamepad <text>
  • geolocation <text>
  • gyroscope <text>
  • layout-animations <text>
  • legacy-image-formats <text>
  • magnetometer <text>
  • microphone <text>
  • midi <text>
  • navigation-override <text>
  • oversized-images <text>
  • payment <text>
  • picture-in-picture <text>
  • publickey-credentials-get <text>
  • speaker-selection <text>
  • sync-xhr <text>
  • unoptimized-images <text>
  • unsized-media <text>
  • usb <text>
  • screen-wake-lock <text>
  • web-share <text>
  • xr-spatial-tracking <text>

Controls permissions for APIs and browser features, such as geolocation or camera access.

mdn web docs

Referrer-Policy
  • no-referrer <checkbox>
  • no-referrer-when-downgrade <checkbox>
  • origin <checkbox>
  • origin-when-cross-origin <checkbox>
  • same-origin <checkbox>
  • strict-origin <checkbox>
  • strict-origin-when-cross-origin <checkbox>
  • unsafe-url <checkbox>

Governs how much referrer information is included with requests to other sites.

mdn web docs

Strict-Transport-Security
  • max-age <integer>
    • 63072000 (default)
  • preload <checkbox>
    • false (default)
  • includeSubDomains <checkbox>
    • false (default)

Enforces secure connections to the server by specifying a period during which browsers should only access the server using HTTPS.

mdn web docs

X-Content-Type-Options
  • nosniff <checkbox>
    • false (default)

Prevents browsers from interpreting files as a different MIME type than what is specified.

mdn web docs

X-Frame-Options
  • value <dropdown>
    • `empty` (default)
    • DENY
    • SAMEORIGIN

Protects against clickjacking by controlling whether a page can be displayed in a frame.

This header has been deprecated from browser specifications and is superseded by the frame-ancestors directive in a Content-Security-Policy header.

mdn web docs

General Use Example

Access-Control-Allow-Origin: https://yourwebsite.com
Content-Security-Policy: default-src 'self'; img-src 'self' https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none'
Cache-Control: no-store, must-revalidate
Expires: 0
Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=()
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff

These settings are a suggestion only, based on a simple 'brochure-style' website with a focus on security. Any HTTP Header configuration can affect your website's performance, security and general functionality. Please research and understand any change you make to each header so you are aware of the impact it may have for your use case.
Check the External Resources section for some helpful places to get started.

Explanation:

Access-Control-Allow-Origin: Allows resources to be accessed only from your domain.

Content-Security-Policy: Restricts content sources (remove 'unsafe-inline' from script-src and style-src if your site does not need it), provides a robust policy to mitigate XSS and data injection attacks, and prevents the page from being displayed in a frame, protecting against clickjacking attacks.

Cache-Control: Prevents storing responses, ensuring users always receive the latest version.

Expires: Indicates that the content is immediately considered stale.

Permissions-Policy: Disables access to various potentially sensitive features like geolocation, camera, microphone, and payment.

Referrer-Policy: Sends the origin, path, and query string only for same-origin requests; cross-origin HTTPS requests receive only the origin.

Strict-Transport-Security: Enforces secure connections for one year, including subdomains, and suggests preload listing.

X-Content-Type-Options: Prevents MIME type sniffing, ensuring content types are correctly interpreted.
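A small audit of a captured response against the General Use Example above, as an added example that is not part of the original page; the check list is this example's own reading of that configuration, and the sample headers are constructed inline.

```python
# Added example, not the product's own code. The checks below are an assumption
# modelled on the General Use Example, not a published standard.
def parse_csp(value):
    """Split a CSP header into {directive: [source list]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from an HSTS header."""
    max_age, subs, preload = 0, False, False
    for directive in (d.strip().lower() for d in value.split(";")):
        if directive.startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive == "includesubdomains":
            subs = True
        elif directive == "preload":
            preload = True
    return max_age, subs, preload

def audit(headers):
    """Return findings (an empty list when the response matches the example)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    else:
        csp = parse_csp(h["content-security-policy"])
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors is not 'none' (clickjacking)")
        for d in ("script-src", "style-src"):       # the example keeps these; flag them
            if "'unsafe-inline'" in csp.get(d, []):
                findings.append(f"CSP {d} allows 'unsafe-inline'")
    max_age, subs, preload = parse_hsts(h.get("strict-transport-security", ""))
    if max_age < 31536000 or not subs or not preload:
        findings.append("HSTS weaker than max-age=31536000; includeSubDomains; preload")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings

# Constructed sample: the General Use Example headers as a client would see them.
EXAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; img-src 'self' https:; "
        "script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; "
        "font-src 'self' https:; connect-src 'self' https:; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}
```

Run against the example itself, the only findings are the two 'unsafe-inline' allowances, which is the caveat the explanation above makes.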

Logic

For ANY URL request, to any page or file (that is NOT related to the admin files and requests):

  • add configured headers to the response
    • if header is enabled AND there is at least one non-empty value
      • add header with the selected options
        • checkbox options:
          if true; add option to the header, else; ignore this option
        • text options:
          if NOT empty string; add option with the value to the header, else; ignore this option
        • dropdown options:
          if NOT empty option selected; add option with the selected value to the header, else; ignore this option
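The Logic above as working code, an added example rather than the product's own implementation; the settings layout (an enabled flag plus typed options) and the per-header formatting table are assumptions of this example.

```python
# Added example, not the product's own code. The settings layout (enabled flag
# plus typed options) and the FORMATS table are assumptions of this example.
# FORMATS: joiner between options, then the template for a valued option
# ({o} = option name, {v} = value); a checked checkbox renders as the bare name.
FORMATS = {
    "Content-Security-Policy": ("; ", "{o} {v}"),
    "Cache-Control": (", ", "{o}={v}"),
    "Permissions-Policy": (", ", "{o}={v}"),
    "Strict-Transport-Security": ("; ", "{o}={v}"),
    "X-Content-Type-Options": ("", "{o}"),
    "X-Frame-Options": ("", "{v}"),
}
def render_header(name, setting):
    """Return the header value, or None when no header should be sent."""
    if not setting.get("enabled"):
        return None                                  # disabled: never emitted
    joiner, pair = FORMATS[name]
    parts = []
    for option, (kind, value) in setting["options"].items():
        if kind == "checkbox":
            if value is True:                        # true: add the bare option
                parts.append(option)
        elif kind == "integer":
            if value is not None:                    # integer: add option=N
                parts.append(pair.format(o=option, v=int(value)))
        elif value not in ("", None):                # text/dropdown: non-empty only
            parts.append(pair.format(o=option, v=value))
    return joiner.join(parts) if parts else None     # every option empty: no header

def build_headers(settings):
    """Map each enabled setting with at least one non-empty value to a header."""
    headers = {}
    for name, setting in settings.items():
        value = render_header(name, setting)
        if value is not None:
            headers[name] = value
    return headers

# Constructed sample: HSTS and Permissions-Policy as in the General Use Example,
# plus an empty dropdown and a disabled header that must produce nothing.
SAMPLE_SETTINGS = {
    "Strict-Transport-Security": {"enabled": True, "options": {
        "max-age": ("integer", 31536000), "includeSubDomains": ("checkbox", True),
        "preload": ("checkbox", True)}},
    "Permissions-Policy": {"enabled": True, "options": {
        "geolocation": ("text", "()"), "camera": ("text", "()"),
        "microphone": ("text", "")}},                # empty text is skipped
    "X-Frame-Options": {"enabled": True, "options": {"value": ("dropdown", "")}},
    "X-Content-Type-Options": {"enabled": False, "options": {"nosniff": ("checkbox", True)}},
}
```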