Category
Security Headers
HTTP response headers that harden your site against common attacks.
Category
HTTP response headers that harden your site against common attacks.
Security headers are powerful but easy to misconfigure. A policy that looks present may be doing nothing — or quietly breaking pages. This…
CSP lets you declare trusted sources for each type of content. The browser blocks anything outside that policy, dramatically reducing the i…
COEP ensures a document only loads cross-origin resources that have explicitly allowed themselves to be embedded. Together with COOP it cre…
COOP lets a page sever the JavaScript reference between itself and other windows unless they share the same origin. This isolation blocks a…
CORP is set on individual resources (images, scripts, JSON) to say which origins are allowed to embed them. It reduces resource theft and c…
The Strict-Transport-Security header instructs browsers to remember that your site is HTTPS-only for a set duration. This closes the small…
A small set of response headers — HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-P…
Permissions-Policy declares which powerful browser capabilities your pages — and any iframes they embed — are allowed to use. Turning off u…
When a visitor navigates from your site to another, the browser can send your page's full URL as the referrer. Referrer-Policy limits this…
Without this header, browsers may ignore your declared Content-Type and infer their own — occasionally treating an image or text file as ex…
Clickjacking loads your real site inside an invisible frame on an attacker's page so users unknowingly click your buttons. X-Frame-Options…