
A Guide to HTTP Security Headers

What Are HTTP Security Headers?

HTTP security headers are sent by a web server in its responses and establish rules that the connecting browser enforces for the page. Following best practices for these headers gives users a more secure browsing experience and better protects your website. Changing these headers can affect the functionality of your website, so test every change before moving it to production. Most headers have straightforward recommended values, but some (Content-Security-Policy and Feature-Policy) must be configured specifically for your website.

Types of HTTP Security Headers:

Content-Security-Policy

Restricts the loading of resources (e.g. JavaScript) to trusted sources. This control helps defend against some web-based attacks.
  • Recommended Value: Example value (note that this must be customized to the script sources that are allowed to run on your website)

    • default-src 'self' allowedsite1.com allowedsite2.com allowedsite3.com;

    • Further configuration options are described in the Content-Security-Policy documentation.

X-Permitted-Cross-Domain-Policies

Restricts the loading of your website's resources from domains other than your website.
  • Recommended Value: none

Clear-Site-Data

Instructs the browser to clear the browsing data it has stored for your website.
  • Recommended Value: "cache","cookies","storage"

Cross-Origin-Embedder-Policy

Helps prevent some web-based attacks.
  • Recommended Value: require-corp

Cross-Origin-Opener-Policy

Helps prevent some web-based attacks.
  • Recommended Value: same-origin

Cross-Origin-Resource-Policy

Helps prevent some web-based attacks.
  • Recommended Value: same-origin

Cache-Control

Prevents information disclosure through the browser cache.
  • Recommended Value: no-store, max-age=0

Strict-Transport-Security

Enforces connections over encrypted channels (HTTPS).
  • Recommended Value: max-age=31536000; includeSubDomains

X-Frame-Options

Helps prevent some web-based attacks.
  • Recommended Value: deny

Expect-CT

Improves the likelihood of trusted connections.
  • Recommended Value: Note that this security header was deprecated in June 2021 and is being phased out. The following is an example configuration that could be used (be sure to modify the report-uri):

    • Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

X-Content-Type-Options

Helps prevent some web-based attacks.
  • Recommended Value: nosniff

Feature-Policy

Specifies which browser features (e.g. webcam / microphone) should be enabled or disabled for a website.
  • Recommended Value: Note that this security header is in the process of being deprecated and will be split into Permissions-Policy and Document-Policy. Identify the features that your website uses and explicitly allow them. Alternatively, select the features that should not be allowed.

    • Feature-Policy: <feature> <allow list origin(s)>

Referrer-Policy

Omits referrer information from the HTTP requests the browser sends. This prevents other websites from seeing that users visited them from your website.
  • Recommended Value: no-referrer
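As an added example (not part of the original guide), the following Python script parses a constructed HTTP response and audits its headers against the recommended values above: fixed-value headers are compared exactly, Strict-Transport-Security is checked for the one-year max-age and includeSubDomains, Cache-Control is checked for no-store, and the site-specific Content-Security-Policy is only checked for presence.

```python
# Added example, not part of the original guide: audit a raw HTTP response against the recommended header values above.
import re
from email.parser import Parser

# Headers whose recommended value is a single fixed token (compared case-insensitively).
EXACT = {
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
}
HSTS_MIN_AGE = 31536000  # one year, as recommended above


def parse_headers(raw):
    """Drop the status line and body; email.parser yields a case-insensitive header map."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n", 1)
    return Parser().parsestr(lines[1] if len(lines) > 1 else "", headersonly=True)


def audit_headers(raw):
    """Return {header: 'ok' | 'missing' | 'weak: <value>'} for the headers the guide covers."""
    h, out = parse_headers(raw), {}
    for name, want in EXACT.items():
        got = h.get(name)
        out[name] = "missing" if got is None else "ok" if got.strip().lower() == want else f"weak: {got.strip()}"
    # Content-Security-Policy is site-specific, so only its presence is checked.
    out["Content-Security-Policy"] = "ok" if h.get("Content-Security-Policy") else "missing"
    hsts = h.get("Strict-Transport-Security")
    age = re.search(r"max-age\s*=\s*(\d+)", hsts or "", re.I)
    if hsts is None:
        out["Strict-Transport-Security"] = "missing"
    elif age and int(age.group(1)) >= HSTS_MIN_AGE and "includesubdomains" in hsts.lower():
        out["Strict-Transport-Security"] = "ok"
    else:
        out["Strict-Transport-Security"] = f"weak: {hsts.strip()}"
    cc = h.get("Cache-Control")
    tokens = {t.strip().lower() for t in cc.split(",")} if cc else set()
    out["Cache-Control"] = "missing" if cc is None else "ok" if "no-store" in tokens else f"weak: {cc.strip()}"
    return out


# Constructed sample response: a mix of compliant, weak and absent headers.
SAMPLE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\nCache-Control: public, max-age=600\r\n"
    "Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>"
)
```

Running `audit_headers(SAMPLE)` reports X-Frame-Options, Strict-Transport-Security and Cache-Control as weak, Referrer-Policy and the Cross-Origin headers as missing, and the rest as ok.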
