HTTP Security Headers are key-value pairs returned by your web server that instruct browsers how to behave when handling your site's content. They're essential for protecting against common security vulnerabilities.
Learn more from OWASP's HTTP Headers Cheat Sheet
CORS is a mechanism that allows web pages from one domain to securely request data from another domain. It controls access through HTTP headers like Access-Control-Allow-Origin.
Example:
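Added example (not code from the original page) of the server-side decision behind Access-Control-Allow-Origin, written in Python: the allowlist, the origins and the function names are constructed for illustration. The exact-match allowlist is contrasted with a substring check, a common misconfiguration that the allowlist avoids.

```python
"""Origin-allowlist CORS decision (added illustration, not code from the page).

Everything below is a constructed assumption: the allowlist, the sample
origins and the function names are hypothetical.
"""
from typing import Dict, Optional

# Constructed allowlist of exact origins (scheme + host [+ port]) that may
# read responses cross-origin. Origins are compared as whole strings.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com",
}


def cors_headers(request_origin: Optional[str], with_credentials: bool = False) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `request_origin`.

    - A missing or unknown Origin gets no Access-Control-Allow-Origin at all,
      so the browser refuses to expose the response to the calling page.
    - An allowed origin is echoed back exactly; "*" is never used, and
      browsers reject "*" together with credentials anyway.
    - Vary: Origin stops a shared cache from handing one origin's response
      (with its echoed header) to a different origin.
    """
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def naive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Weak variant kept for comparison: a substring check on the origin.

    Any origin that merely contains "example.com" is reflected, which is
    why exact-match allowlists (above) are the recommended pattern.
    """
    if request_origin and "example.com" in request_origin:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed sample origins: one allowlisted, one that only contains the name.
    for origin in ("https://app.example.com", "https://app.example.com.not-ours.example"):
        print(origin, "strict:", cors_headers(origin), "naive:", naive_cors_headers(origin))
```

The strict function only ever returns an origin that was already in the allowlist, so an audit of the response can confirm correctness by checking that the echoed value is in `ALLOWED_ORIGINS`.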
Cache-Control defines caching policies for browsers and proxy servers. It can prevent caching sensitive data or specify cache duration.
Example:
HSTS forces browsers to communicate with the server only via HTTPS, preventing SSL Stripping attacks.
Example:
X-Frame-Options prevents your website from being loaded within an iframe on another website, protecting against clickjacking attacks.
Example:
CSP protects against XSS and code injection attacks by specifying which sources content can be loaded from.
Example:
X-Content-Type-Options prevents browsers from MIME sniffing and forces them to use the content type specified by the server.
Example:
Referrer-Policy controls how much referrer information is shared when navigating to other websites.
Example:
Permissions-Policy controls which browser features and APIs can be used in your website and embedded content.
Example:
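Added Python example, not code from the original page, that collects the headers discussed above into one baseline and audits a response against it. The recommended values, the HSTS age threshold, the finding texts and the sample responses are constructed assumptions, chosen to show the checks a practitioner would run rather than a standard.

```python
"""Security-header audit (added illustration, not code from the page).

The baseline values, thresholds and sample responses are constructed assumptions.
"""
from typing import Dict, List

# Constructed baseline: a hardened header set a web server could send.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cache-Control": "no-store",
}

# Assumed threshold: six months, below which an HSTS policy is treated as too short.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def _csp_sources(csp: str, directive: str, fallback: str = "default-src") -> List[str]:
    """Source list for a CSP directive, falling back to default-src as browsers do."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get(directive, directives.get(fallback, []))


def audit_headers(headers: Dict[str, str], sensitive: bool = False) -> List[str]:
    """Return a list of findings for a response; an empty list means all checks passed.

    `sensitive` marks responses (e.g. account pages) that must not be cached.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: downgrade to http:// is not prevented")
    elif _hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age too short")

    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    # Either header can stop framing; CSP frame-ancestors is the modern one.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp.lower():
        findings.append("No framing protection (X-Frame-Options or CSP frame-ancestors)")

    if not csp:
        findings.append("CSP missing")
    else:
        script_sources = _csp_sources(csp.lower(), "script-src")
        if "'unsafe-inline'" in script_sources or "'unsafe-eval'" in script_sources:
            findings.append("CSP allows inline or eval script, weakening XSS protection")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("Sensitive response is cacheable: Cache-Control lacks no-store")

    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS: wildcard origin combined with credentials")

    return findings


if __name__ == "__main__":
    # Constructed sample: a response that sends only a content type.
    weak_response = {"Content-Type": "text/html"}
    for finding in audit_headers(weak_response, sensitive=True):
        print("-", finding)
    print("baseline findings:", audit_headers(RECOMMENDED_HEADERS, sensitive=True))
```

The audit accepts either X-Frame-Options or a CSP frame-ancestors directive as framing protection, and only flags 'unsafe-inline' when it actually applies to scripts (script-src, or default-src when script-src is absent), so a policy that merely relaxes styles is not reported as an XSS weakness.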
XSS (Cross-Site Scripting): Mitigated by CSP and X-XSS-Protection
Clickjacking: Prevented by X-Frame-Options
MIME Sniffing: Blocked by X-Content-Type-Options
SSL Stripping: Protected by HSTS
Man-in-the-Middle Attacks: Prevented by HTTPS enforcement and certificate pinning