davesag/headers.md

Last active September 21, 2020 07:52

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/davesag/48eff3008d0ac710b989.js"></script>
Save davesag/48eff3008d0ac710b989 to your computer and use it in GitHub Desktop.

Download ZIP

Ross's standard server security headers

Raw

Dr Ross Williams' collection of security related HTTP headers

Reject all HTTP connections. Convert them to HTTPS or generate an error.

See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
See http://tools.ietf.org/html/rfc6797
31536000 is about one year.

header("Strict-Transport-Security","max-age=31536000; includeSubDomains")

Do not allow the web page to be displayed within a frame of someone else's web page.

Note: If you replace deny with sameorigin, it will allow framing from the same site.

header("X-Frame-Options","deny")

Prevent Cross-Site Scripting.

That is: Don't access anything on the web page not pointing to your page's domain.

header("X-XSS-Protection","1; mode=block")

Prevents clients from inferring the type of files uploaded by users.

header("X-Content-Type-Options","nosniff")

Prevents the browser from loading scripts not sourced from the main website.

See http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using

header("Content-Security-Policy","script-src 'self'")

Disallow inline Javascript

This is enforced by default if writing a Chrome Extension but in general requires more consideration before activating.

DISABLED header("X-WebKit-CSP","default-src 'self'")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment