Security: Useful HTTP Response Headers

Here is a list of useful HTTP response headers you should know about:

  • X-Content-Type-Options

When set to "nosniff", this header prevents browsers from MIME-sniffing a response away from the declared content type. While this header is more relevant for "normal" web applications (it protects against some types of drive-by downloads), it does not hurt to add it to your REST service, if

X-Content-Type-Options: nosniff

  • X-Frame-Options

Provides clickjacking protection. Allowed values are:

  • deny: no rendering within a frame
  • sameorigin: no rendering if the origin does not match
  • allow-from <DOMAIN>: allow rendering only if framed by a page loaded from DOMAIN (this value was never supported by all browsers and is obsolete today; the frame-ancestors directive of Content-Security-Policy replaces it)

X-Frame-Options: deny

  • X-XSS-Protection

Re-enables the cross-site scripting filter in IE and Chrome if the user has disabled it. (Current browsers have since removed this filter, so the header is legacy and has no effect in them.)

X-XSS-Protection: 1; mode=block

  • Strict-Transport-Security

Enables HTTP Strict Transport Security (HSTS). This prevents browsers from using an insecure connection to the server for the given time (max-age, in seconds). Additionally, you can include all subdomains:

Strict-Transport-Security: max-age=16070400; includeSubDomains
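
To verify that a service actually emits these four headers, here is an added Python example (not code from the original post) that audits a response's header dictionary against the values listed above. The HSTS floor of 16070400 seconds is the post's own example value; treating it as the minimum acceptable max-age is an assumption of this example.

```python
from typing import Dict, List

# Recommended values from the post; a server should emit these on every response.
RECOMMENDED_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
}
# Assumption of this example: the post's max-age (16070400 s) is used as the floor.
MIN_HSTS_MAX_AGE = 16070400


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=N; includeSubDomains' into a lowercase directive map."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak security headers (names compared case-insensitively)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    findings: List[str] = []
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-frame-options") not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not deny/sameorigin")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security missing or max-age below {MIN_HSTS_MAX_AGE}")
    elif "includesubdomains" not in hsts:
        findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


# Constructed sample: a response that sets X-Frame-Options but forgets the rest.
SAMPLE_WEAK_RESPONSE = {"Content-Type": "application/json", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print(audit_headers(SAMPLE_WEAK_RESPONSE))
```

Feed it the header dict of a real response (for example `response.headers` from an HTTP client) to see which of the four headers a deployment is still missing.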