What are HTTP security headers?
HTTP security headers are instructions your server sends to the browser with every response. They tell the browser how to behave when faced with certain threats. They cost almost nothing to implement (a few lines of configuration) but shut down whole classes of client-side attacks, so they are usually the first quick win of a hardening pass.
X-Frame-Options: protection against clickjacking
Clickjacking is an attack in which a malicious site loads your site inside an <iframe>, makes the frame transparent and positions it over its own page, so that a visitor who believes they are clicking on the attacker's page is actually clicking on yours. This can be used to confirm transactions, grant permissions or trigger other actions without the user's knowledge.
Header always set X-Frame-Options "SAMEORIGIN"
SAMEORIGIN allows the page to be framed only by pages from the same origin (same scheme, host and port, not merely the same domain). DENY forbids framing entirely. The older ALLOW-FROM value is not honoured by current browsers, so do not rely on it. Newer browsers also support the frame-ancestors directive of Content-Security-Policy, which can name specific allowed origins; keep X-Frame-Options alongside it for older browsers.
X-Content-Type-Options: block MIME sniffing
MIME sniffing (MIME = Multipurpose Internet Mail Extensions, the web's file type system) is the browser behaviour of guessing a file's type from its content, even when the server declares a different type in the Content-Type header. An attacker can abuse this heuristic: a file uploaded to your site and served as an image, but whose content looks like HTML or JavaScript, may be sniffed and interpreted as such by the browser. With nosniff, the browser trusts the declared Content-Type and, in addition, refuses to execute scripts or apply stylesheets whose declared type is wrong.
Header always set X-Content-Type-Options "nosniff"
Referrer-Policy: protect privacy
The Referer (the header name keeps the spelling mistake of the original specification) is the URL of the page from which the user clicked a link or from which a resource was requested. Without control, this full URL, including any sensitive query parameters such as a password-reset token or session identifier, is sent to the destination site. Referrer-Policy controls precisely what is shared. The value below sends the full URL only to your own origin, just the origin (scheme and host) to other sites, and nothing at all when navigating from HTTPS to HTTP. Current browsers already use it as their default, but setting it explicitly removes any dependence on browser defaults.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
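To make the policy values concrete, here is an added example (not code from the original article) that computes the Referer a browser sends under each Referrer-Policy value, following the rules of the W3C Referrer Policy specification. The URLs are constructed for the example; the one simplification, noted in the code, is that a "downgrade" is treated as an https to http transition.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example (not from the original article): what Referer value a browser
# sends for each Referrer-Policy value, following the W3C Referrer Policy rules.
# Simplification (assumption): "downgrade" is treated as https -> http only.

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """scheme://host[:port] with the default port dropped (the serialised origin)."""
    p = urlsplit(url)
    host = p.hostname or ""
    port = "" if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    return f"{p.scheme}://{host}{port}"


def strip_for_referrer(url):
    """The full URL as a browser would send it: no credentials and no fragment."""
    p = urlsplit(url)
    host_port = origin_of(url).split("://", 1)[1]
    return urlunsplit((p.scheme, host_port, p.path, p.query, ""))


def referrer_for(policy, source, destination):
    """Return the Referer header value that is sent, or None when nothing is sent."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme == "http")
    full = strip_for_referrer(source)
    origin_only = origin_of(source) + "/"  # origins are sent with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    # strict-origin-when-cross-origin: the value recommended above
    if same_origin:
        return full
    return None if downgrade else origin_only


# Constructed sample: a password-reset page whose URL carries a token.
SOURCE = "https://app.example.com/reset?token=abc123#step2"
DESTINATIONS = {
    "same origin": "https://app.example.com/next",
    "cross origin, https": "https://cdn.example.net/widget.js",
    "cross origin, downgrade": "http://tracker.example.org/pixel",
}


def leak_table(policy):
    """Referer sent to each constructed destination under one policy."""
    return {label: referrer_for(policy, SOURCE, dst) for label, dst in DESTINATIONS.items()}


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:32} {leak_table(policy)}")
```

Running it shows why the recommended value is the right default: under strict-origin-when-cross-origin the token reaches only your own origin, the CDN sees just https://app.example.com/, and the plain-HTTP tracker sees nothing, whereas unsafe-url hands the token to all three.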
Permissions-Policy: limit access to sensitive APIs
This header (formerly Feature-Policy) controls which browser APIs (programming interfaces) are available to your pages and to the cross-origin content (iframes) they embed. For example, it can turn off access to the camera, microphone or geolocation. Note that an empty allowlist such as camera=() disables the feature for everyone, your own origin included; if your own pages need a feature while embedded third-party frames must not get it, use camera=(self) instead.
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Full configuration on Apache
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>
Check your headers
TheSiteFuse verifies the presence and value of each security header on your site. Run a free audit to identify the missing headers and fix them.
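As an added example (not TheSiteFuse's own checker), the following script audits a raw HTTP response header block for the four headers covered on this page and reports anything missing or weak. The two responses it runs over are constructed; the hardened one matches the Apache configuration above. To check a live site, paste the output of curl -sI https://your-site in place of one of the constructed blocks.

```python
# Added example (not TheSiteFuse's code): an offline audit of the four headers
# discussed on this page, run over constructed HTTP response header blocks.

KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that never send the full URL to another site.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}
# Features the recommended Permissions-Policy above disables.
EXPECT_DENIED = ("camera", "microphone", "geolocation")


def parse_headers(raw):
    """Parse 'Name: value' lines into {lower-case name: [values]}; duplicates are kept."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_permissions_policy(value):
    """'camera=(), geolocation=(self "https://maps.example")' -> {feature: [allowlist]}."""
    policy = {}
    for directive in value.split(","):
        feature, _, allowlist = directive.strip().partition("=")
        if not feature:
            continue
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            allowlist = allowlist[1:-1]  # "()" becomes "" -> empty allowlist = denied
        policy[feature.strip().lower()] = allowlist.split()
    return policy


def audit(raw):
    """Return a list of findings; an empty list means all four headers are set correctly."""
    h = parse_headers(raw)
    findings = []

    xfo = h.get("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options: missing")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is not honoured by current browsers
        findings.append(f"X-Frame-Options: unsupported value {xfo[0]!r}")

    xcto = h.get("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    rp = h.get("referrer-policy")
    if not rp:
        findings.append("Referrer-Policy: missing")
    else:
        # The header may list fallbacks; the last recognised token is the one that applies.
        tokens = [t.strip().lower() for t in ",".join(rp).split(",")]
        effective = next((t for t in reversed(tokens) if t in KNOWN_REFERRER_POLICIES), None)
        if effective is None:
            findings.append(f"Referrer-Policy: no recognised value in {rp}")
        elif effective not in SAFE_REFERRER_POLICIES:
            findings.append(f"Referrer-Policy: {effective!r} can send the full URL cross-site")

    pp = h.get("permissions-policy")
    if not pp:
        findings.append("Permissions-Policy: missing")
    else:
        policy = parse_permissions_policy(",".join(pp))
        for feature in EXPECT_DENIED:
            allow = policy.get(feature)
            if allow is None:
                findings.append(f"Permissions-Policy: {feature} not restricted")
            elif allow:
                findings.append(f"Permissions-Policy: {feature} allowed for {' '.join(allow)}")
    return findings


# Constructed responses: one weak, one matching the Apache configuration above.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOW-FROM https://partner.example
Referrer-Policy: unsafe-url
Permissions-Policy: camera=*, microphone=()
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw) or ["ok"])
```

Header names are compared case-insensitively because servers and proxies differ in how they capitalise them, and Referrer-Policy is evaluated the way browsers do it (last recognised token wins) so that a fallback list such as "origin, strict-origin-when-cross-origin" is judged on the value that actually applies.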