reference
HTTP security headers, explained and configured.
The response headers that harden a web application - what each one does, the attacks it mitigates, and how to set it correctly - cross-linked to the vulnerabilities they defend against.
Content-Security-Policy
Controls which resources a page may load and execute, limiting the impact of injection.
Strict-Transport-Security
Forces browsers to use HTTPS for a domain, preventing protocol downgrade and stripping.
X-Content-Type-Options
Stops browsers from MIME-sniffing responses away from the declared Content-Type.
X-Frame-Options
Controls whether a page may be embedded in a frame, preventing clickjacking.
Referrer-Policy
Controls how much referrer information is sent with requests, preventing leakage.
Permissions-Policy
Enables or disables browser features (camera, geolocation, etc.) per origin.
Access-Control-Allow-Origin
Declares which origins may read cross-origin responses under CORS.
Set-Cookie (security attributes)
Cookie attributes - HttpOnly, Secure, SameSite - that protect session tokens.
Cache-Control
Controls caching of responses, preventing sensitive data from being stored.
Cross-Origin-Resource-Policy
Restricts which origins may embed a resource, mitigating cross-origin leaks.
Cross-Origin-Opener-Policy
Isolates a page's browsing context from cross-origin windows.
Content-Disposition
Forces downloads instead of inline rendering, reducing content-injection risk.