IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers

reference

HTTP security headers, explained and configured.

The response headers that harden a web application - what each one does, the attacks it mitigates, and how to set it correctly - cross-linked to the vulnerabilities they defend against.

Content-Security-Policy

Controls which resources a page may load and execute, limiting the impact of injection.

Strict-Transport-Security

Forces browsers to use HTTPS for a domain, preventing protocol downgrade and stripping.

X-Content-Type-Options

Stops browsers from MIME-sniffing responses away from the declared Content-Type.

X-Frame-Options

Controls whether a page may be embedded in a frame, preventing clickjacking.

Referrer-Policy

Controls how much referrer information is sent with requests, preventing leakage.

Permissions-Policy

Enables or disables browser features (camera, geolocation, etc.) per origin.

Access-Control-Allow-Origin

Declares which origins may read cross-origin responses under CORS.

Set-Cookie (security attributes)

Cookie attributes - HttpOnly, Secure, SameSite - that protect session tokens.

Cache-Control

Controls caching of responses, preventing sensitive data from being stored.

Cross-Origin-Resource-Policy

Restricts which origins may embed a resource, mitigating cross-origin leaks.

Cross-Origin-Opener-Policy

Isolates a page's browsing context from cross-origin windows.

Content-Disposition

Forces downloads instead of inline rendering, reducing content-injection risk.

Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub