
List of useful HTTP headers

Field name / Description / Example

<a href="http://tools.ietf.org/html/rfc6797">Strict-Transport-Security</a>
Description: Instructs the browser to use only secure (HTTP over SSL/TLS) connections to the server for the given time (max-age, in seconds); includeSubDomains extends the policy to all subdomains. This reduces the impact of bugs in web applications that leak session data through cookies and external links.
Example: <code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code>

<a href="http://tools.ietf.org/html/draft-ietf-websec-frame-options-00">Frame-Options</a> (sent as X-Frame-Options)
Description: Controls whether the page may be rendered inside a frame (clickjacking protection). deny - no rendering within a frame; sameorigin - no rendering if the framing page's origin differs; allow-from URI - allow rendering in a frame only if the framing page is loaded from URI.
Example: <code>X-Frame-Options: deny</code>

<a href="http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx">X-XSS-Protection</a>
Description: Enables the browser's built-in reflected cross-site scripting filter (introduced in IE8); with mode=block the browser refuses to render the page when an attack is detected rather than attempting to sanitize it.
Example: <code>X-XSS-Protection: 1; mode=block</code>

<a href="http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx">X-Content-Type-Options</a>
Description: The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to
Example: <code>X-Content-Type-Options: nosniff</code>

<a href="http://www.w3.org/TR/CSP/">X-Content-Security-Policy, X-WebKit-CSP</a>
Description: renders pages (e.g. inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including
Example: <code>X-WebKit-CSP: default-src 'self'</code>

The examples below present selected HTTP headers as set by popular websites, to demonstrate that they are indeed being used in production services:
