Security Headers
The following HTTP headers should be sent by default. A mechanism for modifying or removing them for specific responses should be provided, but the secure defaults should stay enabled unless there is an overriding reason not to.
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 0 (explicitly disables the legacy browser XSS auditor, which modern browsers have removed)
- X-Content-Type-Options: nosniff
- Content-Type: text/html; charset=utf-8
Additionally, no headers should be sent that needlessly divulge information about the server or its configuration that an end user would not need.
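As an added example (not code from the OWASP page), a small WSGI middleware that applies these defaults to every response, lets a single route override or drop a header, and strips headers that only identify the server software. The demo application, the route paths, and the choice of `Server` and `X-Powered-By` as the information-disclosing headers are assumptions.

```python
DEFAULT_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}
# Assumed examples of headers that needlessly reveal server details.
STRIP_HEADERS = {"server", "x-powered-by"}

class SecurityHeadersMiddleware:
    def __init__(self, app, overrides=None):
        self.app = app
        # overrides: {path: {header: value}}; a value of None removes the header
        self.overrides = overrides or {}

    def __call__(self, environ, start_response):
        route = self.overrides.get(environ.get("PATH_INFO", "/"), {})
        def wrapped(status, headers, exc_info=None):
            return start_response(status, self.apply(headers, route), exc_info)
        return self.app(environ, wrapped)

    def apply(self, headers, route):
        kept = [(k, v) for k, v in headers if k.lower() not in STRIP_HEADERS]
        # Defaults fill in only what the app did not set, so an explicit
        # application/json Content-Type survives.
        present = {k.lower() for k, _ in kept}
        kept += [(k, v) for k, v in DEFAULT_HEADERS.items() if k.lower() not in present]
        # Per-route overrides win: an explicit value replaces, None removes.
        for name, value in route.items():
            kept = [(k, v) for k, v in kept if k.lower() != name.lower()]
            if value is not None:
                kept.append((name, value))
        return kept

def demo_app(environ, start_response):
    """Constructed sample app: leaks its server name and serves JSON on /api."""
    if environ["PATH_INFO"] == "/api":
        start_response("200 OK", [("Content-Type", "application/json"), ("Server", "demo/1.0")])
        return [b"{}"]
    start_response("200 OK", [("X-Powered-By", "demo")])
    return [b"<html></html>"]

def response_headers(app, path):
    """Call a WSGI app for `path` and return its final headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return dict(captured["headers"])

# /embed may be framed: drop the default X-Frame-Options there only.
app = SecurityHeadersMiddleware(demo_app, overrides={"/embed": {"X-Frame-Options": None}})
```

The same override map can be extended with an explicit value (for example, `{"X-Frame-Options": "DENY"}`) where a route needs a stricter setting than the default.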