Tighten the security belt of your website: HTTP Security Headers

Aug 6, 2020 · 5 min read

Modern browsers support HTTP security headers, which can harden applications against common attacks such as clickjacking, cross-site scripting, and many more. Let us explore some ways you can tighten the security belt of your website.

Understanding HTTP Security Headers


Whenever a user requests a page from a server, the server responds with the content along with some HTTP response headers. Some of them carry information such as content, encoding, status code, cache control, and many more. Along with these, there are security headers that instruct the browser on how to behave when handling your website’s content; these are known as HTTP security headers. They help preserve the privacy of your website as well as its users, and they help mitigate some potential security vulnerabilities.

Let us now discuss some of the important HTTP Security headers that help you to tighten up the security belt of your website.

1. HTTP Strict Transport Security (HSTS)

Suppose you own a website, you have just installed an SSL/TLS certificate, and you have migrated the site from HTTP to HTTPS. The “S” stands for security, so you might think that your website is secure now. But what if your website is still available over HTTP? This is where HSTS comes into action: it forces the browser to communicate over secure HTTPS, eliminating HTTP.

If the browser knows that the site has enabled HSTS, it uses only HTTPS connections, no matter what, even if the user entered HTTP or did not specify any header.

There are semantically distinct ways to send the HSTS header:

  • Applied only to the domain of the HSTS host issuing it; remains in effect for one year.
Strict-Transport-Security: max-age=31536000
  • Applied to the domain of the issuing host as well as its subdomains; remains in effect for one year.
Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Directs the browser to delete the entire policy.
Strict-Transport-Security: max-age=0

2. Content Security Policy (CSP)

Enabling the Content Security Policy (CSP) header allows administrators to specify which data sources should be permitted in your web application.

It can help mitigate or reduce the attack surface of Cross-Site Scripting (XSS) attacks. Later versions of the spec also protect against other forms of attack such as clickjacking.


Content-Security-Policy: <policy-directive>; <policy-directive>

3. X-Frame-Options

It tells the browser how to behave when handling the site’s content. It provides clickjacking protection by defining whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.


X-Frame-Options: Deny

With the “deny” value, no domain is allowed to display this page within a frame. Some of the famous sites using this header are Facebook and GitHub.

There are some other values allowed for the X-Frame-Options header:

SAMEORIGIN — allows the current page to be displayed in a frame on another page, but only within the current domain. Some of the most famous sites using this header are Twitter, Amazon, and eBay.

ALLOW-FROM URI — allows the current page to be displayed in a frame, but only from a specific URI.

4. Expect-CT Header

The Expect-CT header prevents the use of misissued certificates for a site by allowing sites to report or enforce Certificate Transparency requirements. The available directives are:


Expect-CT: max-age=86400, enforce, 

Here, “enforce” instructs the browser to refuse connections that violate Certificate Transparency policy. The “report-uri” directive indicates a location for reporting failures. The “max-age” directive specifies the number of seconds for which the browser should cache and apply the received policy, whether enforced or report-only.

5. Cache-Control Header

Cache-Control Header is used to enable browser caching policies in both client requests and server responses. This includes policies such as how a resource is cached, where it’s cached and its maximum age before expiring.


Cache-Control: private, max-age=266637262

The “private” in the syntax indicates that a resource is user-specific, which means it can still be cached, but only on a client device. The “max-age” indicates the amount of time it takes for a cached copy to expire. Once expired, the browser must refresh its version. There are other directives that can help tighten up privacy. You can find the list here.

6. Clear-Site-Data Header

The Clear-Site-Data header ensures that no important confidential information from a website is stored by the browser once the user logs out.


Clear-Site-Data: "*"

This will clear all the browsing data related to the site.

7. Referrer-Policy Header

The Referer header carries information about your previous page, such as the address of the web page that linked to the currently requested page. This could be used to track or steal information, or it could inadvertently leak sensitive information.

The Referrer-Policy header defines how much referrer information must be included in the request.


Referrer-Policy: origin-when-cross-origin

With this value, the browser will only reveal complete referrer information for same-origin requests. You can find a list of other headers you can use here.
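
An added example, not part of the original article: a small Python audit that parses the header values of one response and flags problems with the HSTS, framing, Cache-Control and Referrer-Policy headers described above. The function names, the finding strings and the SAMPLE headers (including partner.example) are constructed for illustration.

```python
REFERRER_POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin",
                     "origin-when-cross-origin", "same-origin", "strict-origin",
                     "strict-origin-when-cross-origin", "unsafe-url"}

def directives(value, sep):
    """Parse 'name=value<sep>flag' header values into a lowercase dict."""
    pairs = (part.strip().partition("=") for part in value.split(sep))
    return {n.strip().lower(): v.strip().strip('"') for n, _, v in pairs if n.strip()}

def audit(headers):
    """Return a list of findings for one response's security headers."""
    h, findings = {k.lower(): v for k, v in headers.items()}, []
    # HSTS: needs a numeric, non-zero max-age; max-age=0 deletes the policy.
    hsts = directives(h.get("strict-transport-security", ""), ";")
    if not hsts:
        findings.append("HSTS: header missing")
    elif not hsts.get("max-age", "").isdecimal():
        findings.append("HSTS: max-age missing or not a number")
    elif int(hsts["max-age"]) == 0:
        findings.append("HSTS: max-age=0 tells the browser to delete the policy")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS: policy does not cover subdomains")
    # Framing: accept DENY / SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = [d.split() for d in h.get("content-security-policy", "").split(";")]
    has_frame_ancestors = any(d and d[0].lower() == "frame-ancestors" for d in csp)
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options: ALLOW-FROM is obsolete; current browsers ignore it")
    elif xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append("Framing: no valid X-Frame-Options or frame-ancestors")
    # Cache-Control: directives are comma-separated and use '=', never ':' or ';'.
    for name, val in directives(h.get("cache-control", ""), ",").items():
        if ":" in name or ";" in name or ";" in val:
            findings.append(f"Cache-Control: malformed directive {name!r}")
        elif name == "max-age" and not val.isdecimal():
            findings.append("Cache-Control: max-age is not a number")
    # Referrer-Policy: every comma-separated token must be a known policy.
    for token in h.get("referrer-policy", "").split(","):
        if token.strip() and token.strip().lower() not in REFERRER_POLICIES:
            findings.append(f"Referrer-Policy: unknown value {token.strip()!r}")
    return findings

# Constructed sample response headers (not captured from a real site).
SAMPLE = {"Strict-Transport-Security": "max-age=0",
          "X-Frame-Options": "ALLOW-FROM https://partner.example",
          "Cache-Control": "private, max-age: 600;",
          "Referrer-Policy": "origin-when-crossorigin"}
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the headers your own server returns, for example by copying them from the browser's network panel into a dict.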

Conclusion: HTTP headers are one of the ways to tighten up the seat belt of your website security. By enabling such headers, you are protecting both your website and your users’ privacy. Setting and updating them correctly can reduce the number of risk mitigation actions needed in the future.

Written by


Digital Diplomacy

Technology, digital, and innovation, at the intersection with government and foreign policy