General

You can use https://securityheaders.com/ to test the security headers of a public website. For internal hosts, or before a release, inspect the raw response headers yourself (curl -I, or an intercepting proxy) and check them against the expectations below.
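The check below is an added example and is not the scanner that securityheaders.com runs; it applies the expectations from the rest of this page to a dict of captured response headers and lists what is weak or missing. The two sample responses are constructed for illustration, not captured from any real site.

```python
"""Offline audit of the security headers covered on this page (added example)."""
from __future__ import annotations

import re

ONE_YEAR = 31_536_000  # seconds; the minimum HSTS max-age the preload list accepts


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means nothing to report."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    # X-Frame-Options: only DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete
    # and, like any other value, is simply ignored by current browsers.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not supported; browsers ignore it")

    # X-XSS-Protection: the filters it controlled are gone; anything other than 0
    # only turns on a retired, bypassable mechanism in the few old browsers left.
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection enables a retired filter; remove it or set 0")

    # Strict-Transport-Security: want max-age of a year or more plus includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r'max-age="?(\d+)', hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")

    rp = h.get("referrer-policy", "").lower()
    if not rp:
        findings.append("Referrer-Policy missing (browser default applies)")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy {rp!r} sends the full URL cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed sample responses (not captured from a real site).
WEAK = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=86400",
    "Referrer-Policy": "unsafe-url",
}
STRONG = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_headers(hdrs) or ["OK"])
```

Header names are matched case-insensitively because HTTP header names are; values are compared after trimming, since proxies frequently add whitespace.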

X-Frame-Options

The X-Frame-Options response header tells the browser whether the page may be embedded (via frame, iframe, embed or object) inside another page. Current browsers also honour the Content-Security-Policy frame-ancestors directive, which is more flexible and takes precedence over X-Frame-Options when both are present.

This header is typically used to prevent clickjacking attacks.

  1. X-Frame-Options: DENY - Embedding is never allowed, regardless of which origin tries to frame the page.

  2. X-Frame-Options: SAMEORIGIN - Embedding is allowed only if every ancestor frame, all the way up to the top-level document, has the same origin as the embedded page.

Note: The old ALLOW-FROM value is obsolete and is ignored by current browsers, as is any other unrecognised value, which leaves the page unprotected. Use the CSP frame-ancestors directive when a specific third party must be allowed to frame the page.
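The function below is an added example, not code from this page: it models how a browser applies X-Frame-Options to a framed response and runs a few constructed clickjacking scenarios through it. Origins are compared as scheme://host[:port]; the CSP frame-ancestors override is deliberately not modelled, and the handling of multiple comma-separated values follows the HTML standard's check (deny if any value is DENY, otherwise treat the header as invalid).

```python
"""Model of how a browser applies X-Frame-Options to a framed response (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit


def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()  # scheme, host and any explicit port


def frame_allowed(xfo: str | None, framed_url: str, ancestor_urls: list[str]) -> bool:
    """Decide whether framed_url may render inside the given chain of ancestors.

    ancestor_urls lists the documents from the direct parent up to the top-level
    page. DENY refuses any framing, SAMEORIGIN requires every ancestor (not just
    the parent) to share the framed document's origin, and a missing or
    unrecognised value (including the obsolete ALLOW-FROM) gives no protection.
    """
    if not ancestor_urls:                       # top-level navigation: nothing to check
        return True
    if xfo is None:
        return True
    # The header may carry several comma-separated values when, for example, both
    # the application and a reverse proxy set it. Deduplicate; if distinct values
    # remain, deny when one of them is DENY and otherwise treat the header as invalid.
    values = list(dict.fromkeys(v.strip().lower() for v in xfo.split(",") if v.strip()))
    if len(values) > 1:
        return "deny" not in values
    value = values[0] if values else ""
    if value == "deny":
        return False
    if value == "sameorigin":
        target = origin(framed_url)
        return all(origin(a) == target for a in ancestor_urls)
    return True                                 # unknown value: framing allowed


# Constructed scenarios: a bank page framed by its own portal, and by an attacker
# page that overlays it with a fake "claim prize" button (classic clickjacking).
BANK = "https://bank.example/transfer"


def scenarios() -> dict[str, bool]:
    same = ["https://bank.example/portal"]
    attacker = ["https://evil.example/prize"]
    nested = ["https://bank.example/widget", "https://evil.example/prize"]
    return {
        "no header, attacker frames it": frame_allowed(None, BANK, attacker),
        "DENY, own portal frames it": frame_allowed("DENY", BANK, same),
        "SAMEORIGIN, own portal": frame_allowed("SAMEORIGIN", BANK, same),
        "SAMEORIGIN, attacker": frame_allowed("SAMEORIGIN", BANK, attacker),
        "SAMEORIGIN, own widget inside attacker page": frame_allowed("SAMEORIGIN", BANK, nested),
        "obsolete ALLOW-FROM, attacker": frame_allowed("ALLOW-FROM https://partner.example", BANK, attacker),
        "conflicting SAMEORIGIN, DENY": frame_allowed("SAMEORIGIN, DENY", BANK, same),
    }


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{'FRAMED ' if allowed else 'BLOCKED'}  {case}")
```

The nested case is the one that catches people out: an old browser that only checked the direct parent would render the bank widget inside the attacker's page, which is why SAMEORIGIN now means the whole ancestor chain.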

X-XSS-Protection

The X-XSS-Protection response header was used by older versions of Chrome, Edge and Internet Explorer to control their built-in reflected-XSS filters, which stopped a page from loading (or stripped the suspicious script) when the filter detected an XSS attack.

  1. X-XSS-Protection: 1 - Enables the filter in legacy browsers (1; mode=block makes the browser block the whole page instead of sanitising it).

  2. X-XSS-Protection: 0 - Disables the filter in legacy browsers.

Note: No current browser supports this header. Chrome removed its XSS Auditor in Chrome 78, Edge retired its XSS Filter, and Firefox never implemented one. Set it to 0 or omit it; the filters themselves could be abused (for example to selectively disable legitimate scripts), so enabling them is not a mitigation. Use a Content-Security-Policy to limit script execution instead.

Strict-Transport-Security

The Strict-Transport-Security (HSTS) response header tells the browser that the site must only be loaded over HTTPS. The browser only honours the header when it receives it over an HTTPS connection (an HSTS header on a plain HTTP response is ignored), so the protection starts with the first successful HTTPS visit.

Note: Until the browser has seen the header over HTTPS, the very first request to the site can still go over HTTP; this trust-on-first-use gap is what the preload list closes. Once the policy is stored, the browser rewrites http:// URLs for the host to https:// before sending anything, and treats certificate errors for that host as fatal instead of offering a click-through warning.

  1. Strict-Transport-Security: max-age=<seconds> - The max-age directive tells the browser that, for the given number of seconds counted from the last time the header was seen, the site may only be accessed over HTTPS. max-age=0 tells the browser to forget a stored policy.

  2. Strict-Transport-Security: max-age=<seconds>; includeSubDomains - The includeSubDomains directive extends the policy to every subdomain of the host that sent the header. Make sure every subdomain can actually serve HTTPS first, or it will become unreachable.

  3. Strict-Transport-Security: max-age=<seconds>; includeSubDomains; preload - The preload directive signals that the site owner opts in to the browser-maintained preload list (hstspreload.org), which ships inside Chrome, Firefox, Safari and Edge, so the site is HTTPS-only even on the very first visit. preload is not part of RFC 6797; it is only meaningful once the site is submitted to and accepted by the list. To be accepted, max-age must be at least one year (31536000 seconds), both includeSubDomains and preload must be present, and the site must redirect HTTP to HTTPS. Removal from the list is slow, so treat preloading as a one-way door.
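As an added example (not code from this page or from hstspreload.org), the parser below reads a Strict-Transport-Security value the way RFC 6797 section 6.1 tells a browser to, rejecting the header outright when it is malformed, and then reports which of the header-level preload requirements listed above are unmet. The hostname-level requirements (HTTP-to-HTTPS redirect, valid certificates on every subdomain) cannot be judged from the header and are not checked.

```python
"""Strict-Transport-Security parsing and preload-eligibility check (added example)."""
from __future__ import annotations

from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; minimum max-age accepted by hstspreload.org


@dataclass
class HstsPolicy:
    max_age: int              # 0 means "forget any stored policy"
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy | None:
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns None when the value is not a valid policy (max-age missing or not a
    number, or any directive repeated), which is how a conforming browser treats
    it: the header is ignored. Directive names are case-insensitive and unknown
    directives are skipped, so newer directives do not break older browsers.
    """
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None          # "All directives MUST appear only once"
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')   # the value may be a quoted-string
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None              # max-age is the only required directive
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(value: str) -> list[str]:
    """Header-level reasons the preload list would reject this value."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is not a valid HSTS policy"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} < {ONE_YEAR} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed header values, from the common weak default to preload-ready.
    for v in ("max-age=86400", "max-age=31536000; includeSubDomains",
              "max-age=63072000; includeSubDomains; preload", "includeSubDomains"):
        print(f"{v!r:55} -> {preload_problems(v) or ['preload-ready']}")
```

Note that a browser keeps only the first Strict-Transport-Security header field if a response carries several, and that a rejected (malformed) header does not clear a policy the browser already stored.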

X-Content-Type-Options

The X-Content-Type-Options: nosniff response header tells the browser to trust the MIME type given in the Content-Type response header and not to guess (sniff) the type from the response body. With nosniff, a response fetched as a script is only executed if its Content-Type is a JavaScript MIME type, and a response fetched as a stylesheet is only applied if it is text/css.

This prevents MIME-sniffing and MIME-confusion attacks, for example an uploaded file served as text/plain or image/* being interpreted as HTML or script. Set it on every response, including API and error responses, and make sure the Content-Type you send is actually correct, since the browser will now hold you to it.

Referrer-Policy

The Referrer-Policy response header controls whether, and how much of, the current page's URL is sent in the Referer request header (the header name is historically misspelt) when the page makes requests or the user follows a link. The browser never includes the fragment or embedded credentials, whatever the policy.

  1. Referrer-Policy: no-referrer - Never send the Referer header.

  2. Referrer-Policy: origin - Send only the origin, for example http://www.example.com/, even when the page's full URL is http://www.example.com/secret.php.

  3. Referrer-Policy: same-origin - Send the full URL for same-origin requests; send no Referer at all for cross-origin requests.

  4. Referrer-Policy: strict-origin-when-cross-origin - The default in current browsers when no policy is set. Same-origin requests get the full URL, cross-origin requests get only the origin, and requests that downgrade from HTTPS to HTTP get no Referer.

  5. Referrer-Policy: unsafe-url - Always send the full URL, including to cross-origin destinations and on HTTPS-to-HTTP downgrades. This leaks paths and query strings (session tokens, password-reset links) to third parties.

For all available options visit MDN.
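The function below is an added example, not code from this page; it computes the Referer value a browser sends for a given policy, source page and destination, following the Referrer Policy specification's "determine request's referrer" algorithm. Beyond the five policies listed above it also covers the remaining standard tokens (no-referrer-when-downgrade, strict-origin, origin-when-cross-origin). It assumes a single-token header, treats only http and https pages as able to send a referrer, and approximates "downgrade" as an https page requesting a non-https URL. The sample URLs are constructed.

```python
"""What Referer a browser sends under each Referrer-Policy (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

DEFAULT_POLICY = "strict-origin-when-cross-origin"  # applied when the header is absent


def _strip(url: str, origin_only: bool) -> str:
    """'Strip url for use as a referrer': drop credentials and fragment; with
    origin_only also drop path and query, leaving the serialised origin plus '/'."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1].lower()   # remove user:password@ if present
    if origin_only:
        return urlunsplit((p.scheme.lower(), host, "/", "", ""))
    return urlunsplit((p.scheme.lower(), host, p.path or "/", p.query, ""))


def referer_for(policy: str | None, source_url: str, dest_url: str) -> str | None:
    """Return the Referer header value, or None when nothing is sent."""
    policy = (policy or "").strip().lower()
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    if src.scheme not in ("http", "https"):
        return None            # about:, data:, blob:, file: documents send no referrer
    same_origin = _strip(source_url, True) == _strip(dest_url, True)
    downgrade = src.scheme == "https" and dst.scheme != "https"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(source_url, False)
    if policy == "origin":
        return _strip(source_url, True)
    if policy == "same-origin":
        return _strip(source_url, False) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _strip(source_url, True)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(source_url, False)
    if policy == "origin-when-cross-origin":
        return _strip(source_url, not same_origin)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _strip(source_url, False)
        return None if downgrade else _strip(source_url, True)
    # Empty or unrecognised token: the browser falls back to its default policy.
    return referer_for(DEFAULT_POLICY, source_url, dest_url)


# Constructed source page carrying a secret in its query string and a fragment.
SECRET_PAGE = "https://user:pw@www.example.com/secret.php?token=abc#section"

if __name__ == "__main__":
    for policy in ("no-referrer", "origin", "same-origin", None, "unsafe-url"):
        for dest in ("https://www.example.com/other", "https://evil.example/",
                     "http://evil.example/"):
            print(f"{policy!s:32} -> {dest:32} {referer_for(policy, SECRET_PAGE, dest)}")
```

Running it shows why unsafe-url is dangerous: the token from the query string reaches evil.example over plain HTTP, whereas the default policy sends only https://www.example.com/ cross-origin and nothing at all on the downgrade.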

Permissions-Policy

The Permissions-Policy response header (successor to Feature-Policy) lets a site restrict which browser features, such as geolocation, camera and microphone, may be used by scripts in the document and in the documents it embeds (iframes).

Disabling features the site does not need limits what injected script (XSS) or a compromised third-party iframe can do with them: even if an attacker runs code in the page, a disabled feature cannot be requested.

For example, Permissions-Policy: geolocation=(), camera=(), microphone=() disables geolocation, camera and microphone for the current document and every embedded document. The empty allowlist () means no origin may use the feature; self allows only same-origin documents; a quoted origin such as ("https://call.example") allows that specific third party; * allows everyone. To actually hand a feature to a cross-origin iframe, its origin must be in the header's allowlist and the iframe must also carry a matching allow attribute.

For detailed usage refer MDN.
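The code below is an added example, not code from this page or from any browser: it parses a Permissions-Policy header into per-feature allowlists and answers whether a document of a given origin is in the allowlist for a feature. Two assumptions are made: features not named in the header fall back to a default allowlist of self (true for geolocation, camera and microphone; other features have their own defaults), and the iframe allow attribute, which must additionally delegate a feature to a cross-origin frame, is not modelled. The header values and origins are constructed.

```python
"""Permissions-Policy allowlist parsing and evaluation (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: the default allowlist for features the header does not mention.
# This matches geolocation, camera and microphone; other features differ.
DEFAULT_ALLOWLIST = ["self"]


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_permissions_policy(value: str) -> dict[str, str | list[str]]:
    """Parse e.g. 'geolocation=(), camera=(self), fullscreen=*, payment=("https://pay.example" self)'.

    Returns feature -> "*" (everyone) or a list of allowlist entries, each either
    the token "self" or a normalised origin. Malformed items are dropped, as a
    browser drops them, rather than failing the whole header.
    """
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, eq, allow = item.partition("=")
        name, allow = name.strip().lower(), allow.strip()
        if not eq or not name:
            continue
        if allow == "*":
            policy[name] = "*"
        elif allow.startswith("(") and allow.endswith(")"):
            entries = []
            for tok in allow[1:-1].split():
                if tok == "self":
                    entries.append("self")
                elif tok.startswith('"') and tok.endswith('"'):
                    entries.append(_origin(tok[1:-1]))   # origins must be quoted
                # any other token (e.g. an unquoted origin) is invalid and dropped
            policy[name] = entries
    return policy


def feature_allowed(policy: dict, feature: str, page_origin: str, doc_origin: str) -> bool:
    """Is `feature` in the allowlist for a document at doc_origin, given the header
    was served on the top-level page at page_origin?"""
    allow = policy.get(feature.lower(), DEFAULT_ALLOWLIST)
    if allow == "*":
        return True
    for entry in allow:
        if entry == "self" and doc_origin == page_origin:
            return True
        if entry == doc_origin:
            return True
    return False


if __name__ == "__main__":
    page = "https://app.example"
    pp = parse_permissions_policy(
        'geolocation=(), camera=(self), microphone=("https://call.example" self), fullscreen=*')
    for feature, who in (("geolocation", page), ("camera", page), ("camera", "https://evil.example"),
                         ("microphone", "https://call.example"), ("fullscreen", "https://evil.example")):
        print(f"{feature:12} for {who:22} -> {feature_allowed(pp, feature, page, who)}")
```

The first row is the point of the header: with geolocation=() even the page's own scripts, including any injected by XSS, cannot call navigator.geolocation.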
