Check Your Security Headers

HTTP security headers are a fundamental part of website security

Http headers

x-frame-options Specifies whether browser should show page in an iFrame
x-xss-protection Enables Cross Site Scripting (XSS) filtering
x-content-type-options Disables MIME Sniffing and forces browser to use type shown in Content-Type
x-ua-compatible Compatiability header for old versions of Microsoft Internet Explorer (IE) and Edge
strict-transport-security HSTS informs browser to use HTTPS not HTTP
p3p Privacy Protocol that was not widely adopted
referrer-policy Rules which referrer information sent in the referrer header is incorporated with requests
content-security-policy Controls which resources the client can load for the page
access-control-allow-origin Details whether the response can be shared.
access-control-allow-credentials Header tells browser whether to expose the response to frontend JavaScript
access-control-max-age It indicates how long the results of a preflight request can be cached.
access-control-allow-methods Specifies the method or methods allowed when accessing the resource in response to a preflight request.
access-control-allow-headers Indicate which HTTP headers can be used during the actual request.
access-control-expose-headers Allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin reques
content-encoding Specifies compression type
vary Details how to determine if cache can be used rather than a new response from server
x-powered-by Hosting and Backend Server Frameworks may use this. Can reveal sensitive information (version and software).
www-authenticate Defines the authentication method that should be used to gain access to a resource.
cache-control Details caching options in requests and responses
pragma Related to caching, may be implemented in different ways.
age Time in seconds resource has been in proxy cache
connection Controls network connection
cookie-security A small piece of data that a server sends to the users web browser.
expect-ct Reporting and enforcement of Certificate Transparency. Prevents the use of mis-issued certificates for the site. When enabled the Expect-CT header requests that Chrome checks certificates for the site appear in public CT logs.
timing-allow-origin specifies origins that are allowed to see values of attributes retrieved via features of the Resource Timing API, which would otherwise be reported as zero due to cross-origin restrictions.
custom-headers Custom HTTP headers are commonly meant to provide additional information that may be pertinent to a web developer, or for troubleshooting purposes.
x-dns-prefetch-control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.
x-download-options Specific to IE8. Stops downloads opening directly in browser.
x-permitted-cross-domain-policies The X-Permitted-Cross-Domain-Policies header tells clients like Flash and Acrobat what cross-domain policies they can use.
report-to Header used for adding troubleshooting information
feature-policy provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.
permissions-policy The Permissions-Policy HTTP header replaces the existing Feature-Policy header for controlling delegation of permissions and powerful features.
clear-site-data The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website.
content-type Denotes the type of media
cross-origin-resource-policy The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.
nel An option for developers to set network error reporting.
cross-origin-embedder-policy The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
cross-origin-opener-policy The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
x-robots-tag Allows you to choose content search engines can crawl on the site

What are HTTP Security Headers?

HTTP security headers are directives issued by a web server to a browser, guiding how the browser should handle a website’s content. These headers serve as a vital security layer, helping to safeguard websites and their users against threats like clickjacking, cross-site scripting (XSS), cross-site request forgery (CSRF), and other cyberattacks.

Beyond security, HTTP headers also allow you to manage cross-origin resource sharing (CORS), regulate MIME types, and enforce content security policies, ensuring a more secure and controlled browsing experience.

Why OWASP Recommendation Secure Headers Matter?

OWASP is a globally respected organization committed to enhancing web security. Their OWASP Secure Headers Project outlines industry best practices for securing web applications. Implementing OWASP-recommended HTTP security headers helps protect users, strengthen your website’s defenses, and reinforce a secure online environment.

OWASP recommends the following HTTP response headers:

  • Strict-Transport-Security (HSTS)
  • X-Frame-Options
  • X-Content-Type-Options
  • Content-Security-Policy (CSP)
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Clear-Site-Data
  • Cross-Origin-Embedder-Policy (COEP)
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy (CORP)
  • Cache-Control

By accessing and using our application and website

Our tool was designed to help you download videos and images uploaded by your own account. We reserve the right to refuse to provide our service if you use our tools to infringe upon others’ privacy and material.

Please read these terms of service (Terms of Service or ToS) carefully before accessing our application and website. Read our full Terms of Service here. Key highlights are set out below for your quick information:

  1. TSO is a self-developed and independent application/website of Technical Support Office team. 
  2. WE ARE NOT AFFILIATED WITH INSTAGRAM OR META.
  3. TSO respects trademark rights and complies with trademark laws and regulations. Our trademark TSO™ is created by TSO and should be used only for and in relation to our Services, TSO App and Web. It should be read as a seamless word without reference to any individual or entity other than TSO.
  4. We accept advertisements (Ads) on our website and application to maintain and support our own research and development for non-commercial purposes. Ads appearing on our website and application may be delivered to Users by advertising partners who may set cookies. You may dismiss the use of the cookies or cease access to our application and website at any time as you are not required to accept the Ads.

By accessing and using our application and website, you signify your acceptance of our policy and ToS, including the updated versions. If you do not agree with any content, please do not use our application and website.

 

LET'S WORK TOGETHER

we love to listen to your requirements

If you have a design project you would like us to quote, please send us a message outlining your ideas. If we are able to take on your project, we will be in touch with details and any additional questions we may have in order to provide an accurate quote for your project.

Contact us
Facebook Twitter Youtube

Frequently asked questions

They enhance the security of web applications by mitigating common vulnerabilities such as cross-site scripting (XSS), clickjacking, and content sniffing. Properly configured headers ensure that browsers interpret and display content as intended, reducing the risk of exploitation.

Common headers include:

  • Content-Security-Policy (CSP): Controls resources the user agent is allowed to load for a given page.
  • Strict-Transport-Security (HSTS): Enforces secure (HTTPS) connections to the server.
  • X-Content-Type-Options: Prevents browsers from interpreting files as a different MIME type.
  • X-Frame-Options: Protects against clickjacking by controlling whether a page can be framed.
  • X-XSS-Protection: Enables cross-site scripting filtering.
  • Referrer-Policy: Controls how much referrer information is included with requests.

CSP specifies which content sources are trusted, thereby preventing the browser from loading malicious assets like scripts, styles, or media from untrusted origins. This significantly reduces the risk of XSS attacks.

HSTS instructs browsers to interact with the server only over HTTPS, even if users attempt to access the site via HTTP. This ensures encrypted communication and protects against protocol downgrade attacks.

You can use our tools to scan your website and receive a report on the security headers in place

No, they complement other security practices such as secure coding, regular updates, and vulnerability assessments. While they add an essential layer of defense, relying solely on headers is insufficient for comprehensive security.

Yes, if misconfigured, they can restrict legitimate content or functionalities. It's crucial to test changes in a development environment before deploying them live to ensure they don't interfere with user experience.

Regularly, especially after significant website changes or updates. As new threats emerge, periodically reviewing and adjusting your security headers ensures ongoing protection against evolving vulnerabilities.

Resources like the Articles provide comprehensive guidelines on setting up security headers effectively.

BECOME OUR PARTNER

Thank you for your interest in becoming a SerSart partner.

Become a Partner

Our Best-Selling Products

Shopping Cart