NginX

Active

add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
add_header Cache-Control "no-cache, max-age=120" always;

Deprecated

add_header X-XSS-Protection "0" always; (recommended)
add_header X-XSS-Protection "1; mode=block" always;

Apache

Active

Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "sameorigin"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set Cache-Control "no-cache, max-age=120"

Deprecated

Header always set X-XSS-Protection "0" (recommended)
Header always set X-XSS-Protection "1; mode=block"

IIS

Active

Content-Security-Policy: "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'"
Strict-Transport-Security: "max-age=31536000; includeSubDomains"
Referrer-Policy: "strict-origin-when-cross-origin"
X-Content-Type-Options: "nosniff"
X-Frame-Options: "sameorigin"
Cache-Control: "no-cache, max-age=120"

Deprecated

X-XSS-Protection: "0" (recommended)
X-XSS-Protection: "1; mode=block"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

headers.md

headers.md

NginX

Active

Deprecated

Apache

Active

Deprecated

IIS

Active

Deprecated

Files

headers.md

Latest commit

History

headers.md

File metadata and controls

NginX

Active

Deprecated

Apache

Active

Deprecated

IIS

Active

Deprecated