René's URL Explorer Experiment


Title: Security headers quick reference  |  Articles  |  web.dev

Open Graph Title: Security headers quick reference  |  Articles  |  web.dev

Description: This article lists the most important security headers you can use to protect your website. Use it to understand web-based security features, learn how to implement them on your website, and as a reference for when you need a reminder.

Open Graph Description: This article lists the most important security headers you can use to protect your website. Use it to understand web-based security features, learn how to implement them on your website, and as a reference for when you need a reminder.

Opengraph URL: https://web.dev/articles/security-headers

direct link

Domain: web.dev


Hey, it has json ld scripts:
  {
    "@context": "https://schema.org",
    "@type": "Article",
    "dateModified": "2021-05-18",
    "headline": "Security headers quick reference"
  }
  {
    "@context": "https://schema.org",
    "@type": "BreadcrumbList",
    "itemListElement": [{
      "@type": "ListItem",
      "position": 1,
      "name": "Articles",
      "item": "https://web.dev/articles"
    },{
      "@type": "ListItem",
      "position": 2,
      "name": "Security headers quick reference",
      "item": "https://web.dev/articles/security-headers"
    }]
  }
  

google-signin-client-id157101835696-ooapojlodmuabs2do2vuhhnf90bccmoi.apps.googleusercontent.com
google-signin-scopeprofile email https://www.googleapis.com/auth/developerprofiles https://www.googleapis.com/auth/developerprofiles.award https://www.googleapis.com/auth/devprofiles.full_control.firstparty
og:site_nameweb.dev
og:typewebsite
theme-color#3740ff
NoneIE=Edge
og:localeen

Links:

Skip to main content https://web.dev/security-headers/#main-content
https://web.dev/
Resources https://web.dev/explore/ai
HTML https://web.dev/html
CSS https://web.dev/css
JavaScript https://web.dev/javascript
Performance https://web.dev/performance
Accessibility https://web.dev/accessibility
Identity https://web.dev/identity
Learn HTML https://web.dev/learn/html
Learn CSS https://web.dev/learn/css
Learn JavaScript https://web.dev/learn/javascript
Learn AI https://web.dev/learn/ai
Learn Performance https://web.dev/learn/performance
Learn Accessibility https://web.dev/learn/accessibility
More courses https://web.dev/learn
AI and the web https://web.dev/explore/ai
Explore https://web.dev/explore
PageSpeed Insights https://pagespeed.web.dev/
Patterns https://web.dev/patterns
Podcasts & shows https://web.dev/shows
Developer Newsletter https://web.dev/newsletter
About web.dev https://web.dev/about
Discover https://web.dev/discover
Baseline https://web.dev/baseline
How to use Baseline https://web.dev/how-to-use-baseline
Blog https://web.dev/blog
Case Studies https://web.dev/case-studies
Articles https://web.dev/articles
AI and the web https://web.dev/explore/ai
Fast load times https://web.dev/explore/fast
Learn Core Web Vitals https://web.dev/explore/learn-core-web-vitals
Identity https://web.dev/identity
Progressive Web Apps https://web.dev/explore/progressive-web-apps
Payments https://web.dev/explore/payments
Notifications https://web.dev/explore/notifications
How to optimize INP https://web.dev/explore/how-to-optimize-inp
Network reliability https://web.dev/explore/reliable
React https://web.dev/explore/react
Animations https://web.dev/explore/animations
Mini apps https://web.dev/explore/mini-apps
Media https://web.dev/explore/media
Safe and secure https://web.dev/explore/secure
WebAssembly https://web.dev/explore/webassembly
Devices https://web.dev/explore/devices
Easily discoverable https://web.dev/explore/discoverable
Test automation https://web.dev/explore/test-automation
Angular https://web.dev/explore/angular
https://web.dev/
Resources https://web.dev/explore/ai
AI and the web https://web.dev/explore/ai
Fast load times https://web.dev/explore/fast
Learn Core Web Vitals https://web.dev/explore/learn-core-web-vitals
Identity https://web.dev/identity
Progressive Web Apps https://web.dev/explore/progressive-web-apps
Payments https://web.dev/explore/payments
Notifications https://web.dev/explore/notifications
How to optimize INP https://web.dev/explore/how-to-optimize-inp
Network reliability https://web.dev/explore/reliable
React https://web.dev/explore/react
Animations https://web.dev/explore/animations
Mini apps https://web.dev/explore/mini-apps
Media https://web.dev/explore/media
Safe and secure https://web.dev/explore/secure
WebAssembly https://web.dev/explore/webassembly
Devices https://web.dev/explore/devices
Easily discoverable https://web.dev/explore/discoverable
Test automation https://web.dev/explore/test-automation
Angular https://web.dev/explore/angular
Discover https://web.dev/discover
Baseline https://web.dev/baseline
How to use Baseline https://web.dev/how-to-use-baseline
Blog https://web.dev/blog
Case Studies https://web.dev/case-studies
Security should not be so scary!https://web.dev/articles/security-not-scary
What are security attacks?https://web.dev/articles/security-attacks
Understanding "same-site" and "same-origin"https://web.dev/articles/same-site-same-origin
Security headers quick referencehttps://web.dev/articles/security-headers
Why HTTPS mattershttps://web.dev/articles/why-https-matters
Enabling HTTPS on your servershttps://web.dev/articles/enable-https
What is mixed content?https://web.dev/articles/what-is-mixed-content
Fixing mixed contenthttps://web.dev/articles/fixing-mixed-content
When to use HTTPS for local developmenthttps://web.dev/articles/when-to-use-local-https
How to use HTTPS for local developmenthttps://web.dev/articles/how-to-use-local-https
Browser sandboxhttps://web.dev/articles/browser-sandbox
Same-origin policyhttps://web.dev/articles/same-origin-policy
Cross-Origin Resource Sharing (CORS)https://web.dev/articles/cross-origin-resource-sharing
Making your website "cross-origin isolated" using COOP and COEPhttps://web.dev/articles/coop-coep
Why you need "cross-origin isolated" for powerful featureshttps://web.dev/articles/why-coop-coep
Protect your resources from web attacks with Fetch Metadatahttps://web.dev/articles/fetch-metadata
Prevent DOM-based cross-site scripting vulnerabilities with Trusted Typeshttps://web.dev/articles/trusted-types
Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)https://web.dev/articles/strict-csp
Securely hosting user data in modern web applicationshttps://web.dev/articles/securely-hosting-user-data
Understanding cookieshttps://web.dev/articles/understanding-cookies
SameSite cookies explainedhttps://web.dev/articles/samesite-cookies-explained
SameSite cookie recipeshttps://web.dev/articles/samesite-cookie-recipes
First-party cookie recipeshttps://web.dev/articles/first-party-cookie-recipes
Referer and Referrer-Policy best practiceshttps://web.dev/articles/referrer-best-practices
User-agent client hintshttps://developer.chrome.com/docs/privacy-security/user-agent-client-hints
Schemeful Same-Sitehttps://web.dev/articles/schemeful-samesite
Reporting APIhttps://developer.chrome.com/docs/capabilities/web-apis/reporting-api
Migrate to Reporting API v1https://developer.chrome.com/blog/reporting-api-migration
Network Error Logging (NEL)https://web.dev/articles/network-error-logging
Help, I think I've been hackedhttps://web.dev/articles/hacked
How do I know if my site was hacked?https://web.dev/articles/how-do-i-know-if-my-site-was-hacked
Top ways sites get hacked by spammershttps://web.dev/articles/top-ways-sites-get-hacked-by-spammers
Build a support teamhttps://web.dev/articles/build-a-support-team
Quarantine your sitehttps://web.dev/articles/quarantine-your-site
Use Search Consolehttps://web.dev/articles/use-search-console
Assess spam damagehttps://web.dev/articles/assess-spam-damage
Fix the Japanese Keyword hackhttps://web.dev/articles/fix-the-japanese-keyword-hack
Fix the gibberish hackhttps://web.dev/articles/fix-the-gibberish-hack
Fix the cloaked keywords and links hackhttps://web.dev/articles/fix-the-cloaked-keywords-hack
Hacked with malwarehttps://web.dev/articles/hacked-with-malware
Identify the vulnerabilityhttps://web.dev/articles/identify-the-vulnerability
Clean and maintain your sitehttps://web.dev/articles/clean-and-maintain-your-site
Request a reviewhttps://web.dev/articles/request-a-review
Glossary for hacked siteshttps://web.dev/articles/glossary-for-hacked-sites
FAQ for hacked siteshttps://web.dev/articles/faq-for-hacked-sites
HTML https://web.dev/html
CSS https://web.dev/css
JavaScript https://web.dev/javascript
Performance https://web.dev/performance
Accessibility https://web.dev/accessibility
Identity https://web.dev/identity
Learn HTML https://web.dev/learn/html
Learn CSS https://web.dev/learn/css
Learn JavaScript https://web.dev/learn/javascript
Learn AI https://web.dev/learn/ai
Learn Performance https://web.dev/learn/performance
Learn Accessibility https://web.dev/learn/accessibility
More courses https://web.dev/learn
AI and the web https://web.dev/explore/ai
Explore https://web.dev/explore
PageSpeed Insights https://pagespeed.web.dev/
Patterns https://web.dev/patterns
Podcasts & shows https://web.dev/shows
Developer Newsletter https://web.dev/newsletter
About web.dev https://web.dev/about
Home https://web.dev/
Articles https://web.dev/articles
Resources https://web.dev/explore/ai
Safe and secure https://web.dev/explore/secure
X https://twitter.com/agektmr
GitHub https://github.com/agektmr
Mastodon https://infosec.exchange/@agektmr
Bluesky https://bsky.app/profile/agektmr.com
X https://twitter.com/arturjanc
GitHub https://github.com/arturjanc
GitHub https://github.com/maudnals
LinkedIn https://www.linkedin.com/in/maudnalpas
Bluesky https://bsky.app/profile/maudnals.bsky.social
Content Security Policy (CSP)https://web.dev/security-headers/#csp
Trusted Typeshttps://web.dev/security-headers/#tt
X-Content-Type-Optionshttps://web.dev/security-headers/#xcto
X-Frame-Optionshttps://web.dev/security-headers/#xfo
Cross-Origin Resource Policy (CORP)https://web.dev/security-headers/#corp
Cross-Origin Opener Policy (COOP)https://web.dev/security-headers/#coop
HTTP Strict Transport Security (HSTS)https://web.dev/security-headers/#hsts
Cross-Origin Resource Sharing (CORS)https://web.dev/security-headers/#cors
Cross-Origin Embedder Policy (COEP)https://web.dev/security-headers/#coep
cross-site scriptinghttps://portswigger.net/web-security/cross-site-scripting
reflected XSShttps://portswigger.net/web-security/cross-site-scripting/reflected
stored XSShttps://portswigger.net/web-security/cross-site-scripting/stored
DOM-based XSShttps://portswigger.net/web-security/cross-site-scripting/dom-based
web originhttps://web.dev/articles/same-site-same-origin#origin
dangerous JavaScript APIshttps://domgo.at/cxss/sinks
Content Security Policy (CSP)https://web.dev/security-headers/##csp
Trusted Typeshttps://web.dev/security-headers/##tt
X-Content-Type-Optionshttps://web.dev/security-headers/##xcto
clickjackinghttps://portswigger.net/web-security/clickjacking
cross-site request forgeryhttps://portswigger.net/web-security/csrf
cross-site script inclusionhttps://www.scip.ch/en/?labs.20160414
cross-site leakshttps://xsleaks.dev
X-Frame-Optionshttps://web.dev/security-headers/##xfo
Cross-Origin Resource Policy (CORP)https://web.dev/security-headers/##corp
Cross-Origin Opener Policy (COOP)https://web.dev/security-headers/##coop
Cross-Origin Resource Sharing (CORS)https://web.dev/security-headers/##cors
Post-Spectre Web Developmenthttps://www.w3.org/TR/post-spectre-webdev/
Spectrehttps://ieeexplore.ieee.org/document/8835233
browsing context grouphttps://web.dev/articles/why-coop-coep
same-origin policyhttps://web.dev/articles/same-origin-policy
cross-origin isolationhttps://web.dev/articles/coop-coep
Cross-Origin Embedder Policy (COEP)https://web.dev/security-headers/##coep
COOPhttps://web.dev/security-headers/##coop
mixed contenthttps://web.dev/articles/what-is-mixed-content
Secure attributehttps://developer.mozilla.org/docs/Web/HTTP/Cookies#restrict_access_to_cookies
__Secure prefixhttps://developer.mozilla.org/docs/Web/HTTP/Cookies#Cookie_prefixes
lax CORS validation logichttps://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/
HTTP Strict Transport Security (HSTS)https://web.dev/security-headers/##hsts
Cross-Site Scripting (XSS)https://www.google.com/about/appsecurity/learning/xss/
a hash-based CSPhttps://web.dev/security-headers/#step_1_decide_if_you_need_a_nonce-_or_hash-based_csp
Google Photoshttps://photos.google.com/
most browsers don't support hashing external scriptshttps://wpt.fyi/results/content-security-policy/script-src/script-src-sri_hash.sub.html?label=master&label=experimental&aligned
Option B: Hash-based CSP Response Headerhttps://web.dev/articles/strict-csp#step_1_decide_if_you_need_a_nonce-_or_hash-based_csp
CSP Evaluatorhttps://csp-evaluator.withgoogle.com/
Add fallbacks to support Safari and older browsershttps://web.dev/articles/strict-csp#step_4_optional_add_fallbacks_to_support_old_browser_versions
frame-ancestorshttps://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
X-Frame-Optionshttps://web.dev/security-headers/##xfo
a CSP to ensure that all of your site's resources are loaded over HTTPShttps://web.dev/articles/fixing-mixed-content#content_security_policy
mixed-contenthttps://web.dev/articles/what-is-mixed-content
report-only modehttps://web.dev/articles/strict-csp#step_2_set_a_strict_csp_and_prepare_your_scripts
this may changehttps://github.com/w3c/webappsec-csp/issues/277
Mitigate XSS with a Strict Content Security Policy (CSP)https://web.dev/articles/strict-csp
Content Security Policy Cheat Sheethttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
DOM-based XSShttps://portswigger.net/web-security/cross-site-scripting/dom-based
CSPhttps://web.dev/security-headers/#csp
Prevent DOM-based cross-site scripting vulnerabilities with Trusted Typeshttps://web.dev/articles/trusted-types
CSP: require-trusted-types-for - HTTP | MDNhttps://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
CSP: trusted-types - HTTP | MDNhttps://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
Trusted Types demohttps://www.compass-demo.com/trusted-types/
cross-site scripting bughttps://www.google.com/about/appsecurity/learning/xss/
MIME typehttps://mimesniff.spec.whatwg.org/#introduction
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
X-Content-Type-Options - HTTP MDNhttps://developer.mozilla.org/docs/Web/HTTP/Headers/X-Content-Type-Options
clickjackinghttps://portswigger.net/web-security/clickjacking
Spectre-type attackshttps://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
CSPhttps://web.dev/security-headers/##csp
frame-ancestorshttps://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
this demohttps://cross-origin-isolation.glitch.me/
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/X-Frame-Options
X-Frame-Options - HTTPhttps://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options
cross-site leakshttps://xsleaks.dev/
Cross-Origin-Embedder-Policy: require-corp environmenthttps://web.dev/security-headers/##coep
this demohttps://cross-origin-isolation.glitch.me/?coep=require-corp&
CORShttps://web.dev/security-headers/##cors
Understanding "same-site" and "same-origin"https://web.dev/articles/same-site-same-origin
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Cross-Origin-Resource-Policy
Consider deploying cross-origin resource policyhttps://resourcepolicy.fyi/
Making your website "cross-origin isolated" using COOP and COEPhttps://web.dev/articles/coop-coep
Why you need "cross-origin isolated" for powerful featureshttps://web.dev/articles/why-coop-coep
cross-site leakshttps://xsleaks.dev/
Spectrehttps://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
this demohttps://cross-origin-isolation.glitch.me/
COOPhttps://web.dev/security-headers/##coop
COEPhttps://web.dev/security-headers/##coep
Making your website "cross-origin isolated" using COOP and COEPhttps://web.dev/articles/coop-coep
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
Why you need "cross-origin isolated" for powerful featureshttps://web.dev/articles/why-coop-coep
the same-origin policyhttps://web.dev/articles/same-origin-policy
Cross-Origin Resource Sharing (CORS) - HTTP | MDNhttps://developer.mozilla.org/docs/Web/HTTP/CORS#simple_requests
without credentialshttps://developer.mozilla.org/docs/Web/API/Request/credentials#value
Cross-Origin-Embedder-Policy: require-corp environmenthttps://web.dev/security-headers/##coep
this demohttps://cross-origin-isolation.glitch.me/?coep=require-corp&
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin
Cross-Origin Resource Sharing (CORS)https://web.dev/articles/cross-origin-resource-sharing
Cross-Origin Resource Sharing (CORS) - HTTP | MDNhttps://developer.mozilla.org/docs/Web/HTTP/CORS
Spectre-based attackshttps://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
CORShttps://web.dev/security-headers/#cors
CORPhttps://web.dev/security-headers/#corp
cross-origin isolationhttps://web.dev/articles/cross-origin-isolation-guide
cross-origin isolationhttps://web.dev/articles/coop-coep
CORShttps://web.dev/security-headers/##cors
CORPhttps://web.dev/security-headers/##corp
this demohttps://cross-origin-isolation.glitch.me/
the reporting endpoint demohttps://reporting-endpoint.glitch.me/
cross-origin isolationhttps://web.dev/articles/coop-coep
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
Making your website "cross-origin isolated" using COOP and COEPhttps://web.dev/articles/coop-coep
Why you need "cross-origin isolated" for powerful featureshttps://web.dev/articles/why-coop-coep
A guide to enable cross-origin isolationhttps://web.dev/articles/cross-origin-isolation-guide
Sourcehttps://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security
Strict-Transport-Security - HTTPhttps://developer.mozilla.org/docs/Web/HTTP/Headers/Strict-Transport-Security
Post-Spectre Web Developmenthttps://www.w3.org/TR/post-spectre-webdev/
Previous arrow_back Understanding "same-site" and "same-origin" https://web.dev/articles/same-site-same-origin
Creative Commons Attribution 4.0 Licensehttps://creativecommons.org/licenses/by/4.0/
Apache 2.0 Licensehttps://www.apache.org/licenses/LICENSE-2.0
Google Developers Site Policieshttps://developers.google.com/site-policies
File a bug https://issuetracker.google.com/issues/new?component=1400680&template=1857359
See open issues https://issuetracker.google.com/issues?q=status:open%20componentid:1400680&s=created_time:desc
Chrome for Developers https://developer.chrome.com/
Chromium updates https://blog.chromium.org/
Case studies https://web.dev/case-studies
Podcasts & shows https://web.dev/shows
@ChromiumDev on X https://twitter.com/ChromiumDev
YouTube https://www.youtube.com/user/ChromeDevelopers
Chrome for Developers on LinkedIn https://www.linkedin.com/showcase/chrome-for-developers
RSS https://web.dev/static/blog/feed.xml
Terms https://policies.google.com/terms
Privacy https://policies.google.com/privacy
Manage cookies https://web.dev/security-headers/

Viewport: width=device-width, initial-scale=1


URLs of crawlers that visited me.