Blog Post

Security related HTTP Headers, Part 1: Introduction

Response to each request made to the server from the client side (browser) returns the content and the special block with HTTP response headers containing various information about the content.

These headers are sent for any content: HTML page, image, AJAX response, CSS or JS files. And, these headers include information about the type of the content, size, expiration and cache related information and much more. Each header element is key/value pair. And, you can add your own headers with all kinds of information. In recent years, most important change with HTTP headers, are new headers with the goal of improving website security and protect both client and server side for malicious activity.

List of security headers

Currently, there are 7 security headers you can use (and that doesn’t mean that you need or should use all of them):

  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security
  • X-XSS-Protection
  • Public-Key-Pins
  • Referrer-Policy
  • Content-Security-Policy

This article will focus on first 5 headers, and the last two will get own articles next week.

X-Frame-Options

This is a very useful header that will prevent loading of your website inside the IFRAME, or to control in which cases that might be allowed. This prevents the clickjacking attacks. This form of attack depends on wrapping a website inside the IFRAME filling the screen, but the code in the IFRAME hijacks the user actions and can use them to run malicious code, get user information…

This header has 3 possible values:

  • DENY: the website will not allow loading in the IFRAME.
  • SAMEORIGIN: the website will allow loading in IFRAME, only if the IFRAME is part of the same website, so you can use IFRAMES on your website to load some other page from your website.
  • ALLOW-FROM {url} {url}…: include the list of URLs for websites that are allowed to load your website in IFRAME.

Most commonly used option is SAMEORGIN.

Example for adding the Header

For Nginx, add directive into server config. For Apache, you can add it to main server config, or into .htaccess.

// nginx
add_header X-Frame-Options "SAMEORIGIN" always;

// apache
Header always set X-Frame-Options "SAMEORIGIN"

X-Content-Type-Options

This is a simple header to configure, and it has only one valid value. This header prevents browser to do MIME sniffing of the content type other than it was declared by the server. This prevents ‘drive-by’ downloads and problems with the content uploaded by users trying to exploit smart name to hide executable files.

Example for adding the Header

For Nginx, add directive into server config. For Apache, you can add it to main server config, or into .htaccess.

// nginx
add_header X-Content-Type-Options "nosniff" always;

// apache
Header always set X-Content-Type-Options "nosniff"

Strict-Transport-Security

This header must be used only for HTTPS based websites because it will instruct the browser to always connect to your website over HTTPS, even if the user attempts to load your website URL with HTTP. This header sets maximum age for enforcing secure connection for your website. You can read more on this header here: Scott Helme: The missing link in Transport Layer Security

Example for adding the Header

For Nginx, add directive into server config. For Apache, you can add it to main server config, or into .htaccess.

// nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

// apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

X-XSS-Protection

This is another header easy to setup, and very useful to enable built in protection some browsers have for XSS attacks (Cross-site scripting – method for injecting malicious scripts into the loaded web page).

Example for adding the Header

For Nginx, add directive into server config. For Apache, you can add it to main server config, or into .htaccess.

// nginx
add_header X-Xss-Protection "1; mode=block" always;

// apache
Header always set X-Xss-Protection "1; mode=block"

Public-Key-Pins

This is a very complicated header to configure, it is very rarely used, and in the recent months this header has fallen from grace and it showed some very big issues and even methods for attack based on it. I will not go into too many details, but the idea of this header is to use your SSL certificate keys to generate the header that will whitelist identities browser should trust when visiting your website.

Generating these key pins requires server access to run commands that will get the keys based on your certificates and it can be very hard thing to do for most website owners. And, this HTTP header has two very huge issues: revocation of the public key pins (in case your private key is compromised, attackers can use them to generate own keys) is not possible and RansomPKP attack that can happen if your domain gets’s hijacked. More on this you can find here: Scott Helme: I’m giving up on HPKP.

I don’t recommend using this header, and there is no way to give the example of use.

Are these headers really effective?

Short answer: yes. All these headers depend on the browser used. If the browser supports these headers, then all is OK. If not, then your website and your users might still be vulnerable to some forms of attacks. But, the good news is that all modern browsers, both desktop and mobile, support all these headers (Safari and IE might not be up to standards all the way). If users use old browsers, then they are responsible for putting themselves in the risk of malicious attacks that might target old browsers.

Coming up next…

Next week you can expect 2 more articles focusing on the last two headers.

All these security headers (with the exception of problematic Public-Key-Pins) can be easily configured and applied using Dev4Press own plugin GD Security Toolbox Pro without the need for any custom coding.
Please wait...
Great managed hosting experience, fast and secure with amazing support.
Siteground Hosting

PHP 7.0 to 8.1, free Let's Encrypt SSL certificates, cache and optimizations for WordPress. Choose between great shared WordPress hosting plans (starting from 3.95 €/month), high performance cloud hosting (starting from 64.00 €/month)...

Disclosure: This post contains affiliate links, which means that I receive compensation if you make a purchase using this link.
GD Security Toolbox Pro
Proactive protection and security hardening

A collection of many security related tools for .htaccess hardening with security events log, ReCaptcha, firewall, and tweaks collection, login and registration control and more.

About the author

Milan Petrovic
Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

Subscribe to Dev4Press Newsletter

Get the latest announcements, release digests, promotions and exclusive discounts, and general Dev4Press-related news straight into your mailbox.


This form collects your email (optionally your name) for the purpose of sending you newsletters. Check out our Privacy Policy for more information on how we store and manage your data. We will not send you any spam. Newsletters are sent 2 to 4 times every month.

Leave a Comment

WP Rocket - Make WordPress Load Fast in a Few Clicks
GeneratePress - The perfect lightweight theme for your next project