List of useful HTTP headers

This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration (Apache, IIS, nginx), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

Check Your Headers
Visit Check Your Headers to view and evaluate any website's security headers. http://cyh.herokuapp.com/cyh

For Chrome, the Recx Security Analyser extension checks a number of security relevant headers and gives a nice report on the findings. Recx Security Analyser

Real life examples
Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

Facebook
As of January 2013 Facebook main page was setting these security related HTTP headers.

Strict-Transport-Security: max-age=60 X-Content-Type-Options: nosniff X-Frame-Options: DENY X-WebKit-CSP: default-src *; script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net; style-src * 'unsafe-inline'; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net; X-XSS-Protection: 1; mode=block

Especially interesting is Facebook's use of Content Security Policy (using Google Chrome syntax), whose implementation can be challenging for large sites with heavy usage of JavaScript.

As of July 2014, the following headers were set:

strict-transport-security: max-age=7776000 x-content-type-options: nosniff x-frame-options: DENY '''content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com; ''' x-xss-protection:0
 * .google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net
 * .atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com

Google+
As of January 2013 Google+ main page was setting these security related HTTP headers:

x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block

Twitter
As of May 2013 Twitter main page was setting these security related HTTP headers:

strict-transport-security: max-age=631138519 x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block

As of July 2014 we can see the implementation of CSP added: ''' content-security-policy-report-only: default-src https:; connect-src https:; font-src https: data:; frame-src https: http://*.twimg.com http://itunes.apple.com about: javascript:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' about: https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVQWGBBBFVZXO2LAAA%3D%3D%3D%3D%3D%3D&ro=true; '''

As of February 2016 we see a wide variety of security headers in play.

HTTP/2.0 200 OK Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com 'nonce-PfW2vyB3Oopip9AMkcOLpw==' https://analytics.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://media4.giphy.com https://media0.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://media.giphy.com https://media3.giphy.com https://upload.twitter.com https://media2.giphy.com https://media1.giphy.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://twitter.com https://*.twimg.com https://media4.giphy.com data: https://media0.giphy.com https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://media.giphy.com https://stats.g.doubleclick.net https://media3.giphy.com https://www.google-analytics.com blob: https://media2.giphy.com https://media1.giphy.com 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false; Content-Type: text/html;charset=utf-8 Expires: Tue, 31 Mar 1981 05:00:00 GMT Pragma: no-cache Set-Cookie: _twitter_sess=BAh7...(lots more here)...3a3; Path=/; Domain=.twitter.com; Secure; HTTPOnly strict-transport-security: max-age=631138519 x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block