OWASP Secure Headers Project

Jump to: navigation, search

Incubator banner.jpg

OWASP Secure Headers Project

OWASP Secure Headers Project involves setting headers from the server is easy and often doesn't require any code changes. Once set, they can restrict modern browsers from running into easily preventable vulnerabilities. OWASP Secure Headers Project intends to raise awareness and use of these headers.


HTTP headers are well known and also despised. Seeking the balance between usability and security developers implement functionality through the headers that can make your more versatile or secure application. But in practice how the headers are being implemented? What sites follow the best implementation practices? Big companies, small, all or none?


We aim to publish reports on header usage stats, developments and changes. Code libraries that make these headers easily accessible to developers on a range of platforms. Data sets concerning the general usage of these headers.


OWASP Secure Headers is free to use. It is licensed under the Apache 2.0 license.

What is the OWASP Secure Headers Project?

OWASP Secure Headers Project provides:

  • Security best practices for HTTP headers
  • Security tools for HTTP headers

Project Leader

Ricardo Iramar

Related Projects

Quick Links

Email List

Project Email List

News and Events

  • [14 Dec 2015] Reborning from the ashes


New projects.png Owasp-builders-small.png
Project Type Files CODE.jpg

A list of headers related to security and how to implement them properly.


X-Frame-Options response header improve the protection of web applications against Clickjacking. It declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames of other web pages.


Value Description
deny No rendering within a frame.
sameorigin No rendering if origin mismatch.
allow-from: DOMAIN Allow rendering if framed by frame loaded from DOMAIN.

Best Practices

  • Apache
Add this line below into your site's configuration to configure Apache to send X-Frame-Options header for all pages.
Header always append X-Frame-Options DENY
  • nginx
  • IIS

A list of tools that can help you to achieve the on of the goals of this project.


A security scanner for HTTP response headers.

Github: https://github.com/riramar/hsecscan


There are services out there that will analyse the HTTP response headers of other sites but I also wanted to add a rating system to the results. The HTTP response headers that this site analayses provide huge levels of protection and it's important that sites deploy them. Hopefully, by providing an easy mechanism to assess them, and further information on how to deploy missing headers, we can drive up the usage of security based headers across the web.

Site: https://securityheaders.io


When a site deploys a Content Security Policy or HTTP Public Key Pinning, the browser will enforce the security policies declared by the site. This is great as it offers visitors more protection but the only problem is, the host doesn't know that there's a problem. The browser will block malicious content, such as an XSS attack, but the host wouldn't know anything about it and as such, can't resolve the problem. This is the problem that report-uri.io fixes. With your own unique reporting endpoint the browser can send a violation report to us and you can monitor exactly what is happening on your site. You can see what security policies are being triggered, where and why.

Site: https://report-uri.io


secure_headers is a library for ruby with a global config, per request overrides, and rack milddleware that enables you customize your application settings.

Github: https://github.com/twitter/secureheaders

Security Header Injection Module (SHIM)

SHIM is a HTTP module that provides protection for many vulnerabilities by injecting security-specific HTTP headers into ASP.NET web applications.

Site: https://shim.codeplex.com

What is HTTP header?
HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.
Is there a standard for HTTP headers?
A core set of fields is standardized by the Internet Engineering Task Force (IETF) in RFCs 7230, 7231, 7232, 7233, 7234, and 7235. The permanent registry of header fields and repository of provisional registrations are maintained by the IANA. Additional field names and permissible values may be defined by each application. Non-standard header fields were conventionally marked by prefixing the field name with X- but this convention was deprecated in June 2012 because of the inconveniences it caused when non-standard fields became standard. An earlier restriction on use of Downgraded- was lifted in March 2013.


OWASP Secure Headers Project is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Ricardo Iramar
  • Jim Manico

2016 Priorities

OWASP Secure Headers Project intends to raise awareness and usage of headers sent by the server that can increase security. We'll aim to bring this about by:

  • Producing open source, easily implemented, well documented code libraries that enable these headers for a variety of platforms. We'll prioritize creating and publicizing Node.JS, PHP, Ruby, and Java, but will eventually reach out towards edge cases like Go, Python and others. The key is to make this accessible as possible to developers.
  • Creating secure best practices implementations including how to set properly secure headers on the most common platforms (eg. Apache, NGINX, IIS, etc.).
  • Improve constantly hsecscan tool to detect bad practices and provide link to the best practices above.
  • Perform public to scan websites using hsecscan and view stats regarding these headers. Automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites.
  • Consistent reports regarding this secure headers, their usage, any changes to existing headers.

Involvement in the development and promotion of OWASP Secure Headers Project is actively encouraged! You do not have to be a security expert in order to contribute. If you want to help send an email to ricardo.iramar@gmail.com.