4. X-Frame-Options
The x-frame-options header provides clickjacking protection by not allowing your pages to be loaded inside frames or iframes on other sites. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Here is an example of what the header looks like:
x-frame-options: SAMEORIGIN
Enable in Nginx
add_header x-frame-options "SAMEORIGIN" always;
Enable in Apache
header always set x-frame-options "SAMEORIGIN"
5. Expect-CT
The expect-ct header prevents misused certificates from being accepted by allowing websites to report and optionally enforce Certificate Transparency requirements. When this header is enabled the website is requesting that the browser verify whether or not the certificate appears in the public CT logs. Here is an example of what the header looks like:
expect-ct: max-age=604800, enforce, report-uri="https://www.example.com/report"
Enable in Nginx
add_header expect-ct 'max-age=604800, enforce, report-uri="https://www.example.com/report"' always;
Enable in Apache
header always set expect-ct "max-age=604800, enforce, report-uri=\"https://www.example.com/report\""
6. X-Content-Type-Options
The x-content-type-options header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared content-type. This helps reduce the danger of drive-by downloads and ensures the browser handles the content as the declared type. Here is an example of what the header looks like:
x-content-type-options: nosniff
Enable in Nginx
add_header x-content-type-options "nosniff" always;
Enable in Apache
header always set x-content-type-options "nosniff"
7. Feature-Policy
The feature-policy header grants the ability to allow or deny browser features, whether in the page's own frame or in content within an inline frame element (<iframe>). Here is an example of what the header looks like:
feature-policy: autoplay 'none'; camera 'none'
Enable in Nginx
add_header feature-policy "autoplay 'none'; camera 'none'" always;
Enable in Apache
header always set feature-policy "autoplay 'none'; camera 'none'"
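After adding these directives to Nginx or Apache, it is worth checking what the server actually sends. The following script is an added example and not part of the original article: it parses a raw HTTP response (the sample below is constructed) and reports which of the four headers from sections 4 to 7 are missing or carry an unexpected value, including a check that Expect-CT has a numeric max-age and an https report-uri.

```python
"""Audit a response for X-Frame-Options, Expect-CT, X-Content-Type-Options and Feature-Policy.

Added example, not code from the original article. SAMPLE_RESPONSE is a
constructed response; a real check would read the headers returned by your own site.
"""


def parse_directives(value):
    """Split 'max-age=604800, enforce, report-uri="..."' into a dict (quotes stripped)."""
    out = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        out[name.strip().lower()] = val.strip().strip("\"'")
    return out


def expect_ct_ok(value):
    """Require a numeric max-age; if report-uri is present it must be an https URL."""
    d = parse_directives(value)
    if not d.get("max-age", "").isdigit():
        return False
    return "report-uri" not in d or d["report-uri"].startswith("https://")


# Accepted values for each header; names are compared case-insensitively.
# ALLOW-FROM for X-Frame-Options is obsolete and ignored by current browsers, so it fails.
CHECKS = {
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "expect-ct": expect_ct_ok,
    "feature-policy": lambda v: bool(v.strip()),
}


def parse_headers(raw):
    """Turn a raw response (status line followed by header lines) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    return headers


def audit(raw):
    """Return the header names that are absent and those present with a rejected value."""
    headers = parse_headers(raw)
    missing = [n for n in CHECKS if n not in headers]
    bad = [n for n, ok in CHECKS.items() if n in headers and not ok(headers[n])]
    return {"missing": missing, "misconfigured": bad}


SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOW-FROM https://partner.example
X-Content-Type-Options: nosniff
Feature-Policy: autoplay 'none'; camera 'none'
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))  # {'missing': ['expect-ct'], 'misconfigured': ['x-frame-options']}
```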