HTTP Security Headers Cheatsheet

Quick reference for HTTP security headers covering CSP, transport security, framing protection, content-type, referrer policy, permissions, CORS, and deprecated headers

Related Categories:SecurityWeb

49 commands

default-src

Set default policy for all resource types

Content-Security-Policy: default-src 'self'

script-src

Restrict JavaScript loading sources

Content-Security-Policy: script-src 'self' 'nonce-abc123'

style-src

Restrict CSS stylesheet loading sources

Content-Security-Policy: style-src 'self' 'unsafe-inline'

img-src

Restrict image loading sources

Content-Security-Policy: img-src 'self' data: https:

connect-src

Restrict XHR/Fetch/WebSocket connection targets

Content-Security-Policy: connect-src 'self' https://api.example.com

font-src

Restrict web font loading sources

Content-Security-Policy: font-src 'self' https://fonts.gstatic.com

frame-src

Restrict sources that can be embedded in iframes

Content-Security-Policy: frame-src 'self' https://www.youtube.com

object-src

Restrict plugin (Flash, etc.) sources

Content-Security-Policy: object-src 'none'

base-uri

Restrict URLs that can be used in base element

Content-Security-Policy: base-uri 'self'

form-action

Restrict form submission target URLs

Content-Security-Policy: form-action 'self'

report-uri / report-to

Set CSP violation report destination

Content-Security-Policy: default-src 'self'; report-to csp-reports

CSP nonce

Allow inline scripts with nonce-based approach

<script nonce="abc123">...</script>

CSP hash

Allow inline scripts with hash-based approach

script-src 'sha256-base64encodedHash...'

strict-dynamic

Allow scripts loaded by trusted scripts

script-src 'strict-dynamic' 'nonce-abc123'

CSP Report-Only

Report CSP violations without blocking

Content-Security-Policy-Report-Only: default-src 'self'

Strict-Transport-Security

Force HTTPS connection in browsers

Strict-Transport-Security: max-age=31536000; includeSubDomains

HSTS preload

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

HSTS includeSubDomains

Apply HSTS to subdomains as well

Strict-Transport-Security: max-age=31536000; includeSubDomains

HTTPSリダイレクト (Nginx)

Redirect HTTP to HTTPS in Nginx

return 301 https://$host$request_uri;

HTTPSリダイレクト (Apache)

Redirect HTTP to HTTPS in Apache

RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

X-Frame-Options: DENY

Completely prevent page embedding in iframes

X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

Allow iframe embedding only from same origin

X-Frame-Options: SAMEORIGIN

CSP frame-ancestors

Successor to X-Frame-Options. More flexible frame control

Content-Security-Policy: frame-ancestors 'self' https://trusted.com

Nginx X-Frame-Options

Set X-Frame-Options header in Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

X-Content-Type-Options

Prevent MIME type sniffing

X-Content-Type-Options: nosniff

正しいContent-Type設定

Set accurate Content-Type on responses

Content-Type: application/json; charset=utf-8

X-Download-Options

Prevent IE from auto-executing downloads

X-Download-Options: noopen

no-referrer

Never send referrer information

Referrer-Policy: no-referrer

same-origin

Send referrer only for same-origin requests

Referrer-Policy: same-origin

strict-origin-when-cross-origin

Recommended. Send only origin for cross-origin requests

Referrer-Policy: strict-origin-when-cross-origin

no-referrer-when-downgrade

No referrer when downgrading from HTTPS to HTTP

Referrer-Policy: no-referrer-when-downgrade

origin

Send only the origin as referrer

Referrer-Policy: origin

camera

Control access to camera

Permissions-Policy: camera=(self)

microphone

Control access to microphone

Permissions-Policy: microphone=()

geolocation

Control access to geolocation

Permissions-Policy: geolocation=(self)

payment

Control usage of Payment Request API

Permissions-Policy: payment=(self)

fullscreen

Control usage of Fullscreen API

Permissions-Policy: fullscreen=(self)

autoplay

Control media autoplay

Permissions-Policy: autoplay=(self)

interest-cohort

Disable FLoC (ad tracking)

Permissions-Policy: interest-cohort=()

Access-Control-Allow-Origin

Specify allowed origins

Access-Control-Allow-Origin: https://example.com

Access-Control-Allow-Methods

Specify allowed HTTP methods

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Access-Control-Allow-Headers

Specify allowed request headers

Access-Control-Allow-Headers: Content-Type, Authorization

Access-Control-Allow-Credentials

Allow requests with credentials

Access-Control-Allow-Credentials: true

Access-Control-Max-Age

Specify preflight response cache duration

Access-Control-Max-Age: 86400

Access-Control-Expose-Headers

Specify response headers exposed to client

Access-Control-Expose-Headers: X-Request-Id

X-XSS-Protection (非推奨)

Control browser XSS filter. Replaced by CSP

X-XSS-Protection: 0

Public-Key-Pins (非推奨)

Certificate pinning. Replaced by Certificate Transparency

# 使用しないこと / Do not use

Expect-CT (非推奨)

Require Certificate Transparency. Browsers handle by default

# TLS 1.3では不要 / Not needed for TLS 1.3

X-Permitted-Cross-Domain-Policies (非推奨)

Control Flash/Acrobat cross-domain policy. Unnecessary after plugin deprecation

X-Permitted-Cross-Domain-Policies: none