Installation checklist: Security headers

The following headers should always be configured on any web server deployment:

| Header | Value | Description |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Tells browsers to use HTTPS directly instead of relying on the HTTP-to-HTTPS redirect |
| X-XSS-Protection | 1;mode=block | Prevents some cross-site scripting attacks |
| X-Content-Type-Options | nosniff | Do not second-guess (sniff) the Content-Type header |

The following headers can usually be configured on a web server:

| Header | Value | Condition | Alternative value |
|---|---|---|---|
| X-Frame-Options | sameorigin | Unless another host will frame the site | allow-from https://example.com/ |
| Referrer-Policy | same-origin | Unless another host needs referrer information from your site | no-referrer-when-downgrade |
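As an added example (not part of the original checklist or any project's code), the following Python function checks a set of response headers against the values listed above, including the two accepted alternatives, and reports every deviation; the sample headers are constructed, and a real check would feed it the headers returned by your own server.

```python
# Checks HTTP response headers against the security-header checklist above.
# Added example; SAMPLE_HEADERS is a constructed response, not a real server's.

# Minimum max-age from the checklist (one year in seconds).
HSTS_MIN_AGE = 31536000


def _directives(value):
    """Split 'max-age=31536000; includeSubDomains' into {'max-age': '31536000', 'includesubdomains': ''}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            out[name.strip().lower()] = arg.strip()
    return out


def check_security_headers(headers):
    """Return a list of findings; an empty list means every checklist item is satisfied.

    `headers` maps response header names to values; names are matched case-insensitively.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = _directives(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1;mode=block'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    xfo = h.get("x-frame-options", "").lower()
    if xfo != "sameorigin" and not xfo.startswith("allow-from "):
        findings.append("X-Frame-Options should be 'sameorigin' (or allow-from <host>)")

    rp = h.get("referrer-policy", "").lower()
    if rp not in ("same-origin", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy should be 'same-origin' (or no-referrer-when-downgrade)")
    return findings


# Constructed sample: a response that only partly follows the checklist.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print("-", finding)
```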