Installation checklist: Security headers
(Not Related to a Specific Release)
The following headers should always be configured on any web server deployment:
| Header | Value | Description |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Tells browsers to connect over HTTPS directly, bypassing the HTTP-to-HTTPS redirect |
| X-XSS-Protection | 1; mode=block | Prevents some cross-site scripting attacks |
| X-Content-Type-Options | nosniff | Do not second-guess the Content-Type header (no MIME sniffing) |
The following headers can usually be configured on a web server:
| Header | Value | Condition | Alternative value |
|---|---|---|---|
| X-Frame-Options | sameorigin | Unless another host will frame the site | allow-from https://example.com/ |
| Referrer-Policy | same-origin | Unless another host needs referrer information from your site | no-referrer-when-downgrade |
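The checklist above is easiest to keep honest with an automated check run against a deployment's responses. The following is an added example, not code from the original page or the project it belongs to: it takes a dict of response headers (as returned by any HTTP client) and reports which entries of the two tables are missing or set to something other than the listed value or its accepted alternative. The `parse_hsts` helper and the two sample header sets are constructed here for illustration.

```python
"""Check an HTTP response's headers against the security-header checklist.

Added example (not part of the original checklist page). The header names and
values come from the checklist; the checker logic and the sample responses
below are constructed for this example.
"""
import re


# Hypothetical helper: split a Strict-Transport-Security value into its
# max-age (seconds) and the set of directive flags such as includeSubDomains.
def parse_hsts(value):
    max_age = None
    flags = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.match(r"(?i)max-age\s*=\s*(\d+)$", part)
        if m:
            max_age = int(m.group(1))
        else:
            flags.add(part.lower())
    return max_age, flags


def check_security_headers(headers):
    """Return a list of findings; an empty list means the checklist passes.

    `headers` maps response header name -> value. Names are matched
    case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # --- Headers that should always be configured ---
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < 31536000:
            findings.append("Strict-Transport-Security max-age below 31536000 (one year)")
        if "includesubdomains" not in flags:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif re.sub(r"\s", "", xss).lower() != "1;mode=block":
        findings.append("X-XSS-Protection should be '1; mode=block'")

    cto = h.get("x-content-type-options")
    if cto is None:
        findings.append("X-Content-Type-Options missing")
    elif cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    # --- Headers that can usually be configured (alternative values accepted) ---
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif not (xfo.lower() == "sameorigin" or xfo.lower().startswith("allow-from https://")):
        findings.append("X-Frame-Options should be 'sameorigin' (or 'allow-from https://<host>/')")

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp.lower() not in ("same-origin", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy should be 'same-origin' (or 'no-referrer-when-downgrade')")

    return findings


# Constructed sample responses (not captured from any real server).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Referrer-Policy": "same-origin",
    "Content-Type": "text/html; charset=utf-8",
}

WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",  # too short, no includeSubDomains
    "x-content-type-options": "nosniff",
    "x-frame-options": "ALLOW-FROM https://example.com/",  # accepted alternative
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        result = check_security_headers(hdrs)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Feed it the header dict from a real response (for example `requests.get(url).headers`) to get a pass/fail list per header. The HSTS check treats a `max-age` shorter than the listed year as a finding rather than only an exact-match failure, since a short max-age still leaves a window for the redirect to be abused. Note that current browsers have removed the XSS filter that `X-XSS-Protection` controls; the value is checked here only because the checklist lists it.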