Security Headers

Good configurations are safe by default, allow flexibility, and warn against mistakes.

Allow users to configure these in a guided manner, i.e. not just as free-text custom headers, but as named options with sensible defaults and data validation.

Measurements

A+ https://securityheaders.io/?q=securityheaders.io&followRedirects=on

F https://securityheaders.io/?q=http2.live&followRedirects=on

Headers to Implement

  • Strict-Transport-Security (HSTS) #29 (closed)
  • Content-Security-Policy
  • Public-Key-Pins
  • X-Frame-Options
  • X-Xss-Protection
  • X-Content-Type-Options
  • Referrer-Policy
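A configuration layer of the kind described above, as an added example that is not the project's own code: named options with safe defaults, validated before the headers are emitted, so a mistake (such as a preload flag on a short HSTS max-age, or a `;` smuggled into a CSP source) is rejected instead of shipped. Option names and defaults are assumptions; Public-Key-Pins is left out because its pin values are site-specific.

```javascript
// Added example, not the project's own code: emit the headers listed above from
// named options with safe defaults and validation; option names are assumptions.
const FRAME_OPTIONS = new Set(['DENY', 'SAMEORIGIN']);
const REFERRER_POLICIES = new Set(['no-referrer', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'unsafe-url']);
const ONE_YEAR = 31536000;
// Safe by default: each header is emitted unless the caller sets its option to false.
const DEFAULTS = {
  hsts: { maxAge: ONE_YEAR, includeSubDomains: true, preload: false },
  csp: { 'default-src': ["'self'"], 'frame-ancestors': ["'none'"] },
  frameOptions: 'DENY',
  xssProtection: true,
  noSniff: true,
  referrerPolicy: 'strict-origin-when-cross-origin',
};

function securityHeaders(options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const headers = {};
  if (opts.hsts) {
    const { maxAge, includeSubDomains, preload } = { ...DEFAULTS.hsts, ...opts.hsts };
    if (!Number.isInteger(maxAge) || maxAge < 0) throw new TypeError('hsts.maxAge must be a non-negative integer');
    // Warn against a mistake: preload submission requires a one-year max-age and subdomains.
    if (preload && (maxAge < ONE_YEAR || !includeSubDomains)) throw new RangeError('hsts.preload needs maxAge >= 31536000 and includeSubDomains');
    headers['strict-transport-security'] = `max-age=${maxAge}`
      + (includeSubDomains ? '; includeSubDomains' : '') + (preload ? '; preload' : '');
  }
  if (opts.csp) {
    headers['content-security-policy'] = Object.entries(opts.csp).map(([name, srcs]) => {
      // Directive names are plain tokens; sources must not carry ';' or CR/LF (header injection).
      if (!/^[a-z-]+$/.test(name) || !Array.isArray(srcs) || srcs.some((s) => /[;\r\n]/.test(s))) {
        throw new TypeError(`invalid CSP directive: ${name}`);
      }
      return `${name} ${srcs.join(' ')}`;
    }).join('; ');
  }
  if (opts.frameOptions) {
    if (!FRAME_OPTIONS.has(opts.frameOptions)) throw new RangeError('frameOptions must be DENY or SAMEORIGIN');
    headers['x-frame-options'] = opts.frameOptions;
  }
  if (opts.xssProtection) headers['x-xss-protection'] = '1; mode=block';
  if (opts.noSniff) headers['x-content-type-options'] = 'nosniff';
  if (opts.referrerPolicy) {
    if (!REFERRER_POLICIES.has(opts.referrerPolicy)) throw new RangeError(`unknown referrerPolicy: ${opts.referrerPolicy}`);
    headers['referrer-policy'] = opts.referrerPolicy;
  }
  return headers;
}
```

Calling `securityHeaders()` with no arguments yields the full default set; passing `{ hsts: false }` or `{ csp: false }` drops that one header, and invalid values throw before any response is built.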
Edited by Sebastiaan Deckers