Modern web browsers support several additional client-side protection mechanisms that can be activated using HTTP response headers. The tables below describe the related requirements and recommendations for external Web UIs and services in production:
...
| Response Header | General Requirement | For Web UI? | For APIs? |
|---|---|---|---|
| Content-Type | | Yes | Yes |
| Strict-Transport-Security[1] | | Yes (if HTTPS) | Yes |
| X-XSS-Protection[2] | | Yes | No |
| X-Frame-Options | | Yes | No |
| Referrer-Policy | | Yes | No |
| X-Content-Type-Options[3] | | Yes | No |
Headers that must be set within the Web application:
| Response Header | General Requirement | For Web UI? | For APIs? |
|---|---|---|---|
| Set-Cookie | | Yes, when confidential data is transferred in cookies | Yes, when confidential data is transferred in cookies |
| Cache-Control | | Whenever confidential data is transmitted. | Whenever confidential data is transmitted. |
| Pragma | | | |
| Expires | | | |
| Content-Security-Policy[4] | | General recommendation for all new Web UIs. Not required for APIs. | No (but does no harm if yes) |
| Content-Security-Policy[4] (cont.) | | Recommendation for new Web UIs that have to use inline script blocks (e.g. if integrated by a JS framework). Do not use this setting if you do not have to, since it disables CSP protection for older browsers! | No |
| Content-Disposition | | Web UIs from which users can download potentially untrusted files. | No |
| X-Download-Options | | | No |
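As an added example (not part of the original page), a small Python checker that evaluates a response's header list against the Web UI and API columns of the two tables above. The expected header values and the Secure/HttpOnly cookie flags it tests for are assumptions, since the General Requirement column is not reproduced here.

```python
from typing import List, Tuple

BROWSER_HEADERS = [  # (header, required for Web UI?, required for API?) from the first table
    ("Content-Type", True, True), ("Strict-Transport-Security", True, True),
    ("X-XSS-Protection", True, False), ("X-Frame-Options", True, False),
    ("Referrer-Policy", True, False), ("X-Content-Type-Options", True, False),
]
# Assumption: the page does not list values; these are the commonly used ones.
EXPECTED_VALUES = {"x-content-type-options": {"nosniff"},
                   "x-frame-options": {"deny", "sameorigin"}}

def check_headers(headers: List[Tuple[str, str]], web_ui: bool,
                  https: bool = True, confidential: bool = False) -> List[str]:
    """Return findings for a response; an empty list means it meets the table."""
    present, cookies = {}, []
    for name, value in headers:  # Set-Cookie may repeat, so headers is a list of pairs
        key = name.strip().lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            present[key] = value.strip()
    findings = []
    for name, for_ui, for_api in BROWSER_HEADERS:
        required = for_ui if web_ui else for_api
        if name == "Strict-Transport-Security" and web_ui and not https:
            required = False  # table: Web UI needs HSTS only when served via HTTPS
        key = name.lower()
        if required and key not in present:
            findings.append(f"missing {name}")
        elif key in present and key in EXPECTED_VALUES and \
                present[key].lower() not in EXPECTED_VALUES[key]:
            findings.append(f"unexpected {name} value: {present[key]!r}")
    if confidential:  # second table: cookies and caching when confidential data flows
        for cookie in cookies:
            attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
            if not {"secure", "httponly"} <= attrs:  # assumption: both flags expected
                findings.append(f"cookie lacks Secure/HttpOnly: {cookie.split('=')[0]}")
        if "no-store" not in present.get("cache-control", "").lower():
            findings.append("Cache-Control must forbid caching of confidential data")
    return findings

# Constructed sample: a Web UI response whose session cookie lacks both flags.
SAMPLE_UI_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"), ("Strict-Transport-Security", "max-age=31536000"),
    ("X-XSS-Protection", "1; mode=block"), ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "no-referrer"), ("X-Content-Type-Options", "nosniff"),
    ("Cache-Control", "no-store"), ("Set-Cookie", "session=abc123; Path=/"),
]
```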
...