...

| Response Header | General Requirement | For Web UI? | For APIs? |
|---|---|---|---|
| Content-Type | ...; charset=utf-8 | Yes | Yes |
| Strict-Transport-Security[1] | max-age=10886400; includeSubDomains; preload | Yes (if HTTPS) | Yes |
| X-XSS-Protection[2] | 1; mode=block | Yes | No |
| X-Frame-Options | SAMEORIGIN | Yes | No |
| Referrer-Policy | same-origin | Yes | No |
| X-Content-Type-Options[3] | nosniff | Yes | No |

Headers that must be set within the Web application:

| Response Header | General Requirement | For Web UI? | For APIs? |
|---|---|---|---|
| Set-Cookie | … ;httpOnly; secure; SameSite | Yes, when confidential data is transferred in cookies | Yes, when confidential data is transferred in cookies |
| Cache-Control | no-cache, no-store | Whenever confidential data is transmitted. | Whenever confidential data is transmitted. |
| Pragma | no-cache | Whenever confidential data is transmitted. | Whenever confidential data is transmitted. |
| Expires | -1 | Whenever confidential data is transmitted. | Whenever confidential data is transmitted. |
| Content-Security-Policy[4] | object-src 'none'; script-src 'self' [URL1] [URL2]; style-src 'self' 'unsafe-inline'; object-src 'self'; base-uri 'none'; | General recommendation for all new Web UIs. Not required for APIs. | No (but does no harm if yes) |
| Content-Security-Policy[4] | object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'none'; report-uri https://your-report-collector.example.com/ | Recommendation for new Web UIs that have to use inline script blocks (e.g. if integrated by a JS framework). Do not use this setting if you do not have to, since it disables CSP protection for older browsers! | No |
| Content-Disposition | attachment; filename=<filename> | Web UIs at which users can download files that are potentially untrusted. | No |
| X-Download-Options | noopen | Web UIs at which users can download files that are potentially untrusted. | No |
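
As an added example (not from the original page), the following Python checker encodes the two tables above as checks over one captured response: pass the response headers as a dict, `kind="ui"` or `kind="api"` to select the column that applies, and `confidential=True` to enable the caching checks. Its CSP parser keeps the first occurrence of a duplicated directive, as browsers do, so in the first CSP value above `object-src 'none'` is what takes effect; the sample response at the bottom is constructed, not a real capture.

```python
import re

HSTS_MIN_AGE = 10886400  # max-age from the table (about 126 days)

def csp_directives(value):
    """Parse a CSP header into {directive: [sources]}; the first occurrence of a directive wins, as in browsers."""
    parts = [p.split() for p in reversed(value.split(";")) if p.split()]
    return {p[0].lower(): p[1:] for p in parts}

def check_security_headers(headers, kind="ui", confidential=False):
    """Return findings for one response; an empty list means it matches the table."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "charset=utf-8" not in h.get("content-type", "").lower():
        findings.append("Content-Type: missing charset=utf-8")
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < HSTS_MIN_AGE or "includesubdomains" not in hsts:
        findings.append("Strict-Transport-Security: need max-age>=%d; includeSubDomains" % HSTS_MIN_AGE)
    if kind == "ui":  # the table requires these for Web UIs only, not for APIs
        expected = {"x-content-type-options": "nosniff", "x-frame-options": "sameorigin",
                    "referrer-policy": "same-origin", "x-xss-protection": "1; mode=block"}
        for name, want in expected.items():
            if h.get(name, "").lower() != want:
                findings.append("%s: expected %r" % (name, want))
        csp = csp_directives(h.get("content-security-policy", ""))
        for directive in ("object-src", "base-uri"):
            if csp.get(directive) != ["'none'"]:
                findings.append("Content-Security-Policy: %s 'none' missing" % directive)
    cookies = h.get("set-cookie", [])  # a str for one cookie, or a list of Set-Cookie values
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure", "samesite"):
            if flag not in attrs:
                findings.append("Set-Cookie %s: %s missing" % (cookie.split("=")[0], flag))
    if confidential:  # caching controls apply whenever confidential data is transmitted
        cc = h.get("cache-control", "").lower()
        if "no-cache" not in cc or "no-store" not in cc:
            findings.append("Cache-Control: need no-cache, no-store")
        if h.get("pragma", "").lower() != "no-cache" or h.get("expires", "") != "-1":
            findings.append("Pragma: no-cache / Expires: -1 missing")
    return findings

# Constructed sample (not a real capture): a Web UI response that satisfies the table.
SAMPLE_UI = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN",
             "Strict-Transport-Security": "max-age=10886400; includeSubDomains; preload",
             "X-XSS-Protection": "1; mode=block", "Referrer-Policy": "same-origin",
             "X-Content-Type-Options": "nosniff", "Pragma": "no-cache", "Expires": "-1",
             "Content-Security-Policy": "object-src 'none'; script-src 'self'; base-uri 'none';",
             "Set-Cookie": "session=abc123; HttpOnly; Secure; SameSite=Strict", "Cache-Control": "no-cache, no-store"}
```

Running `check_security_headers(SAMPLE_UI, confidential=True)` returns an empty list; dropping a cookie flag or the `base-uri` directive produces one finding per missing item.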

...