HTTP Header Security Best Practices
Configure security headers including CSP, HSTS, X-Frame-Options, and permissions policy for web applications.
HTTP Security Headers
Security headers tell browsers how to handle your content and let you switch off whole classes of attacks on the client side. A well-configured set mitigates cross-site scripting (CSP), clickjacking (frame-ancestors and X-Frame-Options), MIME sniffing (X-Content-Type-Options) and protocol downgrade (HSTS). They are defence in depth: CSP limits what an injected script can do, it does not remove the injection, so output encoding and input validation still matter.
Content-Security-Policy (CSP)
CSP declares which sources may load scripts, styles, images and other resources. Start restrictive, for example default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline', and add sources only as the application demands them. The 'unsafe-inline' exception for styles is a common compromise while inline styles are being removed; it still lets injected CSS run, so drop it when you can. Never grant 'unsafe-inline' to scripts: use nonces (a fresh random value per response, sent in the header as 'nonce-...' and repeated in each <script nonce="..."> tag) or hashes (the base64 SHA-256 of the exact inline script text, sent as 'sha256-...'). Add object-src 'none' and base-uri 'self' as well, since plugin content and an injected <base href> are well-known ways around an otherwise strict policy. Most of CSP's XSS value comes from refusing inline scripts and inline event handlers: an injected <script> tag or onerror= attribute simply does not run.
Strict-Transport-Security (HSTS)
HSTS tells the browser to use HTTPS for every future request to your domain for the lifetime of max-age, and to refuse connections with certificate errors instead of offering a click-through. Set Strict-Transport-Security: max-age=31536000; includeSubDomains; preload and send it only on HTTPS responses; browsers ignore the header on plain HTTP. One year (31536000 seconds) is the standard max-age. includeSubDomains extends the policy to every subdomain, so check first that each of them can actually serve HTTPS, or they become unreachable. The preload directive does not submit anything by itself: it records your consent to be included in the preload list that browsers ship with, which you request at hstspreload.org (the list requires all three parts of the header above). Once preloaded, the domain is HTTPS-only from the very first visit, and removal takes months to propagate, so treat preloading as permanent.
X-Content-Type-Options
X-Content-Type-Options: nosniff tells the browser to trust the declared Content-Type instead of guessing the type from the bytes. Without it, a user-uploaded file served as text/plain or as an image that actually contains HTML or JavaScript can be rendered and executed in your origin. With it, a <script src> is only executed if the response carries a JavaScript MIME type and a stylesheet only if it is text/css, which also makes content-sniffing upload attacks far harder. Send it on every response, including API replies, error pages and downloads, not just HTML.
X-Frame-Options and frame-ancestors
X-Frame-Options: DENY stops your pages from being embedded in any frame, which blocks clickjacking; SAMEORIGIN allows framing by your own origin only. The ALLOW-FROM value was never widely supported and should not be relied on. The modern replacement is the CSP frame-ancestors directive: frame-ancestors 'self' permits framing only by your own origin, frame-ancestors 'none' is the equivalent of DENY, and a list of origins is possible where a partner legitimately needs to embed you. Browsers that support frame-ancestors ignore X-Frame-Options when both are present, so sending both is safe and keeps older clients covered.
Permissions-Policy
Permissions-Policy (formerly Feature-Policy) controls which browser features your pages and the frames they embed may use: camera, microphone, geolocation, payment, fullscreen and so on. Set Permissions-Policy: camera=(), microphone=(), geolocation=() to disable features you do not need; the empty allowlist () denies the feature to the document and every frame inside it, so a script injected into your site or a compromised third-party iframe cannot turn the camera on. Use camera=(self) to allow a feature for your own origin only.
Verification
Use a browser-based security header checker, or simply curl -I against the live site, to confirm which headers are actually sent, and check more than the home page: error pages, redirects, API responses and downloads often come from a different code path and miss the headers. Restrictive headers, CSP above all, can break functionality, so deploy a new policy as Content-Security-Policy-Report-Only first, point report-uri or report-to at an endpoint you monitor, watch for violations triggered by legitimate pages, and switch to the enforcing header only once the reports are quiet. Report-only mode does not evaluate frame-ancestors, so test framing restrictions with the enforcing header in a staging environment.
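The checks a header checker performs for the HSTS, X-Content-Type-Options, X-Frame-Options, Permissions-Policy and CSP sections above, as an added example written for this page (not code from the original article or any particular checker). It parses a response header set as Node's http module exposes it (lowercase names) and returns findings; the weak and hardened header sets at the bottom are constructed samples, not captured from a real site.

```javascript
// Added example (not from the original article): audit a response header set
// against the recommendations on this page. Node built-ins only; the header
// values at the bottom are constructed samples.
const ONE_YEAR = 31536000;

// "directive v1 v2; directive v3" -> Map(directive -> [values]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// "max-age=N; includeSubDomains; preload" -> { maxAge, includeSubDomains, preload }.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v = ''] = part.trim().split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'max-age') out.maxAge = Number(v);
    else if (key === 'includesubdomains') out.includeSubDomains = true;
    else if (key === 'preload') out.preload = true;
  }
  return out;
}

// headers: object keyed by lowercase header name (the shape of Node's
// IncomingMessage.headers). Returns a list of findings; empty means the set
// passes these checks.
function auditHeaders(headers) {
  const findings = [];
  const nonceOrHash = /^'(nonce-|sha(256|384|512)-)/;

  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d.get('script-src') || d.get('default-src') || []; // script-src falls back to default-src
    // CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
    // so it is only a real weakness when neither is there.
    if (scriptSrc.includes("'unsafe-inline'") && !scriptSrc.some((s) => nonceOrHash.test(s))) {
      findings.push("CSP: 'unsafe-inline' in script-src without a nonce or hash");
    }
    if (!d.has('object-src') && !d.has('default-src')) {
      findings.push('CSP: no object-src and no default-src fallback');
    }
    if (!d.has('frame-ancestors') && !headers['x-frame-options']) {
      findings.push('Clickjacking: neither frame-ancestors nor X-Frame-Options set');
    }
  }

  const hstsRaw = headers['strict-transport-security'];
  if (!hstsRaw) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const hsts = parseHsts(hstsRaw);
    if (!(hsts.maxAge >= ONE_YEAR)) {
      findings.push(`HSTS: max-age ${hsts.maxAge} is below one year (${ONE_YEAR})`);
    }
    if (hsts.preload && (!hsts.includeSubDomains || hsts.maxAge < ONE_YEAR)) {
      findings.push('HSTS: preload requires includeSubDomains and max-age >= one year');
    }
  }

  const xcto = headers['x-content-type-options'];
  if (!xcto || xcto.trim().toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing');
  }

  const xfo = headers['x-frame-options'];
  if (xfo && !['DENY', 'SAMEORIGIN'].includes(xfo.trim().toUpperCase())) {
    findings.push(`X-Frame-Options: unsupported value "${xfo}" (use DENY or SAMEORIGIN)`);
  }

  if (!headers['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}

// Constructed samples: a typical weak deployment and its hardened counterpart.
const WEAK_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  'strict-transport-security': 'max-age=86400',
  'x-frame-options': 'ALLOW-FROM https://partner.example',
};

const HARDENED_HEADERS = {
  'content-security-policy':
    "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; " +
    "base-uri 'self'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=31536000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};
```

Running auditHeaders(WEAK_HEADERS) yields five findings (the inline-script allowance, the one-day HSTS max-age, the missing nosniff, the unsupported ALLOW-FROM value and the missing Permissions-Policy), while auditHeaders(HARDENED_HEADERS) returns an empty list. To audit a live response, feed it the headers object from an http.get callback and apply the same checks to every route, not only the landing page.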