Reference guides to HTTP security headers — what each one does, its syntax, and how to check it.
What the Permissions-Policy header does, how it disables browser features like camera and geolocation to shrink attack surface, and how …
What the Referrer-Policy header does, its values (no-referrer, strict-origin-when-cross-origin, and more), how it prevents URL leaks, and how to check …
What the X-Content-Type-Options: nosniff header does, how it stops MIME sniffing and drive-by execution of uploads, and how to check …
What the X-Frame-Options header does, DENY vs SAMEORIGIN, how it stops clickjacking, how it compares to CSP frame-ancestors, and how …
What the HTTP Strict-Transport-Security (HSTS) header does, its max-age/includeSubDomains/preload directives, the preload list, and how to check it.
What the Content-Security-Policy (CSP) header does, how its directives allowlist sources to stop XSS, an example policy, and how to …
Secably automatically scans for the vulnerabilities covered in these guides.
Start Free Scan