LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you configure secure HTTP response headers to prevent common attacks?

Set security headers on every response — a handful of one-line HTTP headers that form the browser-side first line of defence against XSS, clickjacking, protocol downgrade, and data leaks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cache-Control: no-store
Header Prevents Impact of missing
HSTS Protocol downgrade, cookie hijacking Users can be redirected to HTTP
CSP XSS, data injection Injected scripts can execute freely
X-Content-Type-Options MIME-type sniffing Browser may execute uploaded files as scripts
X-Frame-Options Clickjacking Site can be embedded in malicious iframe
Referrer-Policy URL leakage to third parties Sensitive URL parameters exposed
Permissions-Policy Unwanted API access Embedded content can access camera, mic
Cache-Control: no-store Cached sensitive data Sensitive responses stored on disk

See: OWASP Secure Headers Project | securityheaders.com — scan your site's headers

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 14, 2026