What are "security headers"?

I see this under Transform Rules:

Add security headers
Adds several security-related HTTP response headers providing cross-site scripting (XSS) protection.

This is pretty vague; can anyone offer more insight on what this actually does and whether I should enable it?

Any downsides to enabling it? If not, why isn’t it enabled by default?

If you run this scan, it’ll give you a good rundown on what it all means:

Comparing a site with and a site without it enabled, the only difference was:

[X-Content-Type-Options] stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".

So I guess it doesn’t hurt to enable that, and there doesn’t appear to be anything else that I should do beyond enabling it.

I’m still missing Strict-Transport-Security, Content-Security-Policy, and Permissions-Policy, so I guess they need work beyond this option :frowning:
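To make the "with and without" comparison above concrete, here is an added example (not code from the thread or from any vendor) that audits a response's header set the way a scanner does: it reports each security header as present and sane, present but weak, or missing, and it shows what a rule that only adds X-Content-Type-Options leaves untouched. The header sets at the bottom are constructed for the example; the threshold for a "strong enough" HSTS max-age and the list of accepted Referrer-Policy values are this example's own choices.

```python
"""Audit security-related HTTP response headers (added example, not from the thread)."""
import re

MIN_HSTS_AGE = 15552000  # 180 days; assumption for this example, not a standard value

ACCEPTED_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                     "strict-origin-when-cross-origin"}


def _check_nosniff(value):
    return None if value.strip().lower() == "nosniff" else "only valid value is 'nosniff'"


def _check_hsts(value):
    # Strict-Transport-Security must carry a max-age directive; a tiny one is near-useless.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return "missing max-age directive"
    if int(m.group(1)) < MIN_HSTS_AGE:
        return f"max-age {m.group(1)} below {MIN_HSTS_AGE} seconds"
    return None


def _check_csp(value):
    # Parse "directive source source; directive ..." into a dict of directive -> sources.
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives and "script-src" not in directives:
        return "no default-src or script-src directive"
    script_sources = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        return "script sources allow 'unsafe-inline', which undoes most XSS protection"
    return None


def _check_frame_options(value):
    return None if value.strip().upper() in {"DENY", "SAMEORIGIN"} else "expected DENY or SAMEORIGIN"


def _check_referrer(value):
    return None if value.strip().lower() in ACCEPTED_REFERRER else "leaky referrer policy"


def _check_non_empty(value):
    return None if value.strip() else "empty value"


# Header name (lower-case) -> validator returning None when acceptable, else a reason.
CHECKS = {
    "x-content-type-options": _check_nosniff,
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "permissions-policy": _check_non_empty,
    "referrer-policy": _check_referrer,
    "x-frame-options": _check_frame_options,
}


def audit_security_headers(headers):
    """Return {header: 'ok' | 'missing' | 'weak: <reason>'} for every header in CHECKS.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            report[name] = "missing"
            continue
        problem = check(lowered[name])
        report[name] = "ok" if problem is None else f"weak: {problem}"
    return report


def needs_work(headers):
    """Sorted list of headers that are missing or weak, i.e. what still needs attention."""
    return sorted(name for name, status in audit_security_headers(headers).items() if status != "ok")


# Constructed sample responses (not captured from any real site).
WITHOUT_RULE = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store"}

# What a rule that only adds X-Content-Type-Options changes: one extra header.
WITH_RULE = dict(WITHOUT_RULE, **{"X-Content-Type-Options": "nosniff"})

# A fuller set an origin or further rules would have to add.
HARDENED = dict(WITH_RULE, **{
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
})

if __name__ == "__main__":
    for label, hdrs in (("without", WITHOUT_RULE), ("with rule", WITH_RULE), ("hardened", HARDENED)):
        print(label, "->", audit_security_headers(hdrs))
```

Running it shows the gap the last post describes: with the rule alone only X-Content-Type-Options turns "ok", while Strict-Transport-Security, Content-Security-Policy and Permissions-Policy stay "missing" until the origin (or another rule) sets them. The CSP validator is deliberately strict about `'unsafe-inline'` in script sources, since that single token removes most of what the header is meant to provide.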

