https://wiki.owasp.org/index.php?action=history&feed=atom&title=Security_Headers 2026-05-06T15:29:22Z Revision history for this page on the wiki MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=Security_Headers&diff=168772&oldid=prev 2014-02-23T06:19:04Z

<p>first page for the project has been started</p> <p><b>New page</b></p><div>HTTP headers which should be included by default. Methods for modifying or removing the headers for specific instances should be provided, but by default there are secure settings which should be enabled unless there are other overriding concerns.<br /> * X-Frame-Options: SAMEORIGIN [https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options|ref]<br /> * X-XSS-Protection: 1; mode=block [http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx|ref]<br /> * X-Content-Type-Options: nosniff <br /> * Content-Type: text/html; charset=utf-8<br /> <br /> Additionally, no headers should be included that needlessly divulge information about the server or it's configuration that an end user wouldn't need.</div>

Ari Elias-Bachrach