HTTP security headers are response headers that tell a browser how it may handle a page: which sources it may load scripts from, whether the page may be framed, how long to insist on HTTPS, and so on. Setting them to best-practice values gives users a more secure browsing experience and protects your website. Changing these headers can break site functionality (a strict Content-Security-Policy will block inline scripts and third-party resources, for example), so test every change before moving it to production. Many headers have a single recommended value; others (Content-Security-Policy and Feature-Policy in particular) must be configured for your specific website.
Content-Security-Policy
Recommended Value: Example value (this must be customized to the script sources that are allowed to run on your website)
default-src 'self' allowedsite1.com allowedsite2.com allowedsite3.com;
Information on additional configuration options is available at content-security-policy.com (see Sources).
X-Permitted-Cross-Domain-Policies
Recommended Value: none
Clear-Site-Data
Recommended Value: "cache","cookies","storage"
Cross-Origin-Embedder-Policy
Recommended Value: require-corp
Cross-Origin-Opener-Policy
Recommended Value: same-origin
Cross-Origin-Resource-Policy
Recommended Value: same-origin
Cache-Control
Recommended Value: no-store, max-age=0
Strict-Transport-Security
Recommended Value: max-age=31536000; includeSubDomains
X-Frame-Options
Recommended Value: deny
Expect-CT
Recommended Value: Note that this security header was deprecated in June 2021 and is being phased out; current browsers no longer honor it, so it can be omitted. If it is still set, the following is an example configuration (be sure to modify the report-uri):
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
X-Content-Type-Options
Recommended Value: nosniff
Feature-Policy
Recommended Value: Note that this security header is in the process of being deprecated and is being split into Permissions-Policy and Document-Policy. Refer to the MDN Feature-Policy page (see Sources) for the list of features, identify those your website uses and explicitly allow them. Alternatively, select the features that should not be allowed and deny them.
Feature-Policy: <feature> <allow list origin(s)>
Referrer-Policy
Recommended Value: no-referrer
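A small audit script that checks a set of response headers against the recommended values listed above, as an added example that is not part of the original page or of the OWASP project. The two sample responses are constructed for illustration, and the wording of the findings and the specific CSP constructs it flags ('unsafe-inline', 'unsafe-eval', wildcard and scheme-only sources in the effective script source list) are this script's own choices. Expect-CT, Clear-Site-Data and Feature-Policy are left out of the check because the first is deprecated and the other two are site-specific.

```python
"""Audit an HTTP response's security headers against the recommended
values in the list above.  Added example, not part of the original page:
the two sample responses are constructed, and the wording of the findings
is this script's own choice."""
import re

# Headers whose recommended value is a fixed token (compared case-insensitively).
EXPECTED_EXACT = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "no-referrer",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}
ONE_YEAR = 31536000  # seconds; the HSTS max-age recommended above


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}.  Browsers ignore a
    repeated directive, so the first occurrence wins here too."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [s.lower() for s in tokens[1:]])
    return directives


def check_csp(value):
    """Flag the constructs that most often defeat a CSP for script execution."""
    findings = []
    d = parse_csp(value)
    if "default-src" not in d:
        findings.append("Content-Security-Policy: no default-src fallback")
    # script-src falls back to default-src when it is absent.
    scripts = d.get("script-src", d.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "data:"):
        if bad in scripts:
            findings.append(f"Content-Security-Policy: scripts may load from {bad}")
    return findings


def check_hsts(value):
    """HSTS should last at least a year and cover subdomains."""
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if m is None:
        return ["Strict-Transport-Security: missing max-age"]
    if int(m.group(1)) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security: max-age {m.group(1)} is under one year")
    if re.search(r"\bincludeSubDomains\b", value, re.I) is None:
        findings.append("Strict-Transport-Security: missing includeSubDomains")
    return findings


def check_cache_control(value):
    """no-store is the directive that keeps sensitive responses out of caches."""
    tokens = {t.strip().lower() for t in value.split(",")}
    return [] if "no-store" in tokens else ["Cache-Control: missing no-store"]


def audit(headers):
    """Return a list of findings; an empty list means every checked header is as recommended."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED_EXACT.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want:
            findings.append(f"{name}: got {got!r}, expected {want!r}")
    checks = {
        "Content-Security-Policy": check_csp,
        "Strict-Transport-Security": check_hsts,
        "Cache-Control": check_cache_control,
    }
    for name, fn in checks.items():
        value = h.get(name.lower())
        findings += fn(value) if value is not None else [f"{name}: missing"]
    return findings


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Content-Security-Policy": "default-src 'self' allowedsite1.com allowedsite2.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "no-referrer",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cache-Control": "no-store, max-age=0",
}
WEAK = {
    "content-security-policy": "script-src 'self' 'unsafe-inline' *",
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN",
    "cache-control": "private, max-age=0",
}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {audit(resp) or ['no findings']}")
```

To audit a live site, replace the constructed dictionaries with the headers returned by your HTTP client (for example the `headers` attribute of a `requests` or `urllib` response); header names are matched case-insensitively, as browsers treat them. The HSTS and Cache-Control checks deliberately test for the specific directives that carry the protection (a long max-age with includeSubDomains, and no-store) rather than for an exact string, since servers often add extra directives such as preload or private.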
Sources
https://owasp.org/www-project-secure-headers
https://content-security-policy.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy