Security headers are an important tool for helping to protect websites and web applications from certain types of attacks. Security headers are HTTP response headers that a server can send to a client (usually a web browser) when it serves a webpage. The client will then use the information in the headers to make security-related decisions about how to handle the webpage. For example, when a browser receives a Content-Security-Policy header, it will use the rules specified in the header to determine what types of resources (e.g. scripts, images, etc.) are allowed to be loaded by the webpage. If the webpage tries to load a resource that is not allowed by the CSP, the browser will block the resource from being loaded.
Recommended security headers are security headers we recommend to set on every website. These headers will improve security for your websites visitors without disrupting functionality. Most of these headers will be enabled automatically when you activate Really Simple SSL Pro. An exception to this is the HTST header, because browsers remember this setting it cannot effectively be disabled without consequences so we leave it up to you to enable this header.
We currently recommend the following security headers for almost all* websites:
- HSTS -> max-age=63072000; includeSubDomains; preload
- X-Content-Type-Options -> nosniff
- X-XSS-Protection -> 0
- X-Frame-Options -> SAMEORIGIN
- Referrer-Policy -> strict-origin-when-cross-origin
- Content-Security-Policy -> upgrade-insecure-requests
* = There may be very specific circumstances where a recommended security header would need be changed to support functionality of your website. You can change the defaults set by Really Simple SSL in the settings.
