Referencia de Encabezados de Seguridad HTTP
Referencia y verificador de encabezados de seguridad HTTP — CSP, HSTS, X-Frame-Options, CORS y más.
Content-Security-Policy
cspPrevents XSS attacks by controlling which resources the browser is allowed to load.
Recommended Value: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;
Security Risk Without: Cross-site scripting (XSS) attacks
Content-Security-Policy: default-src 'self'
Strict-Transport-Security
transportForces HTTPS connections and prevents SSL stripping attacks.
Recommended Value: max-age=31536000; includeSubDomains; preload
Security Risk Without: Man-in-the-middle attacks, SSL stripping
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options
clickjackingPrevents the page from being displayed in a frame/iframe to protect against clickjacking.
Recommended Value: DENY or SAMEORIGIN
Security Risk Without: Clickjacking attacks
X-Frame-Options: DENY
X-Content-Type-Options
cspPrevents MIME type sniffing which can lead to security vulnerabilities.
Recommended Value: nosniff
Security Risk Without: MIME confusion attacks
X-Content-Type-Options: nosniff
Referrer-Policy
cspControls how much referrer information is included in requests.
Recommended Value: strict-origin-when-cross-origin
Security Risk Without: Information leakage via Referer header
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
cspControls which browser features and APIs can be used in the browser.
Recommended Value: camera=(), microphone=(), geolocation=(self)
Security Risk Without: Unauthorized access to browser APIs
Permissions-Policy: camera=(), microphone=()
Access-Control-Allow-Origin
corsSpecifies which origins can access the resource.
Recommended Value: Specific origin or same-origin only — avoid wildcard (*) for authenticated resources
Security Risk Without: Cross-origin data access
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods
corsSpecifies the HTTP methods allowed for cross-origin requests.
Recommended Value: GET, POST, PUT, DELETE (only what is needed)
Security Risk Without: Unauthorized HTTP methods via CORS
Access-Control-Allow-Methods: GET, POST
Cache-Control
cacheControls how responses are cached by browsers and proxies.
Recommended Value: no-store, no-cache (for sensitive data); max-age=31536000 (for static assets)
Security Risk Without: Sensitive data cached and exposed
Cache-Control: no-store, no-cache, must-revalidate
Cross-Origin-Resource-Policy
corsPrevents other origins from reading the response of this resource.
Recommended Value: same-origin or same-site
Security Risk Without: Cross-origin information leakage
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy
corsAllows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
Recommended Value: same-origin
Security Risk Without: Cross-origin attacks via shared browsing context
Cross-Origin-Opener-Policy: same-origin
X-XSS-Protection
cspLegacy header — enables the browser's built-in XSS filter. Mostly superseded by CSP.
Recommended Value: 1; mode=block (legacy) or omit in favor of CSP
Security Risk Without: XSS attacks in older browsers without CSP
X-XSS-Protection: 1; mode=block
Header Checker
Paste your HTTP response headers to check
Preguntas Frecuentes
Comments & Feedback
Comments are powered by Giscus. Sign in with GitHub to leave a comment.