An official website of the United States government

Security-related HTTP headers

By default, cloud.gov sets several security-related HTTP headers if your application does not:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000

These headers reflect some of the main recommendations of the OWASP Secure Headers Project. Many web application security scanners (commonly implemented to help fulfill RA-5) flag the absence of these headers as a potential vulnerability, so cloud.gov sets them by default to support your application’s security and security compliance.

To override any of these headers, you can set them to a different value in your application. To omit the X-Frame-Options header entirely, you can set its value to ALLOWALL. Details on the behavior of HTTP headers.
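
The default, override and ALLOWALL rules described above can be modeled in a few lines to check what a client will actually receive for a given set of application headers. This is an added example, not cloud.gov's own code: the function names and the sample application headers are assumptions, as is the exact-match comparison on ALLOWALL.

```python
# Added example: a model of the behaviour documented above, not cloud.gov's code.
PLATFORM_DEFAULTS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
}


def effective_headers(app_headers):
    """Return the (name, value) pairs a client would see for an app's response."""
    # HTTP header names are case-insensitive, so compare on lowercase names.
    set_by_app = {name.lower() for name, _ in app_headers}
    result = []
    for name, value in app_headers:
        # Documented special case: ALLOWALL means "send no X-Frame-Options".
        # Assumption: the value is matched exactly after trimming whitespace.
        if name.lower() == "x-frame-options" and value.strip() == "ALLOWALL":
            continue
        result.append((name, value))
    # A default is added only when the application did not set that header.
    for name, default in PLATFORM_DEFAULTS.items():
        if name.lower() not in set_by_app:
            result.append((name, default))
    return result


def audit(app_headers):
    """Classify each security header as default, overridden, or omitted."""
    seen = {name.lower(): value for name, value in effective_headers(app_headers)}
    report = {}
    for name, default in PLATFORM_DEFAULTS.items():
        value = seen.get(name.lower())
        if value is None:
            report[name] = "omitted"
        elif value == default:
            report[name] = "default"
        else:
            report[name] = "overridden: " + value
    return report


# Constructed sample: headers a hypothetical app sets on its own responses.
EMBEDDABLE_APP = [
    ("Content-Type", "text/html"),
    ("x-frame-options", "ALLOWALL"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for header, status in audit(EMBEDDABLE_APP).items():
        print(f"{header}: {status}")
```

An "omitted" result for X-Frame-Options means the response carries no framing restriction from that header, so any remaining limit on who may frame the page has to come from a Content-Security-Policy frame-ancestors directive set by the application.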

An official website of the U.S. General Services Administration
