Security-related HTTP headers

By default, cloud.gov sets several security-related HTTP headers if your application does not:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000

These headers reflect some of the main recommendations of the OWASP Secure Headers Project. Many web application security scanners (commonly implemented to help fulfill RA-5) identify lack of these headers as a potential vulnerability, so cloud.gov sets them by default to support your application’s security and security compliance.

To override any of these headers, you can set them to a different value in your application. To omit the X-Frame-Options header entirely, you can set its value to ALLOWALL. Details on the behavior of HTTP headers.