Modern HTTP security headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. The six headers every modern site should ship.
What it is
A baseline set of HTTP response headers that defend against common web attacks: protocol downgrade, clickjacking, MIME-sniffing, cross-site script injection, leaky referrers, and unwanted browser feature access.
Why it matters
Most of these headers are one-line config in your CDN or origin server. Missing them is the single biggest 'low-hanging fruit' finding in any security review.
Who it applies to
Every site over HTTPS — which by 2026 is every site.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
Related standards
- See also: HSTS, HSTS Preload, TLS 1.2+, CSP 3, SRI, Cross-Origin isolation, Permissions-Policy, Referrer-Policy, XFO, nosniff
Other references
- Guidance: MDN — HTTP security headers
- Tooling: Mozilla Observatory
- RFC: RFC 6797 — HTTP Strict Transport Security
Examples
```http
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
```

A reasonable starting point. Tighten CSP per-app once you've inventoried script sources; loosen Permissions-Policy only when a feature is actually used.
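To turn the baseline above into a repeatable check, here is an added Python example (not WQI's scoring code, and not any tool referenced on this page) that parses a response's headers and reports which of the six are missing or weakly configured. The one-year HSTS floor, the accepted Referrer-Policy values, the nonce value and both sample header sets are assumptions constructed for the example.

```python
"""Audit HTTP response headers against the six-header baseline on this page.
Added example, not WQI's scoring code; thresholds and samples are assumptions."""
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000  # assumed floor: one year (the page's example uses two)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=63072000; includeSubDomains' -> {'max-age': '63072000', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source expressions]}; sources keep their case."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def has_nonce_or_hash(sources: List[str]) -> bool:
    return any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: protocol downgrade is not prevented")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no defence against script injection")
    else:
        d = parse_csp(csp)
        script = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script and not has_nonce_or_hash(script):
            findings.append("CSP script-src permits 'unsafe-inline' with no nonce or hash")
        # 'strict-dynamic' makes CSP3 browsers ignore host and 'self' sources, so
        # without a nonce or hash nothing is trusted and no script runs at all.
        if "'strict-dynamic'" in script and not has_nonce_or_hash(script):
            findings.append("CSP uses 'strict-dynamic' but issues no nonce or hash")
        if "'none'" not in d.get("object-src", d.get("default-src", [])):
            findings.append("CSP does not lock object-src to 'none'")
        for directive in ("base-uri", "frame-ancestors"):
            if directive not in d:
                findings.append(f"CSP lacks {directive}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive (legacy clickjacking guard)")
    # A comma-separated Referrer-Policy is a fallback list; browsers use the last value they know.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if referrer not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy {referrer!r} may leak full URLs cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing: browser features are not restricted")
    return findings


# Constructed samples: GOOD is the page's example set with a (made-up) per-response
# nonce added to script-src; WEAK is a deliberately under-configured origin.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d3adb33f' "
    "'strict-dynamic'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_headers(sample) or ["baseline met"])
```

The 'strict-dynamic' check is the one worth noting: because that keyword makes CSP3 browsers ignore host and 'self' sources, the CSP line in the examples above only admits scripts once each response carries a nonce (or hashes), which is why the GOOD sample adds one. To audit a live site, fill the dict from the response headers of a HEAD request and pass it to audit_headers.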