HTTP Security Headers

That's from gulshan sir's website.

This is my website
Can someone help me understand what it is?

These are response headers used by the browser to secure a site. The Mozilla Dev page has clear info about these.

In short,

Used to restrict iframing.

With the sameorigin value, it can be embedded inside the same origin and not at another hostname.

Strict Transport Security (HSTS)

Used to enforce an always-HTTPS policy at the browser level.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

These are recommended. Not necessarily required.

So does that impact my site security in any way? Also, is there a simple fix for it?

It is just a fence guard at the browser level. Nothing much. Your host can help with adding the necessary rules via the .htaccess file.

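As an added example, not code from this thread or from gulshan sir's site: a small Python audit that takes a captured set of response headers, checks the two headers discussed above (X-Frame-Options and Strict-Transport-Security) against the values recommended in the reply, and emits the Apache mod_headers lines for .htaccess that would set them. The sample headers are constructed, and the finding messages and function names are my own.

```python
# Added example: audit X-Frame-Options / HSTS and generate .htaccess fixes.
# Not part of the original thread; sample headers below are constructed.

# Constructed response headers, as a browser would receive them.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOW-FROM https://example.com",   # obsolete form
    "Strict-Transport-Security": "max-age=300",            # far too short
}

# Values recommended in the thread: 2 years, subdomains, preload.
HSTS_MIN_AGE = 63072000
HSTS_RECOMMENDED = "max-age=63072000; includeSubDomains; preload"
XFO_ALLOWED = {"DENY", "SAMEORIGIN"}


def _get(headers, name):
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Split an HSTS value into directives; names are case-insensitive (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def audit_headers(headers):
    """Return a list of findings; empty means both headers match the recommendation.

    Caveat: browsers only honour HSTS when it arrives over HTTPS, so an audit of a
    plain-HTTP response says nothing about whether HSTS is actually in effect.
    """
    findings = []

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing: any site can frame this page")
    elif xfo.strip().upper() not in XFO_ALLOWED:
        # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
        findings.append(f"X-Frame-Options value '{xfo}' is not DENY or SAMEORIGIN")

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browser will not force HTTPS")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age={max_age} is below {HSTS_MIN_AGE} (2 years)")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in directives:
            findings.append("HSTS lacks preload")
    return findings


def htaccess_fix(headers):
    """Apache .htaccess (mod_headers) lines for each header the audit flags.

    'always' makes the header appear on error responses too. Only add 'preload'
    if you intend to submit the domain to the browser preload list; it is hard to undo.
    """
    findings = audit_headers(headers)
    lines = []
    if any(f.startswith("X-Frame-Options") for f in findings):
        lines.append('Header always set X-Frame-Options "SAMEORIGIN"')
    if any(f.startswith(("Strict-Transport-Security", "HSTS")) for f in findings):
        lines.append(f'Header always set Strict-Transport-Security "{HSTS_RECOMMENDED}"')
    return lines


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
    print("\n# .htaccess lines to add (requires mod_headers):")
    print("\n".join(htaccess_fix(SAMPLE_HEADERS)))
```

Run it against the constructed SAMPLE_HEADERS and it flags the obsolete ALLOW-FROM value and the 300-second HSTS max-age, then prints the two `Header always set` lines a host would drop into .htaccess. Point it at real headers (for example from `curl -sI https://your-site/`) to audit a live site.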

Thanks for the help sir!

You’re welcome!

I’d like to add here an interesting thing…

As I said about iframe restriction, this is just one of many ways. If someone wants to clone a site they can still find many ways, for example with a tool like :see_no_evil:

So I'd not suggest completely relying on the browser level. There are better ways to secure a site, such as using a web firewall server policy.

Do you mean something like Wordfence can help?

I do not like an application-level firewall because it can cause performance issues at the hosting server.

I'd recommend Sucuri, which mitigates DDoS-type attacks at the DNS level. It can cache web pages at the edge, making them faster.
