====== Security Headers ======

^ Header ^ Specification ^^ Doc ^ Applicability ^^ Sane\\ default ^ Set by ^ Google? ^ Notes ^
^ ::: ^ First ^ Current ^ ::: ^ Website ^ Resources ^ ::: ^ ::: ^ ::: ^ ::: ^
| X-Frame-Options | [[https://tools.ietf.org/html/rfc7034|RFC 7034]] (2013)\\ [[https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/|Microsoft]] (2009) | | [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options|Moz]] | (V)\\ Pages generated dynamically by the server or the client | %%((V))%% ((Makes little sense)) | ''DENY''\\ ''SAMEORIGIN'' | App -> View -> Always | (V)\\ For the website | Superseded by ''Frame-Options'' in CSP\\ Meta tags do not work [(https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md#common-defense-mistakes)] |
| Strict-Transport-Security | [[https://tools.ietf.org/html/rfc6797|RFC 6797]] (2012) | | [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security|Moz]] | (V) | (V) | ''max-age=31536000; includeSubDomains;''\\ (!) Omit ''includeSubDomains'' if the office network has HTTP-only devices. | SSL endpoint -> Always | %%((X))%%\\ Not needed, they do preloading | |
| Referrer-Policy | [[https://www.w3.org/TR/referrer-policy/|w3]] (2017) | | [[https://scotthelme.co.uk/a-new-security-header-referrer-policy/|Scott Helme]], [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy|Moz]] | (V) | CSS | ''no-referrer''\\ ''strict-origin'' | App -> View -> Always\\ Server -> CSS -> Always | (X) | Deprecated in CSP |
| X-Content-Type-Options | [[https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/|Microsoft]] (2008) | | [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options|Moz]] | (V) | (V)\\ [[https://github.com/whatwg/fetch/issues/395|Problems with images?]] | ''nosniff'' | | %%((V))%%\\ For resources | |
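As an added example that is not part of the original wiki page, the following script checks a captured set of response headers against the sane defaults in the table above (DENY/SAMEORIGIN, HSTS max-age of at least one year, no-referrer/strict-origin, nosniff); the two header sets at the bottom are constructed test data, not real responses.

```python
# Added example (not from the original wiki page): checks one response's header
# set against the sane defaults in the table above. Sample headers are constructed.
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age recommended in the table


def _hsts_directives(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means all four headers match the sane defaults."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or not DENY/SAMEORIGIN: {xfo!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = _hsts_directives(hsts).get("max-age", "")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age {max_age!r} below {ONE_YEAR}")
    rp = h.get("referrer-policy")
    if rp is None or rp.lower() not in ("no-referrer", "strict-origin"):
        findings.append(f"Referrer-Policy missing or weaker than the sane defaults: {rp!r}")
    # Browsers honour only the exact token 'nosniff'; a misspelling is silently ignored.
    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options missing or not 'nosniff': {xcto!r}")
    return findings


# Constructed sample responses: one following the table's defaults, one with a
# too-short HSTS max-age, a leaky referrer policy and the misspelled 'no-sniff' token.
GOOD_HEADERS = {"X-Frame-Options": "DENY", "Referrer-Policy": "strict-origin",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains;",
                "X-Content-Type-Options": "nosniff"}
WEAK_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "Referrer-Policy": "unsafe-url",
                "Strict-Transport-Security": "max-age=300",
                "X-Content-Type-Options": "no-sniff"}
```

Feed it the headers of a real response (for example from `requests`' `response.headers`) to see which of the four headers deviate from the table.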