| Header Name | Description | Setting Example | Setting Explanation |
|---|---|---|---|
| X-Frame-Options |
Set up a domain where Iframes can be loaded. Specify this header to prevent clickjacking. |
X-Frame-Options: SAMEORIGIN |
DENY: Block iframes on the same domain SAMEORIGIN:同Allow iframes on the same domain ALLOW-FROM origin_uri:Allow iframes on specific domains |
| X-XSS-Protection | Enable or disable XSS protection. | X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block |
0:Disable XSS filter 1:Enable XSS filter |
| Strict-Transport-Security | Force requests for the same domain from browsers to HTTPS | Strict-Transport-Security: max-age=86400 |
max-age: Enables the specified time setting. includeSubDomains: Enable the setting to subdomains. The Strict-Transport-Security setting in the http response header will be ignored. This is because http communication is susceptible to tampering. If there are no certificate errors or any other problems with communication over https, the browser will force access over https according to the Strict-Transport-Security specification, if any. |
| X-Content-Type-Options |
Set IE to not perform file type guessing. It can prevent XSS from occurring by recognizing a file that is not html as html. |
X-Content-Type-Options: nosniff | Do not use guesswork to determine file types |
| X-Download-Options | You can configure settings such as not allowing downloaded files to be opened directly | X-Download-Options: noopen | You will only be able to save it locally |
| Content-Security-Policy | It will only get scripts and css from specific trusted locations. | Content-Security-Policy: default-src 'self' |
default-src 'self':同Allow loading of resources from the same domain default-src 'self' *.xxxx.com:Allow loading of resources from the same domain and subdomains of a specific domain |
| Set-Cookie | It is used to make the browser store cookies. | Set-Cookie: name=value; secure; HttpOnly path=/; domain=xxx.xxxx.co.jp; samesite=Lax |
secure: Sets a cookie to be sent only when HTTPS communication is used. HttpOnly: Set a cookie that cannot be accessed by JavaScript. path: Specifies the path to send cookies. domain: Set the domain to which you want to send cookies with backward matching. samesite: You can set the conditions under which cookies are sent. In brief, you can set None: none, Lax: low, and strict: high. |
| Cache-Control | Used to control the browser cache | Cache-Control: no-cache, no-store, must-revalidate |
no-cache: Cache servers are not saved. must-revalidate: Check if the cache file is up to date. |