How widely used are security-based HTTP response headers?

It&#x27;s unfortunate that response headers on a secure website need to be bloated so much to receive benefits that should be default on modern sites. I imagine a world where you specifically have to opt-in to unsafe behavior, not the other way around, but of course this would break many existing sites.<p>For those of you looking at this, I&#x27;ve found the X-Frame-Options (to prevent clickjacking via iframe) and Content-Security-Policy (to restrict eval, inline JS, JS and embed sources and more) to be the most useful headers by far. If you can run CSP without &#x27;unsafe-eval&#x27; or &#x27;unsafe-inline&#x27; and restrict all sources to your local domain, your site&#x27;s security will be much better for it as an entire range of attacks is eliminated on modern browsers.<p>Of course they are all worth looking at. Scott&#x27;s header test (<a href="https:&#x2F;&#x2F;securityheaders.io" rel="nofollow">https:&#x2F;&#x2F;securityheaders.io</a>) is a great check for your own sites.

CSP breaks bookmarklets in Firefox, which makes it rather user-hostile. This is properly Mozilla&#x27;s fault, but they&#x27;ve shown no interest in fixing it.<p><a href="https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=866522" rel="nofollow">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=866522</a>

HN uses x-frame-options:&quot;DENY&quot; to good effect which takes care of a fair number of click-jack tricks, it also uses strict-transport-security.<p>But there is only so much you can do with headers, the real risks are in the documents themselves.<p>How about a &lt;nojs&gt; &lt;&#x2F;nojs&gt; pair in the primary document disabling any kind of javascript execution in the space between the tags. And those tags should <i>only</i> work in the primary document.

For people using Node&#x2F;Express, Helmet is a useful little library that lets you add these security headers and CSP pretty easily: <a href="https:&#x2F;&#x2F;github.com&#x2F;helmetjs&#x2F;helmet" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;helmetjs&#x2F;helmet</a>

This post encouraged me to go through my own website and add a moderately strict CSP header, sans &#x27;unsafe-inline&#x27; scripts&#x2F;styles. Thanks!

I&#x27;ve found HPKP and HSTS easy to trivial, but gave up on deploying CSP. It&#x27;s major refactoring when so much stuff directly includes 3rd party CSS and script, or just injects static CSS and JS in to pages inline.

I gone through his previous blog post and found the changing Server: header field. Why have to waste time for rebuilding nginx from source for that? Why not just insert &#x27;server_tokens off&#x27; in your nginx.conf?

Can you help me understand the graphs? What is being plotted on the X axis?

I&#x27;d really like to know if any of you have used the report feature. It seems like any report you got would show you a bug in your code. What were the bugs? How many reports did you get?