Security Headers
Add HTTP security headers to protect your site against common web vulnerabilities.
Configuring security headers
- Go to your site's Access tab
- Under Security Headers, configure the headers you want
- Click Save
Available headers
X-Frame-Options
Prevents your site from being embedded in iframes on other domains. This protects against clickjacking attacks.
| Value | Description |
|---|---|
| DENY | Prevents all framing |
| SAMEORIGIN | Only allows framing from the same origin |
X-Content-Type-Options
When enabled, sends `X-Content-Type-Options: nosniff`, which prevents browsers from MIME-type sniffing. This stops browsers from interpreting a file as a different content type than the one declared in its `Content-Type` header.
Referrer-Policy
Controls how much referrer information is sent with requests.
| Value | Description |
|---|---|
| no-referrer | No referrer information is sent |
| origin | Only the origin (scheme, host, and port) is sent |
| strict-origin | Only the origin is sent, and nothing is sent when the request downgrades from HTTPS to HTTP |
| strict-origin-when-cross-origin | Full URL for same-origin requests, origin only for cross-origin requests, nothing on an HTTPS-to-HTTP downgrade |
Content-Security-Policy (CSP)
A powerful header that controls which resources the browser is allowed to load. Helps prevent XSS attacks.
Example:
```
default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;
```
Note that `'unsafe-inline'` in `script-src` allows inline scripts to run, which weakens the XSS protection the header is meant to provide. Once your scripts are served from files (or marked with nonces or hashes), remove it.
Permissions-Policy
Controls which browser features your site can use (camera, microphone, geolocation, etc.).
Example:
```
camera=(), microphone=(), geolocation=()
```
This disables camera, microphone, and geolocation access for your site.
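To check that a deployment actually sends the headers described on this page with the intended values, the following added example (not part of this documentation or the hosting platform's code) parses a set of response headers and reports weak or missing settings. It covers the CSP and Permissions-Policy examples above as well as the other three headers. The header dict is constructed from the example values on this page; in practice you would fill it from a real HTTP response.

```python
"""Audit HTTP security headers offline (added example, not platform code)."""
from typing import Dict, List

# Referrer-Policy values this page documents as acceptable choices.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:  # skip the empty item produced by a trailing ';'
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Split 'feature=(allowlist), ...' into {feature: [origins]}; [] means disabled."""
    policy: Dict[str, List[str]] = {}
    for item in value.split(","):
        item = item.strip()
        if "=" not in item:
            continue
        feature, allowlist = item.split("=", 1)
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            allowlist = allowlist[1:-1]
        policy[feature.strip().lower()] = allowlist.split()
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid (clickjacking)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")

    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing (XSS)")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when absent
        script_sources = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("CSP script-src allows 'unsafe-inline' (weakens XSS protection)")
        if "*" in script_sources:
            findings.append("CSP script-src allows any origin")

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy missing")
    else:
        policy = parse_permissions_policy(pp)
        for feature in ("camera", "microphone", "geolocation"):
            # Only an explicit empty allowlist '()' disables the feature.
            if policy.get(feature) != []:
                findings.append(f"Permissions-Policy does not disable {feature}")
    return findings


# Constructed sample: the values this page uses as examples.
SAMPLE_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
    ),
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["all checks passed"]:
        print(finding)
```

Run against the page's own example values, the audit passes every check except one: it flags `'unsafe-inline'` in `script-src`, which is exactly the setting to remove once inline scripts are gone.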