Oihana PHP Enums

SecurityHeaderTrait

Security HTTP header names (modern best practices).

Mixed into HttpHeader.

Tags
author

Marc Alcaraz (ekameleon)

since
1.1.0

Table of Contents

Constants

CLEAR_SITE_DATA  : string = 'Clear-Site-Data'
`Clear-Site-Data` — Clears browsing data (cookies, storage, cache) for the origin (W3C).
CONTENT_SECURITY_POLICY  : string = 'Content-Security-Policy'
`Content-Security-Policy` — Controls resources the user agent may load (CSP Level 3).
CONTENT_SECURITY_POLICY_REPORT_ONLY  : string = 'Content-Security-Policy-Report-Only'
`Content-Security-Policy-Report-Only` — Monitors a CSP without enforcing it.
CROSS_ORIGIN_EMBEDDER_POLICY  : string = 'Cross-Origin-Embedder-Policy'
`Cross-Origin-Embedder-Policy` — Requires cross-origin resources to opt in to embedding.
CROSS_ORIGIN_OPENER_POLICY  : string = 'Cross-Origin-Opener-Policy'
`Cross-Origin-Opener-Policy` — Isolates the browsing context group from cross-origin documents.
CROSS_ORIGIN_RESOURCE_POLICY  : string = 'Cross-Origin-Resource-Policy'
`Cross-Origin-Resource-Policy` — Restricts which origins may embed the resource.
PERMISSIONS_POLICY  : string = 'Permissions-Policy'
`Permissions-Policy` — Enables or disables browser features for the document.
REFERRER_POLICY  : string = 'Referrer-Policy'
`Referrer-Policy` — Controls how much referrer information is sent (W3C).
STRICT_TRANSPORT_SECURITY  : string = 'Strict-Transport-Security'
`Strict-Transport-Security` — Enforces HTTPS for future requests (HSTS, RFC 6797).
X_CONTENT_TYPE_OPTIONS  : string = 'X-Content-Type-Options'
`X-Content-Type-Options` — `nosniff` disables MIME-type sniffing.
X_FRAME_OPTIONS  : string = 'X-Frame-Options'
`X-Frame-Options` — Legacy clickjacking protection, superseded by CSP `frame-ancestors`.
X_XSS_PROTECTION  : string = 'X-XSS-Protection'
`X-XSS-Protection` — Legacy XSS filter control (deprecated; prefer CSP).

Constants

CLEAR_SITE_DATA

`Clear-Site-Data` — Clears browsing data (cookies, storage, cache) for the origin (W3C).

public string CLEAR_SITE_DATA = 'Clear-Site-Data'

CONTENT_SECURITY_POLICY

`Content-Security-Policy` — Controls resources the user agent may load (CSP Level 3).

public string CONTENT_SECURITY_POLICY = 'Content-Security-Policy'

CONTENT_SECURITY_POLICY_REPORT_ONLY

`Content-Security-Policy-Report-Only` — Monitors a CSP without enforcing it.

public string CONTENT_SECURITY_POLICY_REPORT_ONLY = 'Content-Security-Policy-Report-Only'

CROSS_ORIGIN_EMBEDDER_POLICY

`Cross-Origin-Embedder-Policy` — Requires cross-origin resources to opt in to embedding.

public string CROSS_ORIGIN_EMBEDDER_POLICY = 'Cross-Origin-Embedder-Policy'

CROSS_ORIGIN_OPENER_POLICY

`Cross-Origin-Opener-Policy` — Isolates the browsing context group from cross-origin documents.

public string CROSS_ORIGIN_OPENER_POLICY = 'Cross-Origin-Opener-Policy'

CROSS_ORIGIN_RESOURCE_POLICY

`Cross-Origin-Resource-Policy` — Restricts which origins may embed the resource.

public string CROSS_ORIGIN_RESOURCE_POLICY = 'Cross-Origin-Resource-Policy'

PERMISSIONS_POLICY

`Permissions-Policy` — Enables or disables browser features for the document.

public string PERMISSIONS_POLICY = 'Permissions-Policy'

REFERRER_POLICY

`Referrer-Policy` — Controls how much referrer information is sent (W3C).

public string REFERRER_POLICY = 'Referrer-Policy'

STRICT_TRANSPORT_SECURITY

`Strict-Transport-Security` — Enforces HTTPS for future requests (HSTS, RFC 6797).

public string STRICT_TRANSPORT_SECURITY = 'Strict-Transport-Security'

X_CONTENT_TYPE_OPTIONS

`X-Content-Type-Options` — `nosniff` disables MIME-type sniffing.

public string X_CONTENT_TYPE_OPTIONS = 'X-Content-Type-Options'

X_FRAME_OPTIONS

`X-Frame-Options` — Legacy clickjacking protection, superseded by CSP `frame-ancestors`.

public string X_FRAME_OPTIONS = 'X-Frame-Options'

X_XSS_PROTECTION

`X-XSS-Protection` — Legacy XSS filter control (deprecated; prefer CSP).

public string X_XSS_PROTECTION = 'X-XSS-Protection'