As you might guess from the name, the Clear-Site-Data HTTP header is a powerful tool that instructs a client (usually a browser) to clear stored data related to a website. This includes cache, storage, cookies, or even all site data. By implementing this header, you gain precise control over how your website’s data is managed […]
Permissions-Policy: Control Browser Features with HTTP Headers Earlier known as Feature-Policy, this header has been renamed Permissions-Policy with enhanced capabilities. To understand the significant differences between Feature-Policy and Permissions-Policy, you can check detailed resources that explain the updates and improvements. With Permissions-Policy, you gain granular control over browser features such as geolocation, fullscreen, microphone, camera,
Permissions-Policy Read More »
Looking to control the referrer-policy of your site? There are certain privacy and security benefits. However, not all the options are supported by all the browsers, so review your requirements before the implementation. Referrer-Policy supports the following syntax. Value Description no-referrer Referrer information will not be sent with the request. no-referrer-when-downgrade The default setting where
Using Adobe products like PDF, Flash, etc.? You can implement this header to instruct the browser on how to handle the requests over a cross-domain. By implementing this header, you restrict loading your site’s assets from other domains to avoid resource abuse. There are a few options available. Value Description none no policy is allowed
X-Permitted-Cross-Domain-Policies Read More »
Prevent XSS, clickjacking, code injection attacks by implementing the Content Security Policy (CSP) header in your web page HTTP response. CSP instruct browser to load allowed content to load on the website. All browsers don’t support CSP, so you got to verify before implementing it. There are three ways you can achieve CSP headers. Content-Security-Policy – Level 2/1.0 X-Content-Security-Policy –
Content Security Policy Read More »
Prevent MIME types of security risk by adding this header to your web page’s HTTP response. Having this header instructs browser to consider file types as defined and disallow content sniffing. There is only one parameter you got to add “nosniff”. Let’s see how to advertise this header. Apache You can do this by adding the below
X-Content-Type-Options Read More »
Use the X-Frame-Options header to prevent Clickjacking vulnerability on your website. By implementing this header, you instruct the browser not to embed your web page in frame/iframe. This has some limitations in browser support, so you got to check before implementing it. You can configure the following three parameters. Parameter Value Meaning SAMEORIGIN Frame/iframe of content is
HSTS (HTTP Strict Transport Security) header to ensure all communication from a browser is sent over HTTPS (HTTP Secure). This prevents HTTPS click-through prompts and redirects HTTP requests to HTTPS. Before implementing this header, you must ensure all your website page is accessible over HTTPS else they will be blocked. HSTS header is supported on
HTTP Strict Transport Security Read More »
Everything to keep in mind when designing and building a mega-dropdown, common pitfalls, hover entry/exit delays, trajectory triangle technique and SVG path exit areas.