OWASP Secure Headers Project

The OWASP Secure Headers Project (OSHP) maintains a widely used reference for HTTP response security headers, including the values it recommends for each. The tiers below group the 2024 recommendations by priority. Note that a header is only useful with a secure value: an empty Content-Security-Policy or an HSTS header with a tiny max-age counts as present but gives little protection.

Critical Headers (Tier 1)

Content-Security-Policy: required for all websites. Restricts the sources from which scripts, styles, frames and other resources may load; the main browser-side mitigation for cross-site scripting. A policy that allows 'unsafe-inline' scripts without nonces or hashes undoes most of that benefit.

Strict-Transport-Security: required for all websites. Tells the browser to reach the host only over HTTPS for max-age seconds. Browsers ignore the header when it arrives over plain HTTP, so it must be sent on the HTTPS response; a max-age of at least one year with includeSubDomains is the usual secure value.

X-Content-Type-Options: required for all websites. The only valid value is nosniff, which stops the browser from MIME-sniffing responses into scripts or stylesheets.

X-Frame-Options: required for all websites. Use DENY or SAMEORIGIN; ALLOW-FROM is not supported by current browsers. CSP frame-ancestors supersedes this header, but it is still sent for older browsers that do not honour that directive.

Recommended Headers (Tier 2)

Referrer-Policy: recommended for most sites. Controls how much of the current URL is sent in the Referer header; strict-origin-when-cross-origin or no-referrer are the common secure choices, while unsafe-url and no-referrer-when-downgrade leak full URLs to other origins.

Permissions-Policy: recommended for most sites. Disables browser features the site does not use (geolocation, camera, microphone, and so on) for the page and its embedded frames; it is the successor to Feature-Policy.

Cross-Origin-Opener-Policy: recommended for most sites. same-origin severs the window reference between the page and cross-origin pages that opened it or that it opens.

Cross-Origin-Embedder-Policy: recommended for most sites. require-corp blocks cross-origin subresources that do not opt in via CORS or Cross-Origin-Resource-Policy; together with COOP it enables cross-origin isolation. It breaks third-party embeds that have not opted in, which is why it is evaluated per site rather than required.

Implementation Checklist

All Tier 1 headers implemented on every response, including error pages and redirects
Tier 2 headers evaluated for applicability (COEP in particular can break third-party embeds)
Headers configured with secure values, not merely present
Regular scanning of live responses for header drift after deployments or CDN changes
Monitoring for deprecated headers that are still being sent
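As an added example (written for this page, not code from OSHP or from the original page), the Python script below automates the checklist above and the deprecation timeline that follows: it parses a raw response head, reports missing Tier 1 and Tier 2 headers, flags weak values for the headers that are present, and flags the deprecated headers. The thresholds it applies (a one-year HSTS max-age floor, the Referrer-Policy values treated as leaky, the CSP heuristics) and the two sample responses are assumptions constructed for illustration, not OSHP's own rules.

```python
import re

# Headers this page lists as required for all sites (Tier 1) and recommended (Tier 2).
TIER1 = ("Content-Security-Policy", "Strict-Transport-Security",
         "X-Content-Type-Options", "X-Frame-Options")
TIER2 = ("Referrer-Policy", "Permissions-Policy",
         "Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy")
# Headers from the deprecation timeline; X-XSS-Protection is tolerated only as "0".
DEPRECATED = {
    "Feature-Policy": "renamed to Permissions-Policy; replace it",
    "X-XSS-Protection": "legacy filter; send 'X-XSS-Protection: 0' or drop the header",
}
ONE_YEAR = 31536000  # HSTS max-age floor used by this audit (assumption)

def parse_headers(raw):
    """Parse a raw response head into a dict. Names are case-insensitive, so keys
    are lower-cased; repeated headers are joined with ', ' as RFC 9110 allows."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    headers = {}
    for line in lines:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # split on the first colon only
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def weak_value(name, value):
    """Return a finding string if a present header carries a weak value, else None."""
    low = value.lower()
    if name == "Content-Security-Policy":
        directives = {}
        for d in low.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0]] = parts[1:]
        if "default-src" not in directives and "script-src" not in directives:
            return "CSP sets neither default-src nor script-src"
        script = directives.get("script-src", directives.get("default-src", []))
        nonced = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
        if "'unsafe-inline'" in script and not nonced and "'strict-dynamic'" not in script:
            return "CSP allows 'unsafe-inline' scripts without a nonce, hash or 'strict-dynamic'"
    elif name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", low)
        if not m or int(m.group(1)) < ONE_YEAR:
            return "HSTS max-age is below one year"
        if "includesubdomains" not in low:
            return "HSTS lacks includeSubDomains"
    elif name == "X-Content-Type-Options" and low != "nosniff":
        return "X-Content-Type-Options must be exactly 'nosniff'"
    elif name == "X-Frame-Options" and low not in ("deny", "sameorigin"):
        return "X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is unsupported)"
    elif name == "Referrer-Policy" and low in ("unsafe-url", "no-referrer-when-downgrade"):
        return f"Referrer-Policy '{value}' sends the full URL to cross-origin sites"
    elif name.startswith("Cross-Origin-") and low == "unsafe-none":
        return f"{name} 'unsafe-none' is the permissive default and adds no isolation"
    return None

def audit(headers):
    """Audit parsed headers against the checklist; returns findings by category."""
    report = {"missing_tier1": [], "missing_tier2": [], "weak": [], "deprecated": []}
    for tier, bucket in ((TIER1, "missing_tier1"), (TIER2, "missing_tier2")):
        for name in tier:
            value = headers.get(name.lower())
            if value is None:
                report[bucket].append(name)
                continue
            finding = weak_value(name, value)
            if finding:
                report["weak"].append(finding)
    for name, advice in DEPRECATED.items():
        value = headers.get(name.lower())
        if value is not None and not (name == "X-XSS-Protection" and value == "0"):
            report["deprecated"].append(f"{name}: {value!r}; {advice}")
    # Missing Tier 2 headers are an evaluation item on the checklist, not a failure.
    report["passed"] = not (report["missing_tier1"] or report["weak"] or report["deprecated"])
    return report

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://partner.example
Referrer-Policy: unsafe-url
Feature-Policy: geolocation 'none'
X-XSS-Protection: 1; mode=block
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection: 0
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_headers(raw)))
```

To use it against a live site, feed `parse_headers` the head returned by `curl -sI https://host/` and run it from a scheduled job, diffing the report against the previous run to catch header drift. The nonce in the hardened sample is a fixed placeholder; in production it must be a fresh random value per response.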

Header Deprecation Timeline

2023

Feature-Policy → Permissions-Policy. Browsers made the rename earlier (Chrome shipped the Permissions-Policy header name in 2021); anything still emitting Feature-Policy should be switched over.

2024

X-XSS-Protection deprecated. The browser XSS auditors it controlled have been removed (Chrome dropped its XSS Auditor in 2019), so "1; mode=block" no longer protects anything. OSHP recommends sending X-XSS-Protection: 0 or omitting the header entirely.