Summer's Words

HTTP Headers of Note for Synergizing into a Cohesive Security Stratagem

You are tired, hungry, but you need to secure your site from yourself before you go out of control! Lucky for you, I was tired and hungry too, but not anymore! With my 12-step program you too can be secure and well fed!


These 4 headers will help you deal with ShaÆSeer moving against your global defenses.

No one knows how they work, or what they do. I ran them through an AI called warm alcohol and this is what the AI responded with before shutting down for the night.

Cross-Origin-Embedder-Policy

Helps you control embedding other origins into your own origin. No one knows what this means.

Cross-Origin-Opener-Policy

Makes a new browsing context when you navigate to, or navigate from, a given origin that has the header. No one knows what this means.

Cross-Origin-Resource-Policy

I don't even know anymore. It's not even in the same specification. No one knows what this does either.


Cope is what I need to do when I read through HTTP specifications, but otherwise does not exist as a header.

Additional Reading

MDN's article on CORPs exists, but MDN is usually wrong. So read the specifications. Then give up 5 minutes later. Then copy the following and pretend you know what you are doing:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

Permissions-Policy

Does not allow saying "I don't want any permissions". I'm not going to type out each one; do it yourself. You can't even find a proper list of them. Horrible, 1/10 header.

Permissions-Policy: payment=(), picture-in-picture=()

Content-Security-Policy

The famous one. Have fun trying to find all the extra options for this header.

Content-Security-Policy: default-src 'none'; frame-ancestors 'none';
    form-action 'none'; require-trusted-types-for 'script';
    trusted-types; disown-opener; sandbox; base-uri 'none'

No, you can't wrap header values like that, don't do it. (And disown-opener never shipped: it was dropped from the CSP Level 3 draft, and Cross-Origin-Opener-Policy took its place; browsers ignore it.)

Strict-Transport-Security

Also known as the number 1 way to lock yourself out of your website, HSTS facilitates forcing your site to be accessed over HTTPS.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Will make your site never use HTTP again! Seriously.

X-Content-Type-Options

Much like my ex, there isn't much trust. If you want more trust, tell clients to trust you and to follow your Content-Type header and stop trying to be smart.

X-Content-Type-Options: nosniff
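As an added example (this is not code from the original post), here is a small Python audit that parses a captured HTTP response and checks every header covered above: the allowed tokens for the three cross-origin headers (it flags the quoted values the way browsers would, by rejecting them), that Permissions-Policy is present, that the CSP sets default-src and frame-ancestors to 'none', that an HSTS header carrying preload also meets the one-year max-age and includeSubDomains requirements hstspreload.org imposes, and that nosniff is set. Both sample responses are constructed; the credentialless COEP token comes from the spec, not from the post.

```python
"""Audit the security headers discussed above against a raw HTTP response.

Added example, not part of the original post. Sample responses are constructed.
"""
from __future__ import annotations

# Allowed (unquoted) tokens for the cross-origin isolation headers.
# A value wrapped in quotes is not one of these, so browsers ignore it.
CROSS_ORIGIN_TOKENS = {
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp", "credentialless"},
    "cross-origin-opener-policy": {"unsafe-none", "same-origin", "same-origin-allow-popups"},
    "cross-origin-resource-policy": {"same-origin", "same-site", "cross-origin"},
}
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response (status line first).
    Names are case-insensitive, so keys are lower-cased; a blank line ends the block."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> dict[str, object]:
    """Return max_age (int or None) plus the includeSubDomains and preload flags."""
    result: dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for d in (d.strip().lower() for d in value.split(";") if d.strip()):
        if d.startswith("max-age=") and d[8:].isdigit():
            result["max_age"] = int(d[8:])
        elif d == "includesubdomains":
            result["include_subdomains"] = True
        elif d == "preload":
            result["preload"] = True
    return result


def audit(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    for name, allowed in CROSS_ORIGIN_TOKENS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value.lower() not in allowed:
            findings.append(f"{name}: invalid value {value!r} (quotes are not allowed)")
    if "permissions-policy" not in headers:
        findings.append("permissions-policy: missing")
    csp = parse_csp(headers.get("content-security-policy", ""))
    for directive in ("default-src", "frame-ancestors"):
        if csp.get(directive) != ["'none'"]:
            findings.append(f"content-security-policy: {directive} should be 'none'")
    hsts = parse_hsts(headers.get("strict-transport-security", ""))
    if hsts["max_age"] is None:
        findings.append("strict-transport-security: missing or no max-age")
    elif hsts["preload"] and (hsts["max_age"] < PRELOAD_MIN_MAX_AGE or not hsts["include_subdomains"]):
        findings.append("strict-transport-security: preload needs max-age>=31536000 and includeSubDomains")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: should be nosniff")
    return findings


# Constructed sample: the cross-origin headers with quoted values and a weak HSTS.
QUOTED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cross-Origin-Embedder-Policy: 'require-corp'
Cross-Origin-Opener-Policy: 'same-origin'
Cross-Origin-Resource-Policy: 'same-origin'
Strict-Transport-Security: max-age=300; preload
X-Content-Type-Options: nosniff
"""

# Constructed sample: the same site with valid tokens and the full header set.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Permissions-Policy: payment=(), picture-in-picture=()
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for label, raw in (("quoted", QUOTED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_response_headers(raw)) or ["ok"])
```

Run it and the quoted response produces seven findings (three rejected tokens, the missing Permissions-Policy, two CSP directives, and the preload requirement), while the hardened one produces none; point parse_response_headers at the output of a real curl -i capture to audit a live site.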
