HTTP Security Headers & security.txt

Complete Guide to Web Security - Protecting Against Web Vulnerabilities with Security Headers

Why Security Headers Matter: Preventing Common Web Attacks

Security headers are response headers that instruct the browser to refuse framing, honour the declared content type, and limit what it sends in the Referer header. They close off clickjacking, MIME sniffing and information-leakage attacks that need no bug in your own application code. A site that omits them is exposed to attacks that are trivial for an attacker to mount and easy for an automated scanner to spot.

For government agencies, security headers are fundamental defenses against web attacks. security.txt provides a standard way for security researchers to report vulnerabilities, improving overall security.

What are Security Headers?

HTTP security headers are response headers that tell browsers how to handle web content and provide additional security controls. They protect against common web vulnerabilities like clickjacking, MIME type sniffing, and information leakage.

Security headers include:

  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME type sniffing attacks
  • Referrer-Policy: Controls referrer information leakage
  • Content-Security-Policy: Controls resource loading and, through its frame-ancestors directive, supersedes X-Frame-Options in modern browsers (advanced)

X-Frame-Options

X-Frame-Options prevents clickjacking attacks by telling the browser whether your pages may be embedded in frames (iframes). In a clickjacking attack, the attacker loads your site in an invisible or disguised frame on a page they control and tricks logged-in users into clicking elements they cannot see, such as a "confirm" or "submit" button.

X-Frame-Options Values

  • DENY: Prevents any framing, including by your own pages (recommended for government agencies)
  • SAMEORIGIN: Allows framing only by pages from the same origin
  • ALLOW-FROM: Obsolete; current browsers ignore it, which leaves the page frameable. To allow a specific third-party origin, use the Content-Security-Policy frame-ancestors directive instead

Recommended: Use DENY for maximum protection, or SAMEORIGIN if you need legitimate same-origin framing.

Example Header

X-Frame-Options: DENY

X-Content-Type-Options

X-Content-Type-Options: nosniff stops the browser from second-guessing the declared Content-Type. Without it, a browser may "sniff" the bytes of a response and treat it as something other than what the server declared, so a file uploaded as an image or plain text can be rendered as HTML and run script in your site's origin. With nosniff set, the browser also refuses to execute a script or apply a stylesheet whose response does not carry a JavaScript or CSS content type.

Example Header

X-Content-Type-Options: nosniff

Always use: nosniff - this is the only valid value and should always be set.

Referrer-Policy

Referrer-Policy controls how much of the current page's URL is sent in the Referer request header when users follow links or the page loads resources from other sites. Without it, the path and query string can leak to third parties, exposing sensitive URLs such as password-reset links, internal record identifiers, or search terms.

Referrer-Policy Values

  • no-referrer: Never send the Referer header (most secure; note that some sites rely on referrer checks and will break)
  • strict-origin-when-cross-origin: Full URL for same-origin requests, origin only for cross-origin requests, nothing when going from HTTPS to HTTP (recommended; also the default in current browsers)
  • same-origin: Full URL for same-origin requests, nothing for cross-origin requests
  • origin: Only the origin (scheme + host + port), for every request, including HTTPS to HTTP

Recommended: Use strict-origin-when-cross-origin for a balance of security and functionality, or no-referrer for maximum security.

Example Header

Referrer-Policy: strict-origin-when-cross-origin
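The checks described for the three headers above can be automated. The following is an added example for this guide, not YesGov's scanner and not code from the original page: it parses a raw HTTP response head and reports which of the three headers are missing, invalid or weak. The sample responses are constructed, and treating a Content-Security-Policy frame-ancestors directive as an acceptable substitute for X-Frame-Options reflects current browser behaviour rather than a rule stated on this page.

```python
"""Audit the three headers above from a raw HTTP response head.

Added example for this guide, not YesGov's scanner. The sample responses
are constructed; header names are matched case-insensitively because
they are case-insensitive on the wire.
"""
from __future__ import annotations

SAFE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
# Policies that never send the path or query string to another origin.
PATH_SAFE_REFERRER = {"no-referrer", "same-origin", "origin", "origin-when-cross-origin",
                      "strict-origin", "strict-origin-when-cross-origin"}
# Policies that send the full URL cross-origin: unsafe-url always,
# no-referrer-when-downgrade on every HTTPS-to-HTTPS navigation.
PATH_LEAKING_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_response_head(raw: str) -> dict[str, str]:
    """Turn a status line plus header block into a lower-cased name -> value dict.
    Repeated headers are joined with ", ", the HTTP list form."""
    headers: dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # [0] is the status line
        if not line.strip():
            break                                             # blank line ends the head
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def csp_restricts_framing(csp: str | None) -> bool:
    """True if a Content-Security-Policy carries frame-ancestors, which supersedes
    X-Frame-Options in browsers that support it."""
    return bool(csp) and any(d.strip().lower().startswith("frame-ancestors")
                             for d in csp.split(";"))


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for X-Frame-Options, X-Content-Type-Options and
    Referrer-Policy; an empty list means all three checks passed."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []

    # X-Frame-Options: DENY / SAMEORIGIN (case-insensitive); ALLOW-FROM is obsolete.
    xfo = h.get("x-frame-options")
    if xfo is None:
        if not csp_restricts_framing(h.get("content-security-policy")):
            findings.append("X-Frame-Options missing and no CSP frame-ancestors: page can be framed")
    elif xfo.upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it")
    elif xfo.upper() not in SAFE_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options has invalid value {xfo!r}")

    # X-Content-Type-Options: nosniff (case-insensitive) is the only valid value.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing: browsers may sniff content types")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has invalid value {xcto!r}; only 'nosniff' is valid")

    # Referrer-Policy may list fallbacks separated by commas; browsers apply the
    # last policy they recognise. Policy names are specified in lowercase, so
    # anything else is treated as unrecognised here.
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing: relying on the browser default")
    else:
        tokens = [t.strip() for t in rp.split(",") if t.strip()]
        known = [t for t in tokens if t in PATH_SAFE_REFERRER | PATH_LEAKING_REFERRER]
        if not known:
            findings.append(f"Referrer-Policy has no recognised policy in {rp!r}")
        elif known[-1] in PATH_LEAKING_REFERRER:
            findings.append(f"Referrer-Policy {known[-1]!r} sends full URLs to other sites")
    return findings


# Constructed sample responses, not captured from any real site.
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html; charset=utf-8\r\n"
                     "X-Frame-Options: DENY\r\n"
                     "X-Content-Type-Options: nosniff\r\n"
                     "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "x-frame-options: ALLOW-FROM https://partner.example\r\n"
                 "X-Content-Type-Options: NoSniff\r\n"          # valid: case-insensitive
                 "Referrer-Policy: unsafe-url\r\n\r\n")
CSP_ONLY_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
                     "X-Content-Type-Options: nosniff\r\n"
                     "Referrer-Policy: no-referrer\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE),
                       ("csp-only", CSP_ONLY_RESPONSE)):
        print(label, audit_security_headers(parse_response_head(raw)) or "OK")
```

Feed it the output of a real fetch (for example the head of a curl -i response) for each important page, and run it against error pages and redirects as well as the home page, since those responses are the ones most often served without the headers.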

security.txt (RFC 9116)

security.txt is a standard file (RFC 9116) that provides information for security researchers about how to report security vulnerabilities. It makes it easy for researchers to find your security contact information and reporting process.

security.txt Location

security.txt should be located at:

  • /.well-known/security.txt (the location RFC 9116 requires; served over HTTPS with Content-Type text/plain; charset=utf-8)
  • /security.txt (legacy location; serve a copy there or redirect it to /.well-known/security.txt)

security.txt Format

Contact: mailto:security@example.gov
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://example.gov/.well-known/security.txt
Policy: https://example.gov/security-policy

security.txt Fields

  • Contact: URI for reporting, typically a mailto:, tel: or https:// form (required; may be repeated, listed in order of preference)
  • Expires: RFC 3339 date-time after which the file should be treated as stale (required, exactly once; RFC 9116 recommends a value less than a year in the future)
  • Preferred-Languages: Comma-separated language tags for reports (at most once)
  • Canonical: URL(s) where this security.txt is officially published, so a copied or mirrored file can be told apart from the authoritative one
  • Policy: URL of your vulnerability disclosure policy
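To catch the mistakes the field rules above describe (a missing Contact or Expires, an Expires date that has already passed or is too far out, a Contact that is a bare address rather than a URI, a repeated single-use field), here is an added example for this guide. It is not YesGov's checker and not part of the original page. The sample files, the example.gov URLs and the fixed check dates are constructed so the run is reproducible.

```python
"""Validate a security.txt file against the RFC 9116 rules described above.

Added example for this guide, not YesGov's checker. The check time is
passed in explicitly so results are reproducible; the sample files and
example.gov URLs are constructed placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SINGLE_USE_FIELDS = ("expires", "preferred-languages")   # RFC 9116: at most once
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")       # Contact values must be URIs
CANONICAL_URL = "https://example.gov/.well-known/security.txt"
CHECKED_AT = datetime(2025, 6, 1, tzinfo=timezone.utc)
EXPIRED_AT = datetime(2026, 1, 15, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into a lower-cased field -> list of values map.
    Comments (#) and blank lines are skipped; lines without a colon are kept
    under '__malformed__' so the validator can report them."""
    fields: dict[str, list[str]] = {}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        key = name.strip().lower() if sep else "__malformed__"
        fields.setdefault(key, []).append(value.strip() if sep else line)
    return fields


def parse_expires(value: str) -> datetime | None:
    """Parse an RFC 3339 date-time such as 2025-12-31T23:59:59.000Z; return None
    if it does not parse or carries no UTC offset (RFC 3339 requires one)."""
    iso = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        parsed = datetime.fromisoformat(iso)
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def validate_security_txt(text: str, now: datetime, served_at: str | None = None) -> list[str]:
    """Return findings; an empty list means the file is valid at time `now`.
    `served_at` is the URL the file was fetched from; if given, it must be
    HTTPS and must be listed in a Canonical field."""
    f = parse_security_txt(text)
    findings = [f"malformed line (expected 'Field: value'): {bad!r}"
                for bad in f.get("__malformed__", [])]
    for name in SINGLE_USE_FIELDS:
        if len(f.get(name, [])) > 1:
            findings.append(f"{name} appears more than once")

    contacts = f.get("contact", [])
    if not contacts:
        findings.append("Contact is required")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact must be a URI (mailto:, tel: or https://): {c!r}")

    expires = f.get("expires", [])
    if not expires:
        findings.append("Expires is required")
    else:
        when = parse_expires(expires[0])
        if when is None:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        elif when <= now:
            findings.append(f"file expired on {when.date()}; researchers should treat it as stale")
        elif when - now > timedelta(days=365):
            findings.append("Expires is over a year out; RFC 9116 recommends less than a year")

    if served_at is not None:
        if not served_at.startswith("https://"):
            findings.append("security.txt must be served over HTTPS")
        if served_at not in f.get("canonical", []):
            findings.append(f"served at {served_at} but that URL is not listed in Canonical")
    return findings


# Constructed sample files.
VALID_FILE = """\
# Vulnerability reporting for example.gov
Contact: mailto:security@example.gov
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://example.gov/.well-known/security.txt
Policy: https://example.gov/security-policy
"""
BROKEN_FILE = """\
Contact: security@example.gov
Preferred-Languages: en
Preferred-Languages: es
This line has no field name
"""
FAR_FUTURE_FILE = VALID_FILE.replace("2025-12-31", "2030-12-31")

if __name__ == "__main__":
    print(validate_security_txt(VALID_FILE, CHECKED_AT, CANONICAL_URL) or "OK")
    print(validate_security_txt(VALID_FILE, EXPIRED_AT))
    print(validate_security_txt(BROKEN_FILE, CHECKED_AT))
    print(validate_security_txt(FAR_FUTURE_FILE, CHECKED_AT))
```

Run it against the file you are about to deploy with now=datetime.now(timezone.utc) and the HTTPS URL it will be served from, and schedule the same check to run again before the Expires date so the file is refreshed rather than allowed to lapse.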

Why Security Headers are Critical

For government agencies, security headers are fundamental defenses:

1. Prevents Clickjacking

X-Frame-Options prevents attackers from embedding your website in malicious frames, protecting users from clickjacking attacks.

2. Prevents MIME Sniffing Attacks

X-Content-Type-Options prevents browsers from incorrectly interpreting file types, preventing MIME sniffing attacks that could execute malicious code.

3. Prevents Information Leakage

Referrer-Policy controls how much information is leaked through referrer headers, protecting sensitive URLs and user information.

4. Enables Responsible Disclosure

security.txt makes it easy for security researchers to report vulnerabilities responsibly, improving overall security posture.

How to Implement Security Headers

Implementing security headers requires server configuration. Set them on every response, including error pages and redirects, because those are the responses an attacker can usually trigger at will:

Apache Configuration

Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

This requires mod_headers to be enabled. The always condition makes Apache add the headers to non-2xx responses as well; without it, 404 and 500 pages would be served without them.

Nginx Configuration

add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Caveat: Nginx inherits add_header directives from the enclosing block only when the current block has none of its own. A location block that sets even one unrelated add_header (a Cache-Control header, for example) silently drops all three headers above for the responses it serves, so either repeat the full set in every such block or keep it in an include file. The always flag makes Nginx add the headers to error responses and redirects, not only to 200 responses.

security.txt File

Create /.well-known/security.txt with your security contact information, serve it over HTTPS with Content-Type text/plain; charset=utf-8, and put the Expires date on a calendar: an expired file tells researchers the contact details may no longer be current.

How YesGov Ensures Complete Security Headers Protection

At YesGov, we don't just check whether security headers are present; we configure and validate the whole setup for government agencies:

  • Complete Configuration: We configure all required security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, etc.)
  • security.txt Setup: We create and configure security.txt files for responsible disclosure
  • Header Validation: We verify that headers are set on every response and carry the correct values
  • Testing and Validation: We test security headers to ensure they work correctly
  • Ongoing Monitoring: We continuously monitor security header configuration and ensure it remains active
  • Documentation: All security header configuration is documented for compliance and insurance purposes

When you host with YesGov, security headers are properly configured, continuously monitored, and automatically maintained. We handle header configuration, security.txt setup, and validation testing so you don't have to worry about web vulnerabilities. This is one of our comprehensive security checks that ensures your agency meets and exceeds federal, state, and industry standards.


Additional Resources


Learning Guides

Compound Risks: When Security Failures Combine

How multiple security failures combine to create worse outcomes. Learn about compound risks in government cybersecurity: email impersonation, DNS hijacking, silent interception, and more.

DNSSEC (Domain Name System Security Extensions)

DNSSEC (DNS Security Extensions): Complete guide to protecting your domain from DNS spoofing, cache poisoning, and man-in-the-middle attacks. Learn how DNSSEC works, why it

SSL/TLS Certificate

SSL/TLS Certificate Guide: Complete guide to encrypting data in transit, protecting against man-in-the-middle attacks, and meeting CISA compliance requirements for government websites.

HTTPS Redirect & HSTS (HTTP Strict Transport Security)

HTTPS Redirect & HSTS: Complete guide to enforcing encrypted connections, preventing downgrade attacks, and meeting CISA requirements for government websites.

TLS Configuration (Versions, Ciphers, Hardening)

TLS Configuration: Complete guide to secure TLS versions, cipher suites, and hardening for government websites.

Certificate Validation & CAA (Certificate Authority Authorization)

Certificate Validation & CAA: Complete guide to SSL/TLS certificate validation, trust chains, and Certificate Authority Authorization (CAA) records.

SPF (Sender Policy Framework)

SPF (Sender Policy Framework): Complete guide to preventing email spoofing, ensuring email deliverability, and meeting CISA compliance requirements for government email security.

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail): Complete guide to cryptographically signing emails, verifying email authenticity, and preventing phishing attacks for government email security.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC (Domain-based Message Authentication): Complete guide to enforcing email authentication policies, preventing email spoofing, and meeting CISA compliance requirements.

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS (Mail Transfer Agent Strict Transport Security): Complete guide to enforcing secure TLS connections for email transmission, preventing man-in-the-middle attacks.

TLS-RPT (TLS Reporting)

TLS-RPT (TLS Reporting): Complete guide to monitoring TLS connection failures for email transmission, identifying misconfigurations, and ensuring email security.


IPv6 Support (DNS + Web Reachability)

IPv6 Support: Complete guide to IPv6 DNS and web reachability, ensuring accessibility for IPv6-only networks and future-proofing government infrastructure.

RPKI (Resource Public Key Infrastructure)

RPKI (Resource Public Key Infrastructure): Complete guide to BGP route security, preventing route hijacking, and protecting IP address space.

IP Reputation, RBLs & PTR Records

IP Reputation & RBL Checks: Complete guide to monitoring IP addresses on abuse databases, blacklists, and proper reverse DNS (PTR) configuration.

Website Scanning

Website Scanning: Complete guide to detecting exposed email addresses, broken links, and other website hygiene issues that pose security or compliance risks.

WordPress Detection

WordPress Detection & Security: Complete guide to detecting WordPress versions, identifying security vulnerabilities, and patching basics for government websites.

HSTS (HTTP Strict Transport Security)

HSTS (HTTP Strict Transport Security): Complete guide to forcing HTTPS connections, preventing downgrade attacks, and meeting CISA compliance requirements.