HTTP Security Headers — Protéger le navigateur

Hardening CSP

Headers essentiels

# Forcer HTTPS pour 1 an
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# Anti-XSS : contrôler le chargement des ressources
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-RANDOM'

# Anti-clickjacking
X-Frame-Options: DENY

# Empêcher le MIME sniffing
X-Content-Type-Options: nosniff

# Referer
Referrer-Policy: strict-origin-when-cross-origin

# Permissions navigateur
Permissions-Policy: geolocation=(), microphone=(), camera=()

Tester ses headers

# En ligne
curl -I https://target.com
# securityheaders.com
# Mozilla Observatory : observatory.mozilla.org