HTTP Security Headers — Protéger le navigateur
★★★★★
Headers essentiels
# Forcer HTTPS pour 1 an
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# Anti-XSS : contrôler le chargement des ressources
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-RANDOM'
# Anti-clickjacking
X-Frame-Options: DENY
# Empêcher le MIME sniffing
X-Content-Type-Options: nosniff
# Referer
Referrer-Policy: strict-origin-when-cross-origin
# Permissions navigateur
Permissions-Policy: geolocation=(), microphone=(), camera=() Tester ses headers
# En ligne
curl -I https://target.com
# securityheaders.com
# Mozilla Observatory : observatory.mozilla.org