Browse the essential HTTP security headers, copy their recommended values, and generate a paste-ready configuration snippet for NGINX, Apache or Node.

| Header | What it does | Recommended value |
|---|---|---|
| Strict-Transport-Security | Forces browsers to use HTTPS for future requests, preventing protocol-downgrade and cookie-hijacking attacks over insecure connections. | `max-age=63072000; includeSubDomains; preload` |
| Content-Security-Policy | Whitelists the sources a page may load scripts, styles, frames and other resources from; the primary defense against cross-site scripting (XSS) and data injection. | `default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'` |
| X-Frame-Options | Blocks the page from being embedded in a frame or iframe, defending against clickjacking. Superseded by CSP `frame-ancestors` but still respected by older browsers. | `DENY` |
| X-Content-Type-Options | Stops browsers from MIME-sniffing a response away from its declared Content-Type, preventing scripts from being executed from non-script responses. | `nosniff` |
| Referrer-Policy | Controls how much of the originating URL is sent in the Referer header, limiting leakage of sensitive paths and query strings to other origins. | `strict-origin-when-cross-origin` |
| Permissions-Policy | Selectively enables or disables powerful browser features (camera, microphone, geolocation, etc.) for the page and any embedded frames. | `geolocation=(), camera=(), microphone=()` |
| Cross-Origin-Opener-Policy | Isolates the page's browsing context from cross-origin windows, mitigating cross-window attacks and enabling features that require cross-origin isolation. | `same-origin` |
| Cross-Origin-Embedder-Policy | Requires that cross-origin resources explicitly grant permission to be embedded; a prerequisite (together with COOP) for cross-origin isolation and high-resolution timers. | `require-corp` |
| Cross-Origin-Resource-Policy | Limits which origins may embed this resource, blocking side-channel attacks such as Spectre that read cross-origin responses. | `same-origin` |
| X-XSS-Protection | Toggles the legacy XSS auditor built into older browsers. Modern browsers have removed it and it can introduce vulnerabilities, so it should be disabled. | `0` |
NGINX snippet for the first five headers (place it in the `server` block; `always` ensures the headers are also sent on error responses):

```nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```

Security headers are response headers that tell the browser to apply extra protections such as enforcing HTTPS, blocking framing, restricting resource origins and limiting referrer leakage. Apply them on your server or at the CDN edge, then verify the result with a browser. The recommended values given here are sensible defaults; tune the Content-Security-Policy and Permissions-Policy values to your application's actual needs before deployment.