Web server security – many web servers still set legacy HTTP response headers since old guides recommend setting these headers.

We added a new section to part 3 of our Web server security series that describes these headers in detail:


Don't blindly set X-Frame-Options, X-Xss-Protection, or HPKP. You likely don't need to set them.

Regarding your recommendation to skip legacy headers, is there any downside to sending these headers aside from just sending extra bytes?

My worry is that some 'strange' browsers — the ones included in smart TVs and ereaders and other edge cases — have bolted on support for TLS 1.2 but have less modern behaviour in other aspects of how they render a page.


There shouldn't be any downsides.

The biggest problem is the false sense of security: server admins set these headers because they are mentioned by some old guides on the internet, while every modern web browser ignores these headers.
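To make the "false sense of security" point concrete, here is a small header audit as an added example; it is not code from the thread or from the Web server security series. It parses a raw HTTP/1.x response, flags the legacy headers named above (X-Frame-Options, X-XSS-Protection and the two HPKP headers), and, as an assumption not stated in the thread, treats a Content-Security-Policy frame-ancestors directive as the modern replacement for X-Frame-Options, so that header is only reported as droppable once the CSP directive is present. The sample responses are constructed for the example.

```python
"""Audit an HTTP response for legacy security headers (added example).

Assumption, not from the thread: X-Frame-Options is superseded by the CSP
frame-ancestors directive; X-XSS-Protection and HPKP (Public-Key-Pins) have
no replacement header and are simply dropped.
"""

# Legacy header -> modern equivalent to look for before dropping it (None = none).
LEGACY_HEADERS = {
    "x-frame-options": "content-security-policy frame-ancestors",
    "x-xss-protection": None,
    "public-key-pins": None,
    "public-key-pins-report-only": None,
}


def parse_response_headers(raw: bytes) -> dict:
    """Parse the head of a raw HTTP/1.x response into a lowercase-keyed dict.

    Repeated header names are joined with ', '; malformed lines are skipped.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_has_frame_ancestors(headers: dict) -> bool:
    """True if a Content-Security-Policy header carries a frame-ancestors directive."""
    csp = headers.get("content-security-policy", "")
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def audit_legacy_headers(raw: bytes) -> list:
    """Return (header, verdict) pairs for every legacy header in the response."""
    headers = parse_response_headers(raw)
    findings = []
    for name, replacement in LEGACY_HEADERS.items():
        if name not in headers:
            continue
        if name == "x-frame-options" and not csp_has_frame_ancestors(headers):
            verdict = "legacy; add a CSP frame-ancestors directive before dropping it"
        elif replacement:
            verdict = f"legacy; {replacement} is present, header can be dropped"
        else:
            verdict = "legacy; not honoured by current mainstream browsers, drop it"
        findings.append((name, verdict))
    return findings


# Constructed sample: a server still following an old hardening guide.
LEGACY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Public-Key-Pins: pin-sha256=\"PLACEHOLDER_PIN=\"; max-age=5184000\r\n"
    b"Strict-Transport-Security: max-age=63072000\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed sample: X-Frame-Options kept alongside its CSP replacement.
TRANSITIONAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"\r\n"
)

# Constructed sample: no legacy headers at all.
MODERN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"Strict-Transport-Security: max-age=63072000\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, resp in (("legacy", LEGACY_RESPONSE), ("transitional", TRANSITIONAL_RESPONSE), ("modern", MODERN_RESPONSE)):
        print(label, audit_legacy_headers(resp) or "no legacy headers")
```

Running the audit against a real deployment's responses gives an inventory of headers that can be removed, which is the useful outcome here: the headers are harmless but they are dead weight, and an inventory that lists them as "protection" is what creates the false sense of security the reply describes.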
