ISM-1424

Content-Security-Policy, HSTS and X-Frame-Options are specified by web server software via security policy in response headers.
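The control says the three headers must be set, but not what a sound value looks like or how to confirm a server actually sends one. The following audit routine is an added example, not ISM or ASD material: it takes a set of response headers and reports the weaknesses a reviewer would flag (missing header, HSTS `max-age` that is too short or lacks `includeSubDomains`, a CSP that falls back to `*` or `'unsafe-inline'`, an obsolete `X-Frame-Options: ALLOW-FROM`). The one-year HSTS minimum, the `audit_headers` name and the two constructed header sets are this example's own assumptions, not values the control specifies.

```python
"""Audit HTTP response headers against the intent of ISM-1424.

Added example, not ISM or ASD code. The thresholds below are assumptions made
for illustration (e.g. a one-year HSTS max-age), not figures from the control.
"""
from __future__ import annotations

# Minimum HSTS max-age this check accepts: one year in seconds (assumption).
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, *sources = parts
        policy.setdefault(name.lower(), []).extend(sources)
    return policy


def check_csp(value: str | None) -> list[str]:
    if value is None:
        return ["Content-Security-Policy header missing"]
    findings: list[str] = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    # A wildcard or 'unsafe-inline' in the script fallback defeats the point of CSP.
    for name in ("default-src", "script-src"):
        sources = policy.get(name, [])
        if "*" in sources:
            findings.append(f"CSP {name} allows any origin (*)")
        if "'unsafe-inline'" in sources:
            findings.append(f"CSP {name} allows 'unsafe-inline'")
    if "frame-ancestors" not in policy:
        findings.append("CSP has no frame-ancestors (framing relies on X-Frame-Options alone)")
    return findings


def check_hsts(value: str | None) -> list[str]:
    if value is None:
        return ["Strict-Transport-Security header missing"]
    findings: list[str] = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                findings.append("HSTS max-age is not an integer")
    if max_age is None:
        findings.append("HSTS has no max-age directive")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_xfo(value: str | None) -> list[str]:
    if value is None:
        return ["X-Frame-Options header missing"]
    # Only DENY and SAMEORIGIN are honoured by current browsers; ALLOW-FROM is obsolete.
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return [f"X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"]
    return []


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one response's headers (empty means clean)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return (check_csp(h.get("content-security-policy"))
            + check_hsts(h.get("strict-transport-security"))
            + check_xfo(h.get("x-frame-options")))


# Constructed sample responses: one weak, one hardened.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

To audit a live server, feed it the headers from a real response (for example `dict(requests.head(url).headers)`); the checks are deliberately independent of the transport so they can also run over stored scanner output.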

Topic
Web security policy response headers
Applicable to
Non Classified, Official, Protected, Secret, Top Secret

Priority
should

History

Mar 2025
Content-Security-Policy, HSTS and X-Frame-Options are specified by web server software via security policy in response headers.
The existing control recommending that web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers was amended to refer to web server software instead.
Mar 2022
Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Oct 2019
Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
Security control 1424 was modified to state the response header types to implement for web applications.
Sep 2019
Web browser-based security controls are implemented for web applications in order to help protect both web applications and their users.
2017
Web browser-based security controls should be implemented for web applications in order to help protect the web application and its users.
Control text changed. No public explanation.
2015
Agencies should implement browser-based security controls for web applications in order to help protect the web application and its users.

Open Web Application Security Project
The Open Web Application Security Project provides a comprehensive resource to consult when developing web applications.