Welcome to Veggiespam's Secure HTTP Headers page, where I provide my whitepapers showing how to secure the headers on your website. The content here is updated as technology, standards, and best practices change over time.
This effort started when I wrote a detailed paper, to share with my clients, on how to Remove Insecure HTTP Headers by re-configuring many different server technologies. Over time, I could see many other companies referencing the webpage from their internal bug ticketing systems and various open source projects posting links in issues on GitHub or other communal sites. So, a few years later, I finally finished the companion paper, Useful HTTP Security Headers, where I discussed how to add all of the necessary headers in one comprehensive document.
- Remove Insecure HTTP Headers, aka Bad headers and how to remove them
- Useful HTTP Security Headers, aka Good headers and how to enable them
If you came to /headers expecting the Header Removal page, it has migrated to /bad-headers, and this /headers URI now shows all of the HTTP header-related topics, including the new /good-headers page. Feel free to explore.
I welcome feedback via DM on Twitter @veggiespam or via email.