Security headers checklist for production websites

A practical checklist for X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Permissions-Policy, COOP, and CORP.

10 min read. Audience: engineering managers, full-stack teams.

Clickjacking and framing controls

Use CSP frame-ancestors as your primary control for modern browsers. Keep X-Frame-Options set to DENY or SAMEORIGIN for legacy compatibility.

Example header

X-Frame-Options: SAMEORIGIN

Content type, referrers, and browser features

Set X-Content-Type-Options to nosniff so the browser honours the declared Content-Type instead of guessing one from the bytes, which is what MIME confusion attacks rely on. Use Referrer-Policy: strict-origin-when-cross-origin for a balance of privacy and analytics: same-origin requests keep the full URL, cross-origin requests get only the origin, and nothing is sent on an HTTPS-to-HTTP downgrade.

Set a Permissions-Policy that explicitly denies the browser features you do not use (camera, microphone, geolocation, usb) by giving each an empty allowlist, e.g. camera=().

Implementation checklist

  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy with least privilege defaults

Cross-origin isolation headers

COOP (Cross-Origin-Opener-Policy) places the document in its own browsing context group, so cross-origin pages that opened it, or that it opened, lose their window reference to it; CORP (Cross-Origin-Resource-Policy) tells the browser which origins may load a resource as a subresource. Together they improve process isolation and reduce abuse of cross-origin windows and resources, which matters most for high-sensitivity dashboards and admin panels.

Implementation checklist

  • Cross-Origin-Opener-Policy: same-origin
  • Cross-Origin-Resource-Policy: same-site (or same-origin where possible)
  • Test third-party integrations after enabling: COOP same-origin severs window.opener, which breaks popup-based login and payment flows that rely on it

Operational workflow for teams

Run an automated header scan in CI/CD and after each edge/proxy change. Treat header regressions as release blockers for internet-facing services.

Use one shared checklist across engineering and security so ownership is clear and remediation is fast.
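An added example, not part of the original checklist, of the automated header scan described above: a Python check that evaluates one response's headers against every item on this page, run here against two constructed sample responses. In CI you would pass it the headers of a live response (for example from urllib or requests); that fetch is assumed rather than shown.

```python
from typing import Dict, List

# Expected values from the checklist; header names are compared case-insensitively.
REQUIRED = {
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"strict-origin-when-cross-origin"},
    "x-frame-options": {"deny", "sameorigin"},
    "cross-origin-opener-policy": {"same-origin"},
    "cross-origin-resource-policy": {"same-site", "same-origin"},
}
DENIED_FEATURES = ("camera", "microphone", "geolocation", "usb")

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in REQUIRED.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower() not in allowed:
            findings.append(f"{name} is '{value}', expected one of {sorted(allowed)}")
    # CSP frame-ancestors is the primary framing control; X-Frame-Options is the legacy fallback.
    csp = h.get("content-security-policy", "")
    directives = {d.strip().split(" ")[0] for d in csp.split(";") if d.strip()}
    if "frame-ancestors" not in directives:
        findings.append("content-security-policy lacks frame-ancestors")
    # Permissions-Policy: each unused feature must be denied with an empty allowlist "=()".
    pp = h.get("permissions-policy", "")
    denied = {d.split("=")[0].strip() for d in pp.split(",") if d.strip().endswith("=()")}
    for feature in DENIED_FEATURES:
        if feature not in denied:
            findings.append(f"permissions-policy does not deny {feature}")
    return findings

# Constructed sample responses: GOOD satisfies the checklist, BAD carries three regressions.
GOOD = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), usb=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-site",
}
BAD = {**GOOD, "Referrer-Policy": "unsafe-url", "Permissions-Policy": "camera=()"}
del BAD["Cross-Origin-Opener-Policy"]  # simulate an edge/proxy change that drops a header

if __name__ == "__main__":
    problems = check_headers(BAD)
    print("\n".join(problems) or "all checks passed")
    raise SystemExit(1 if problems else 0)  # non-zero exit makes the regression a release blocker
```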