OWASP Secure Headers Project

The OWASP Secure Headers Project (also named OSHP) describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.

Introduction

HTTP headers are well-known and also despised. Seeking a balance between usability and security, developers implement functionality through the headers that can make applications more versatile or secure. But in practice how are the headers being implemented? What sites follow the best implementation practices? Big companies, small, all or none?

Description

We aim to publish reports on header usage stats, developments and changes, code libraries that make these headers easily accessible to developers on a range of platforms, and data sets concerning the general usage of these headers.

🌐 The OWASP Secure Headers Project was migrated to a new OWASP website.

📁 You can still access the old website here.

Issue and discussions

Both are handled with this dedicated project:

• Issues.
• Discussions.

Content editor

Content editing is done with Visual Studio Code.

A workspace file is provided with recommended extensions.

Generated content

The folder ci contains materials to generate the both JSON files containing the header recommended to add and remove.

Generation is performed by this GitHub action workflow everytime the file tab_bestpractices.md is modified.

Contributors

• Adam Averay
• Jim Manico

Licensing

OWASP Secure Headers Project is free to use. It is licensed under the Apache 2.0 License.