What are HTTP Security Response Headers?

Before we explain what HTTP Security Response Headers are, you need to know the following:

What is HTTP?

HTTP stands for "Hypertext Transfer Protocol". It's the underlying protocol used by the World Wide Web to define how messages are formatted and transmitted. 

What is an HTTP Header?

An HTTP Header is a record sent by clients and servers communicating with each other via the HTTP protocol. Headers are name/value pairs that appear in both request and response messages.

What is an HTTP Request Header?

An HTTP Request Header is the information that a browser sends to a web server, containing details of what the browser will accept back from the server. After receiving and interpreting the request, the server responds with a message: the HTTP Response Header.

What is an HTTP Response Header?

An HTTP Response Header is the information sent out by your website when a visitor makes a request to load a page from your site. This information is used to direct how the browser will interpret, store, cache and use the forthcoming content. In other words, these are directives about the page that is about to load. Some of the things covered here are:

  • The time/date of the response
  • The protocol used
  • The (error) code
  • Content caching directives
  • The server handling the response
  • Cookies for the client/browser

What is an HTTP Security Header?

An HTTP Security Header is a normal HTTP Header whose purpose is security, and we call it a "Security Header".

What are HTTP Security Response Headers?

HTTP Security Response Headers are headers included in the web server's response to a browser that instruct the browser to enable (or disable) certain security features.

To dig into these particular HTTP Security Headers a little more, you can read a further summary over at ScottHelme here.

To understand the technical aspects of HTTP Headers better, please see this explanation article.
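The response headers described above, shown as an added example (not Shield's code and not from the original page): it parses a raw HTTP response into name/value pairs and reports which security headers the server sent. The sample response is constructed, and the checklist of header names is an assumption of this example, not a list taken from Shield.

```python
# Constructed sample response, not captured from any real site.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 12:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Cache-Control: max-age=3600\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

# Widely used security response headers (assumed checklist, not Shield's list).
SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
)


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (protocol, status, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]  # headers end at the first blank line
    status_line, *header_lines = head.split("\r\n")
    protocol, status, _reason = (status_line.split(" ", 2) + [""])[:3]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines that have no name/value separator
        # Header names are case-insensitive; repeated headers are kept as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return protocol, int(status), headers


def audit_security_headers(headers):
    """Return (present, missing) for the checklist above."""
    present = {n: ", ".join(headers[n.lower()]) for n in SECURITY_HEADERS if n.lower() in headers}
    missing = [n for n in SECURITY_HEADERS if n.lower() not in headers]
    return present, missing


if __name__ == "__main__":
    print(audit_security_headers(parse_response_head(RAW_RESPONSE)[2]))
```

Any header listed as missing is a security feature the browser was never told to enable for that response.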

How to use Shield to secure your site with HTTP Security Response Headers

To secure your site with these headers, you can use Shield's HTTP Headers module.

With this module, you can set: