# HTTP security headers ## General
HTTP headerEstado
Strict-Transport-SecurityRecomendado
Content-Security-PolicyRecomendado
X-Content-Type-OptionsRecomendado
Content-TypeRecomendado
X-Frame-OptionsOpcional según contexto
Referrer-PolicyOpcional según contexto
Cache-ControlOpcional según contexto
Strict-Transport-Security {% code fullWidth="false" %} ```http Strict-Transport-Security: max-age=31536000; includeSubDomains ``` {% endcode %}
Content-Security-Policy ```http Content-Security-Policy: default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content ```
X-Content-Type-Options ```http X-Content-Type-Options: nosniff ```
Content-Type ```http Content-Type: application/json Content-Type: application/xml ```
X-Frame-Options ```http X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM ```
Referrer-Policy ```http Referrer-Policy: no-referrer ```
Cache-Control ```http Cache-Control: no-store ```
## cURL ```shell curl -I -L --url ``` * -I = headers. * -L = seguir redireccionamientos. * \--url = URL (Uniform Resource Locator). * \ = objetivo. ## Nmap ```shell nmap -p 80,443 --script http-security-headers -oN nmap-http-security-headers.txt ``` * -p = puertos. * \--script http-security-headers = HTTP security headers. * \ = objetivo. ## Nuclei ```sh nuclei -u -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent ``` ## securityheaders * ```shell securityheaders.py ``` ## shcheck * ```shell shcheck.py -i -k ``` ## Mozilla Observatory * ## OWASP Secure Headers Project * ## Security Headers *