Enterprise Solution: Adding and Setting Up Security Headers

Enables web developers to control which web platform features are available to a web page, enhancing security and privacy by limiting access to sensitive APIs. Learn more about Permissions-Policy headers. 

Determines if a webpage can be displayed within a frame, preventing clickjacking attacks by restricting framing. Learn more about X-Frame-Options.

Specifies how much information should be included in the HTTP referrer header when navigating from one page to another, enhancing user privacy and reducing data leakage. Learn more about Referrer-Policy headers. 

Forces secure HTTPS connections, protecting against man-in-the-middle attacks by ensuring all communication between browser and server occurs over HTTPS. Learn more about Strict-Transport-Security (HSTS) headers. 

Controls which resources a web page is allowed to load, mitigating risks such as cross-site scripting (XSS) attacks and data injection. Learn more about Content-Security-Policy (CSP) headers.

Note: This security header is supported by default on all Wix sites.

Tells the browser to use the Multipurpose Internet Mail Extensions (MIME) content type. This is a way of identifying the format of a file or document specified by the server, and not to change it. This helps prevent MIME type sniffing, ensuring the content type is used exactly as intended. Learn more about X-Content-Type-Options.

The Permissions-Policy header enables your organization's web developers to specify which website functionalities are permitted or restricted. You can define a set of policies that control access to APIs and browser behaviors. This ensures your site adheres to best practices and facilitates safer integration of third-party content.

Note: The Content-Security-Policy HTTP header has a frame-ancestors directive, which renders this header obsolete for supporting browsers.

The X-Frame-Options HTTP response header determines whether a browser can display a page within a frame, iframe, embed, or object, serving as a defense against clickjacking attacks, though it's effective only when the user's browser supports X-Frame-Options.

The Referrer-Policy HTTP header dictates the level of referrer information sent with requests via the Referrer header, and this policy can also be specified in HTML. 

The HTTP Strict-Transport-Security (HSTS) response header instructs browsers to access the site exclusively through HTTPS, automatically converting any HTTP attempts to HTTPS.

Content Security Policy (CSP) provides extra protection by identifying and preventing specific types of attacks, such as Cross-Site Scripting (XSS) and data injection. These attacks can lead to various harmful actions, from stealing data to distributing malware or defacing websites.

Enter all relevant directives and their corresponding values in the Directives field.