Зачем нужны эти заголовки безопасности?

Question

[airbor]

В админ-панели WordPress:



Your website does not send all recommended security headers.

Upgrade Insecure Requests
X-XSS protection
X-Content Type Options
Referrer-Policy
X-Frame-Options
Permissions-Policy
HTTP Strict Transport Security

Насколько в этом реально есть смысл, на что влияет?

Comments

[airbor]

Mark Fish, поисковой оптимизацией. На позиции в результатах поиска не влияют.

Answer 1

[Александр Фалалеев]

Всё отлично гуглится - смысла это делать за Вас нет никакого.

Единственно - X-XSS protection уже не нужно ибо:

а) устарело и основным современным браузерам ненужно
б) теоретически (крайнемаловероятно в пределах погрешности) может быть вредно пользователям браузера Сафари.

If configuration requests blocking when XSS attacks are detected, which is potentially dangerous as it allows attackers to selectively disable portions of of JavaScript code. The only safe approach is to explicitly disable browser-based XSS protection.
Some browsers ship with so-called XSS Auditors, built-in defenses against XSS. Although these defenses work against simple reflective XSS attacks, they can be abused by skillful attackers to add weaknesses to otherwise secure web sites. These dangers are present in both filtering and blocking modes. At this time, the Safari browser ships with its XSS defenses enabled by default. For this reason, the best approach is to explicitly disable this functionality.