The Challenge:

HTTP security headers instruct browsers on how to behave when users interact with your site. They are a wonderful tool that helps you secure your users against common attacks like man-in-the-middle (MITM) attacks, Cross-Site Request Forgeries (CSRF), and more.

HTTP security headers include: Strict Transport Security, Content-Security-Policy, X-XSS-Protection, X-Frame-Options, Referrer-Policy, X-Content-Type-Options, and Feature-Policy. They all have their individual functionalities and use cases, and you can learn more about them here on Mozilla’s website:

So, here comes this month’s challenge: which of the following statements are false about HTTP security headers? Hint: there can be more than one misleading statement!

A) The Strict-Transport-Security header forces the browser to communicate with HTTPS instead of HTTP. It helps prevent man-in-the-middle and session hijacking attacks.

B) The Content-Security-Policy header controls which resource the browser is allowed to load for the page. This prevents some cross-site scripting attacks.

C) X-XSS-Protection turns on the XSS auditor of the browser and protects against XSS attacks. The best practice for the X-XSS-Protection header is “X-XSS-Protection: 1; report=REPORT_URI”.

D) The X-Frame-Options header prevents clickjacking attacks. It should be set on all pages that contain sensitive state-changing actions.

E) The Referrer-Policy header helps prevent information leakages offsite via referer URLs. In addition to setting the correct Referrer-Policy header, you should also avoid transporting sensitive information in URLs if possible.

F) X-Content-Type-Options turns on MIME-sniffing on the browser. MIME-sniffing is when browsers try to determine the file type of the document by examining its content.

G) The Feature-Policy header lets you enable and disable browser features. For example, you can control whether the current page and its iframes has access to the user’s camera, microphone, and speaker. This allows you to build sites that protect users’ privacy and security.

Which of these statements are incorrect? Submit your answer in the form above!



  • Submit your full name, email address, organization, along with your answer in the form above by May 31, 2021, 11:59 PM PT.
  • Three correct submissions will be selected randomly to win a SnackMagic snack box. We will announce the winners by June 30, 2021.
  • We will run developer challenges every month. At the end of the year, all developers who participate will be entered into a raffle for a special prize based on the number of challenges they participated in. (Each challenge submission gets one raffle ticket.)


Interested in learning how you can secure your code? Check out our free training courses.