
Browser Security Headers

WARNING: These headers can change browser behavior for framing, referrer sharing, transport handling, and API access. Review dependencies before enabling them, especially if the site is embedded elsewhere, depends on browser features, or is still stabilizing HTTPS.

Description of the control

Use this section to enable common browser security headers and define the values that should be sent with responses. The grouped controls cover MIME sniffing protection, frame embedding restrictions, referrer handling, browser feature access, and HSTS enforcement.

Procedure

  1. Open Posture Management.
  2. Select Transport & Browser Security.
  3. In the Browser Security Headers card, configure the required headers.
  4. For X-Content-Type-Options, enable Send X-Content-Type-Options header and keep or update the value in cmsspm_opt_header_x_content_type_options. The default shown is nosniff, which is the only value browsers recognize for this header.
  5. For X-Frame-Options, enable Send X-Frame-Options header and choose the required value: DENY blocks all framing, SAMEORIGIN permits framing only by pages from the same origin.
  6. For Referrer-Policy, enable Send Referrer-Policy header and choose the policy value that matches the site’s sharing requirements. The balanced default shown is strict-origin-when-cross-origin.
  7. For Permissions-Policy, enable Send Permissions-Policy header and edit the header value if needed, for example geolocation=(), microphone=(), camera=().
  8. For Strict-Transport-Security (HSTS), enable Send Strict-Transport-Security header only after HTTPS is stable, then keep or update the configured value, such as max-age=31536000; includeSubDomains; preload. Note that includeSubDomains applies the policy to every subdomain, including any that do not yet serve HTTPS, and that preload takes effect only after the domain is submitted to the browser preload list and is difficult to reverse. Start with a shorter max-age and without preload until every host under the domain is confirmed to serve HTTPS.
  9. Select Save Transport & Browser Settings.

Validation

After saving, load the site in a browser and confirm the intended headers are present on responses, for example in the browser developer tools Network panel or with curl. Also test any workflows that depend on framing, referrer data, browser APIs, or HTTPS handling to confirm the chosen values do not disrupt expected behavior.
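The following script is an added example for checking the values configured in the procedure above and for the validation step; it is not part of this page's product or the plugin's own code. It parses a raw HTTP response header block and evaluates the five headers this page covers against the values recommended above: nosniff as the only accepted X-Content-Type-Options value, DENY or SAMEORIGIN for X-Frame-Options, a recognized Referrer-Policy token that does not leak full URLs cross-origin, a well-formed Permissions-Policy, and an HSTS max-age of at least one year with preload only alongside includeSubDomains. The two embedded response samples are constructed for the example, not captured from a real site.

```python
"""Audit a raw HTTP response header block against the browser security header values above."""
import re
import sys

# Constructed sample of what a server should return after the settings above are saved.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""

# Constructed sample of a weak configuration, used to show what the checks reject.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOW-FROM https://partner.example
Referrer-Policy: unsafe-url
Strict-Transport-Security: max-age=0; preload
"""

VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
ONE_YEAR = 31536000


def parse_headers(raw):
    """Parse a raw header block into {lowercase-name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value):
    """Return (ok, message) for a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        return False, "max-age directive missing"
    if max_age == 0:
        return False, "max-age=0 disables HSTS"
    if max_age < ONE_YEAR:
        return False, f"max-age={max_age} is below one year"
    if "preload" in directives and "includesubdomains" not in directives:
        return False, "preload requires includeSubDomains"
    return True, "ok"


def audit(raw):
    """Return {header-name: (ok, message)} for the five headers covered on this page."""
    h = parse_headers(raw)
    results = {}

    xcto = h.get("x-content-type-options")
    results["X-Content-Type-Options"] = (
        (True, "ok") if xcto and xcto.lower() == "nosniff"
        else (False, f"expected nosniff, got {xcto!r}"))

    xfo = h.get("x-frame-options")
    results["X-Frame-Options"] = (
        (True, "ok") if xfo and xfo.upper() in {"DENY", "SAMEORIGIN"}
        else (False, f"expected DENY or SAMEORIGIN, got {xfo!r}"))

    rp = h.get("referrer-policy")
    if rp is None:
        results["Referrer-Policy"] = (False, "header missing")
    else:
        # The header may carry a comma-separated fallback list; every token must be valid.
        tokens = [t.strip().lower() for t in rp.split(",")]
        if any(t not in VALID_REFERRER_POLICIES for t in tokens):
            results["Referrer-Policy"] = (False, f"unknown policy token in {rp!r}")
        elif "unsafe-url" in tokens or "no-referrer-when-downgrade" in tokens:
            results["Referrer-Policy"] = (False, "policy sends the full URL to other origins")
        else:
            results["Referrer-Policy"] = (True, "ok")

    pp = h.get("permissions-policy")
    # Accept a comma-separated list of feature=allowlist entries, e.g. camera=() or camera=self.
    entry = r"[a-z-]+=(\*|self|\([^)]*\))"
    results["Permissions-Policy"] = (
        (True, "ok") if pp and re.fullmatch(rf"{entry}(\s*,\s*{entry})*", pp)
        else (False, f"missing or malformed: {pp!r}"))

    hsts = h.get("strict-transport-security")
    results["Strict-Transport-Security"] = check_hsts(hsts) if hsts else (False, "header missing")
    return results


if __name__ == "__main__":
    # Read real headers from stdin when piped in; otherwise audit the constructed sample.
    raw = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    for name, (ok, msg) in audit(raw).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {msg}")
```

To run it against a live site, pipe the response headers in, for example `curl -sS -D - -o /dev/null https://example.com/ | python3 audit_headers.py` (the script name is an assumption). Using a GET with `-D -` rather than `curl -I` avoids servers that answer HEAD requests with a different header set, and the check should be repeated against a page that is embedded elsewhere or uses a browser API, since those are the workflows the header values can break.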
