Security Headers

Test case for the common security headers (X-XSS-Protection, X-Frame-Options, X-Content-Type-Options).


  • HTTP GET or HEAD request on any URL.


In this template the HTTP Status returned is expected to be 200 (OK) and the following security headers are tested:

  • X-XSS-Protection tested for value '1; mode=block': this configuration blocks reflected cross-site scripting (XSS) attacks in some browsers.
  • X-Frame-Options tested for value 'DENY': this configuration blocks a browser from embedding a page in a frame, mainly to prevent clickjacking attacks.
  • X-Content-Type-Options tested for value 'nosniff': this configuration tells the browser not to guess the content types of resources.
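A checker implementing the assertions above (expected status 200 plus the three header values), added here as an example and not code from the template itself; the sample responses are constructed, and `check_url` uses only the Python standard library:

```python
import urllib.error
import urllib.request

EXPECTED_STATUS = 200
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def _normalise(value):
    # Header values are compared without internal whitespace and case-insensitively:
    # '1;mode=block', 'deny' and 'NOSNIFF' are accepted by browsers just like the
    # canonical forms, so they should not be reported as failures.
    return "".join(value.split()).lower()


def check_security_headers(status, headers):
    """Return a list of failure strings (empty when every check passes).

    `headers` is any mapping of header name -> value; names are matched
    case-insensitively because HTTP header names are not case-sensitive.
    """
    failures = []
    if status != EXPECTED_STATUS:
        failures.append(f"status {status} != {EXPECTED_STATUS}")
    lowered = {name.lower(): value for name, value in headers.items()}
    for name, expected in EXPECTED_HEADERS.items():
        actual = lowered.get(name.lower())
        if actual is None:
            failures.append(f"{name} missing")
        elif _normalise(actual) != _normalise(expected):
            failures.append(f"{name}: got {actual!r}, expected {expected!r}")
    return failures


def check_url(url, method="HEAD", timeout=10):
    """Send a GET or HEAD request and run the checks on the live response."""
    request = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return check_security_headers(response.status, dict(response.headers))
    except urllib.error.HTTPError as err:
        # Non-2xx responses still carry headers; report the status mismatch too.
        return check_security_headers(err.code, dict(err.headers))


# Constructed sample responses (not captured from any real server).
SAMPLE_OK = (200, {"x-xss-protection": "1; mode=block",
                   "X-Frame-Options": "deny",
                   "X-Content-Type-Options": "nosniff"})
SAMPLE_BAD = (200, {"X-Frame-Options": "SAMEORIGIN",
                    "X-Content-Type-Options": "nosniff"})

if __name__ == "__main__":
    for status, headers in (SAMPLE_OK, SAMPLE_BAD):
        print(check_security_headers(status, headers) or "all checks passed")
```

Current Chromium and Firefox releases no longer implement an XSS auditor, so the X-Frame-Options and nosniff checks carry more practical weight today than the X-XSS-Protection one.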

