Document Version: 1.0
Last Updated: January 7, 2026
Status: Ready for Implementation
This document provides recommended security header configurations for the Interact platform. Security headers are HTTP response headers that instruct browsers on how to behave when handling the site's content, providing an additional layer of defense against common web vulnerabilities.
Implementation Note: These headers should be configured at the infrastructure level (Base44 SDK, CDN, or web server) rather than in the application code.
Purpose: Prevents Cross-Site Scripting (XSS) and other code injection attacks by controlling which resources can be loaded.
Recommended Configuration:
Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.base44.io https://unpkg.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com data:;
img-src 'self' data: https: blob:;
media-src 'self' https:;
object-src 'none';
frame-src 'none';
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
connect-src 'self' https://api.base44.io https://api.openai.com https://api.anthropic.com https://generativelanguage.googleapis.com wss://api.base44.io;
upgrade-insecure-requests;
block-all-mixed-content;Breakdown:
default-src 'self': Only load resources from same origin by defaultscript-src: Allow scripts from self and trusted CDNs'unsafe-inline': Required for React inline event handlers (consider removing in future)'unsafe-eval': Required for some dependencies (evaluate if removable)
style-src: Allow styles from self and Google Fontsfont-src: Allow fonts from self, Google Fonts, and data URIsimg-src: Allow images from any HTTPS source (for user uploads, external images)connect-src: Allow API connections to Base44 and AI servicesframe-ancestors 'none': Prevent clickjackingupgrade-insecure-requests: Automatically upgrade HTTP to HTTPS
Report-Only Mode (for testing):
Content-Security-Policy-Report-Only: [same directives]; report-uri https://your-reporting-endpoint.com/csp-reportAction Items:
- Test CSP in report-only mode
- Review CSP violations in browser console
- Adjust directives as needed
- Enable enforcement mode
- Setup CSP violation reporting endpoint
Purpose: Prevents MIME type sniffing, which can lead to security vulnerabilities.
X-Content-Type-Options: nosniffImpact: Forces browsers to respect the Content-Type header, preventing execution of scripts disguised as other file types.
Implementation: Apply to all responses.
Purpose: Prevents clickjacking attacks by controlling whether the site can be embedded in iframes.
X-Frame-Options: DENYAlternatives:
DENY: Cannot be framed at all (recommended)SAMEORIGIN: Can only be framed by same origin- Consider using CSP
frame-ancestorsinstead (more flexible)
Implementation: Apply to all HTML responses.
Purpose: Forces browsers to only connect via HTTPS, preventing protocol downgrade attacks.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadBreakdown:
max-age=31536000: Enforce HTTPS for 1 year (365 days)includeSubDomains: Apply to all subdomainspreload: Eligible for browser HSTS preload list
Caution:
- Only enable after confirming HTTPS is working on all subdomains
preloadrequires submission to https://hstspreload.org/- Very difficult to undo once preloaded
Implementation: Apply to all HTTPS responses.
Purpose: Controls how much referrer information is sent with requests.
Referrer-Policy: strict-origin-when-cross-originOptions:
no-referrer: Never send referrerno-referrer-when-downgrade: Don't send on HTTPS → HTTPorigin: Only send origin, not full URLstrict-origin: Send origin only on same-protocolstrict-origin-when-cross-origin: Full URL for same-origin, origin only for cross-origin (recommended)
Implementation: Apply to all responses.
Purpose: Controls which browser features and APIs can be used (formerly Feature-Policy).
Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()Breakdown:
(): Disables feature for all origins(self): Enables for same origin only(self "https://example.com"): Enables for specific origins
Customize based on needs:
Permissions-Policy:
geolocation=(self),
microphone=(),
camera=(self "https://meet.krosebrook.com"),
payment=(),
usb=(),
interest-cohort=()Implementation: Apply to all HTML responses.
Purpose: Enables browser XSS filtering (legacy header, CSP is preferred).
X-XSS-Protection: 1; mode=blockStatus: Deprecated in modern browsers, but still used by older browsers.
Options:
0: Disables filter1: Enables filter1; mode=block: Enables filter and blocks page if attack detected
Note: Modern CSP replaces this. Include for legacy browser support only.
Purpose: Prevents a document from loading cross-origin resources that don't grant permission.
Cross-Origin-Embedder-Policy: require-corpStatus: Optional, may break some integrations. Test thoroughly.
Purpose: Allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
Cross-Origin-Opener-Policy: same-originStatus: Optional, evaluate if needed for isolation.
Purpose: Controls who can load the resource.
Cross-Origin-Resource-Policy: same-originOptions:
same-origin: Only same origin can loadsame-site: Same site can loadcross-origin: Anyone can load
Apply selectively: Use cross-origin for public assets, same-origin for sensitive resources.
If Base44 supports custom headers:
// In Base44 configuration
export default {
headers: {
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'Referrer-Policy': 'strict-origin-when-cross-origin',
'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
'Content-Security-Policy': '[CSP directives]'
}
}Action: Consult Base44 documentation or support.
Cloudflare Workers example:
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
const response = await fetch(request)
const newHeaders = new Headers(response.headers)
// Add security headers
newHeaders.set('X-Content-Type-Options', 'nosniff')
newHeaders.set('X-Frame-Options', 'DENY')
newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin')
newHeaders.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()')
newHeaders.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')
newHeaders.set('Content-Security-Policy', '[CSP directives]')
return new Response(response.body, {
status: response.status,
statusText: response.statusText,
headers: newHeaders
})
}Note: This only affects local preview, not production.
// vite.config.js
export default defineConfig({
preview: {
headers: {
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'Referrer-Policy': 'strict-origin-when-cross-origin'
}
}
})Some headers can be set via meta tags (not recommended):
<!-- In index.html - Limited effectiveness -->
<meta http-equiv="Content-Security-Policy" content="[CSP directives]">
<meta http-equiv="X-Content-Type-Options" content="nosniff">Note: HTTP headers are more reliable than meta tags. Use HTTP headers when possible.
-
SecurityHeaders.com
- URL: https://securityheaders.com/
- Grades your headers A-F
- Provides recommendations
-
Mozilla Observatory
- URL: https://observatory.mozilla.org/
- Comprehensive security scan
- Includes headers, TLS, and more
-
OWASP Secure Headers Project
- URL: https://owasp.org/www-project-secure-headers/
- Header documentation and testing
Chrome/Edge:
- Open DevTools (F12)
- Go to Network tab
- Click any request
- View "Headers" section
- Check "Response Headers"
Firefox:
- Open DevTools (F12)
- Go to Network tab
- Click any request
- View "Response Headers"
Using curl:
curl -I https://your-domain.com
# Check specific header
curl -I https://your-domain.com | grep -i "content-security-policy"Using Node.js:
const https = require('https');
https.get('https://your-domain.com', (res) => {
console.log('Security Headers:');
console.log('CSP:', res.headers['content-security-policy']);
console.log('X-Frame-Options:', res.headers['x-frame-options']);
console.log('HSTS:', res.headers['strict-transport-security']);
});Option 1: Use a service
- Report URI: https://report-uri.com/
- Sentry: Built-in CSP reporting
- Custom endpoint
Option 2: Self-hosted
// Example endpoint to receive CSP reports
app.post('/csp-report', (req, res) => {
console.log('CSP Violation:', req.body);
// Store in database or send to logging service
res.status(204).send();
});CSP with reporting:
Content-Security-Policy: [directives]; report-uri https://your-domain.com/csp-reportModern alternative (report-to):
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://your-domain.com/csp-report"}]}
Content-Security-Policy: [directives]; report-to csp-endpoint- Review current headers (none currently)
- Test headers in staging environment
- Identify compatibility issues
- Document required changes
- Deploy CSP in report-only mode
- Monitor violation reports
- Adjust directives as needed
- Test on multiple browsers
- Enable all headers in production
- Monitor for issues
- Quick rollback plan ready
- User communication if needed
- Remove
unsafe-inlineandunsafe-evalif possible - Implement nonces or hashes for inline scripts
- Regular security header audits
- Update as standards evolve
Problem: React uses inline event handlers, CSP blocks them.
Solution:
- Use
'unsafe-inline'temporarily - Implement nonce-based CSP (advanced)
- Refactor to addEventListener instead of inline handlers
Problem: External images/scripts blocked by CSP.
Solution:
- Add specific domains to CSP whitelist
- Use img-src with wildcard carefully:
img-src 'self' https: data: - Review which external resources are truly necessary
Problem: Some subdomains don't have HTTPS, HSTS breaks them.
Solution:
- Enable HTTPS on all subdomains before enabling HSTS
- Use
includeSubDomainsonly when ready - Don't use
preloaduntil confirmed working everywhere
Problem: Need to embed in partner sites, X-Frame-Options blocks.
Solution:
- Use CSP
frame-ancestorsinstead (allows specific origins) - Set to
SAMEORIGINif only need same-site embeds - Create specific pages that allow framing
OWASP Top 10:
- A03:2021 – Injection (CSP helps prevent XSS)
- A05:2021 – Security Misconfiguration (headers are part of secure config)
PCI DSS:
- Requirement 6.5.7: XSS protection
- Security headers contribute to compliance
GDPR:
- Security headers are part of "appropriate technical measures"
Documentation:
- MDN Web Docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- OWASP Secure Headers: https://owasp.org/www-project-secure-headers/
- CSP Reference: https://content-security-policy.com/
Tools:
- Security Headers: https://securityheaders.com/
- CSP Evaluator: https://csp-evaluator.withgoogle.com/
- Mozilla Observatory: https://observatory.mozilla.org/
Generators:
- CSP Builder: https://report-uri.com/home/generate
- Header Generator: https://www.permissionspolicy.com/
Implementation Checklist:
- Review Base44 SDK header capabilities
- Configure CSP in report-only mode
- Test headers in staging environment
- Monitor CSP violation reports
- Adjust CSP directives based on reports
- Enable enforcement mode for CSP
- Add all recommended headers
- Test on multiple browsers
- Verify with securityheaders.com
- Document in deployment process
- Setup monitoring for header presence
- Regular audits (quarterly)
Document Owner: Engineering Lead
Review Frequency: Quarterly or when standards change
Next Review: April 7, 2026
Approval:
- Engineering Lead
- Security Team
- DevOps Team
Version History:
- 2026-01-07: v1.0 - Initial documentation