Ensure Web Security Through Response Headers
Web servers use security headers to protect web applications from attacks.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Feb 2025
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A
Guideline: Guidelines for software development
Section: Web application development
Content-Security-Policy, Hypertext Transfer Protocol Strict Transport Security and X-Frame-Options are specified by web server software via security policy in response headers.
Source: ASD Information Security Manual (ISM)
Plain language
Web security response headers are like safety instructions your web server gives out to help protect your website from attacks. If these instructions aren't given, your website might be more vulnerable to hackers who could steal data or damage your online presence.
Why it matters
If CSP, HSTS and X-Frame-Options headers are missing, users are more exposed to XSS, clickjacking and HTTPS downgrade/MITM attacks.
Operational notes
Audit response headers (CSP, HSTS, X-Frame-Options) in CI/CD and via scanning; alert on header absence or unexpected changes after deployments.
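The header audit described above, as an added example that is not part of the original page or of any Control Stack tooling: it takes a captured set of response headers (constructed inline here) and reports a finding for each of the three ISM-1424 headers that is absent or carries a value weaker than a baseline this example assumes (HSTS max-age of one year, X-Frame-Options limited to DENY or SAMEORIGIN, no inline or wildcard script sources in CSP). A CI/CD job could run the same function over headers fetched from a staging deployment and fail the pipeline when the list is non-empty.

```python
"""Audit captured HTTP response headers for the headers ISM-1424 names.

Constructed example for illustration; thresholds below are assumed baselines,
not values taken from the ISM.
"""
from typing import Dict, List

REQUIRED = ("content-security-policy", "strict-transport-security", "x-frame-options")


def audit_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name in REQUIRED:
        if name not in h:
            findings.append(f"missing: {name}")
    csp = h.get("content-security-policy")
    if csp:
        # Split "name value value; name value" into a directive -> sources map.
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        src = directives.get("script-src", directives.get("default-src", []))
        if not src:
            findings.append("weak: csp has no script-src or default-src")
        elif "'unsafe-inline'" in src or "*" in src:
            findings.append("weak: csp script sources allow inline scripts or any origin")
    hsts = h.get("strict-transport-security")
    if hsts:
        age = None
        for d in hsts.split(";"):
            k, _, v = d.strip().partition("=")
            if k.lower() == "max-age" and v.isdigit():
                age = int(v)
        if age is None or age < min_hsts_age:
            findings.append(f"weak: hsts max-age missing or below {min_hsts_age}")
    xfo = h.get("x-frame-options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: x-frame-options value {xfo!r} is not DENY or SAMEORIGIN")
    return findings


# Constructed sample responses (not captured from any real server).
GOOD = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY"}
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300",
        "X-Frame-Options": "ALLOW-FROM https://example.com"}
MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK), ("missing", MISSING)):
        print(label, audit_headers(hdrs) or "ok")
```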
Implementation tips
- IT team should configure the web server to add essential security headers. Use security policy settings to include Content-Security-Policy, which restricts the sources from which a page may load scripts, styles and other resources.
- Web developers should collaborate with IT to set up Hypertext Transfer Protocol Strict Transport Security (HSTS) headers. This ensures that all communication with your site happens using a secure connection.
- System administrators need to implement X-Frame-Options headers on the web server. This stops your website from being displayed in a frame on other sites, which can prevent clickjacking attacks.
- IT security personnel should regularly review and update security policies. Conduct tests on the server's response headers to verify they are active and correctly configured.
- Management should support regular training for the IT team on the latest web security best practices. Encourage participation in relevant Australian Cyber Security Centre (ACSC) webinars and workshops.
Audit / evidence tips
- Ask: the server configuration files. Request access to the files that define the web server's settings.
  Good: configuration should list these headers clearly and accurately.
- Ask: security audit reports. Request recent reports covering web server security checks.
  Good: will show findings that the headers are properly configured and include notes on any improvements made.
- Ask: copies of the organisation's web security policies.
- Ask: records of web server testing. Request logs from recent testing of web server security measures.
  Good: will note successful tests of all header configurations.
- Ask: evidence of IT staff training. Request documentation of recent training sessions on web security.
  Good: sessions should include up-to-date practices on implementing and managing response headers.
Cross-framework mappings
How ISM-1424 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.26 | ISM-1424 requires web server software to implement specific web security response headers (e.g | |
| Supports (1) | ||
| Annex A 8.8 | ISM-1424 requires web servers to be configured to emit protective response headers that reduce client-side attack surface and enforce sec... | |