ISM-1424 (policy): ASD Information Security Manual (ISM)

Ensure Web Security Through Response Headers

Web servers use security headers to protect web applications from attacks.


Plain language

Web security response headers are like safety instructions your web server sends to each visitor's browser, telling it how to protect your website and its users from attacks. If these instructions aren't sent, the browser has no reason to refuse unsafe behaviour, and your website is easier for attackers to abuse to steal data or damage your online presence.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Content-Security-Policy, Hypertext Transfer Protocol Strict Transport Security and X-Frame-Options are specified by web server software via security policy in response headers.

Why it matters

Each header closes a distinct client-side gap. Without a Content-Security-Policy the browser will run any script an attacker manages to inject, so a cross-site scripting (XSS) flaw is fully exploitable. Without HSTS a user's first or downgraded plaintext HTTP request can be intercepted or redirected by an attacker on the network path (HTTPS downgrade/MITM). Without X-Frame-Options a hostile site can load your page in an invisible frame and trick users into clicking on it (clickjacking). If any of the three is missing, users are exposed to the corresponding attack.


Operational notes

Audit the response headers (CSP, HSTS, X-Frame-Options) in CI/CD and with periodic scanning; alert when a header is absent or its value changes unexpectedly after a deployment, since a configuration change or a new reverse proxy can silently drop a header that was previously set.


Implementation tips

  • IT team should configure the web server to add essential security headers. Use security policy settings to include Content-Security-Policy, which restricts the origins from which scripts, styles and other resources may be loaded and blocks inline script that an attacker injects into a page.
  • Web developers should collaborate with IT to set up Hypertext Transfer Protocol Strict Transport Security (HSTS) headers. A browser that has seen the header will reach the site only over HTTPS for the stated max-age, refusing plaintext HTTP even if a user or a network attacker asks for it.
  • System administrators need to implement X-Frame-Options headers on the web server, with the value DENY (or SAMEORIGIN where the site frames itself). This stops your website from being displayed in a frame on other sites, which prevents clickjacking attacks.
  • IT security personnel should regularly review and update security policies. Test the server's response headers to verify they are present and correctly configured, not just that the configuration file mentions them.
  • Management should support regular training for the IT team on the latest web security best practices. Encourage participation in relevant Australian Cyber Security Centre (ACSC) webinars and workshops.
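One way to run the header audit called for in the operational notes and to check the three headers the implementation tips describe, as an added example that is not part of the ISM or of this page: a Python script that parses a raw HTTP response, flags a missing or weak Content-Security-Policy, Strict-Transport-Security or X-Frame-Options header, and reports drift from a recorded baseline so a deployment that drops a header raises an alert. The two sample responses are constructed for the example, and the one-year HSTS minimum and the CSP source checks are this example's own assumptions; the ISM control itself only requires that the headers be set.

```python
"""Audit the three ISM-1424 response headers in a raw HTTP response.

Added example for this page, not code from the ISM or any product. The
one-year HSTS minimum and the CSP source checks are this example's own
assumptions; the ISM control only requires that the headers be present.
"""
import re

AUDITED = ("content-security-policy", "strict-transport-security", "x-frame-options")
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumption, not an ISM value)


def parse_headers(raw: str) -> dict:
    """Return {lower-case name: value} for the header block of a raw response.
    Repeated headers are joined with ', ', matching how browsers combine them."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; the body is ignored
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def csp_directives(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit(headers: dict) -> list:
    """Return findings for a parsed response; an empty list means it passes."""
    findings = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = csp_directives(csp)
        script = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
        if script is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
            # so only flag it when there is none.
            keyed = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
            if "'unsafe-inline'" in script and not keyed:
                findings.append("CSP script sources allow 'unsafe-inline' without a nonce or hash")
            if "*" in script:
                findings.append("CSP script sources allow any origin (*)")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("HSTS has no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):  # ALLOW-FROM is obsolete and ignored
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    return findings


def drift(baseline: dict, current: dict) -> dict:
    """Return {header: (baseline value, current value)} for audited headers that changed."""
    return {n: (baseline.get(n), current.get(n)) for n in AUDITED if baseline.get(n) != current.get(n)}


# Constructed sample responses for this example; not captured from any real server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src *; script-src * 'unsafe-inline'\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    weak, hardened = parse_headers(WEAK_RESPONSE), parse_headers(HARDENED_RESPONSE)
    for finding in audit(weak):
        print("FAIL:", finding)
    print("hardened findings:", audit(hardened))
    print("drift from baseline:", drift(hardened, weak))
```

In a pipeline, feed the script the output of `curl -sI https://host/path` for each deployed endpoint and fail the job when `audit` returns findings; store the passing header set as the baseline and call `drift` after each deployment. The header values in the hardened sample are the same strings you would set with nginx `add_header` or Apache `Header always set` directives. One nginx caveat worth testing for rather than assuming: `add_header` directives in a nested `location` block replace, rather than add to, those inherited from the enclosing level, so a location that sets its own header can silently lose the others.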

Audit / evidence tips

  • Ask: The server configuration files. Request access to the files that define the web server's settings. Good evidence: the configuration lists these headers clearly and accurately.
  • Ask: Security audit reports. Request recent reports covering web server security checks. Good evidence: findings show that the headers are properly configured and include notes on any improvements made.
  • Ask: Copies of the organisation's web security policies.
  • Ask: Records of web server testing. Request logs from recent testing of web server security measures. Good evidence: the logs note successful tests of all header configurations.
  • Ask: Evidence of IT staff training. Request documentation of recent training sessions on web security. Good evidence: the sessions include up-to-date practices on implementing and managing response headers.

Cross-framework mappings

How ISM-1424 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship | Control | Notes
Partially meets (1) | Annex A 8.26 | ISM-1424 requires web server software to implement specific web security response headers (e.g
Supports (1) | Annex A 8.8 | ISM-1424 requires web servers to be configured to emit protective response headers that reduce client-side attack surface and enforce sec...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
