# Unneeded HTTP headers (`no-html-only-headers`)

`no-html-only-headers` warns against responding with HTTP headers that are not needed for non-HTML (or non-XML) resources.
## Why is this important?

Some HTTP headers do not make sense to be sent for non-HTML resources, as sending them does not provide any value to users and contributes to header bloat.
## What does the hint check?

The hint checks if non-HTML responses include any of the following HTTP headers:

* `Content-Security-Policy`
* `X-Content-Security-Policy`
* `X-UA-Compatible`
* `X-WebKit-CSP`
* `X-XSS-Protection`

In case of a JavaScript file, `Content-Security-Policy` and `X-Content-Security-Policy` will be ignored since CSP is also relevant to workers.
### Examples that trigger the hint

Response for `/test.js`:

```text
HTTP/... 200 OK

Content-Type: text/javascript; charset=utf-8
...
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```

Response for `/test.html`:

```text
HTTP/... 200 OK

Content-Type: x/y
...
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```
### Examples that pass the hint

Response for `/test.js`:

```text
HTTP/... 200 OK

Content-Type: text/javascript; charset=utf-8
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
...
```

Response for `/test.html`:

```text
HTTP/... 200 OK

Content-Type: text/html
...
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```

Response for `/test.xml`:

```text
HTTP/... 200 OK

Content-Type: application/xhtml+xml
...
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```
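The rule described in this section, re-implemented as an added example (this is not webhint's own code). The check is driven by the response's `Content-Type`, not by the URL: HTML and XML responses keep every header, JavaScript responses keep only the two CSP headers, and anything else is reported. Which media types count as HTML/XML (`text/html`, `application/xhtml+xml`, any `*/xml` or `*+xml`) and as JavaScript (`text/javascript`, `application/javascript`, `application/x-javascript`), and the decision to treat a missing `Content-Type` as non-HTML, are assumptions made for this example. The sample responses are constructed from the examples above; the `...` elision lines are skipped by the parser.

```python
"""Re-implementation of the no-html-only-headers check (added example, not webhint code)."""
from typing import Dict, List, Tuple

# Headers the hint reports on non-HTML responses (taken from the hint's description).
HTML_ONLY_HEADERS = (
    "content-security-policy",
    "x-content-security-policy",
    "x-ua-compatible",
    "x-webkit-csp",
    "x-xss-protection",
)

# CSP also applies to workers, so these two are allowed on JavaScript responses.
CSP_HEADERS = ("content-security-policy", "x-content-security-policy")

# Assumption for this example: media types treated as HTML/XML and as JavaScript.
HTML_MEDIA_TYPES = {"text/html", "application/xhtml+xml"}
JS_MEDIA_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}


def media_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def is_html_or_xml(content_type: str) -> bool:
    mt = media_type(content_type)
    return mt in HTML_MEDIA_TYPES or mt.endswith("+xml") or mt.endswith("/xml")


def is_javascript(content_type: str) -> bool:
    return media_type(content_type) in JS_MEDIA_TYPES


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse a status line plus header lines into (status, {name: value}).

    Header names are lower-cased because HTTP header names are case-insensitive.
    Blank lines and '...' elision lines (as in the examples) are ignored.
    """
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip() or line.strip() == "...":
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def unneeded_headers(headers: Dict[str, str]) -> List[str]:
    """Return the header names the hint would report for this response."""
    # Assumption: a response with no Content-Type is treated as non-HTML.
    content_type = headers.get("content-type", "")
    if is_html_or_xml(content_type):
        return []
    ignored = CSP_HEADERS if is_javascript(content_type) else ()
    return [h for h in HTML_ONLY_HEADERS if h in headers and h not in ignored]


def check_raw_response(raw: str) -> List[str]:
    """Convenience wrapper: parse a raw response head and run the check."""
    _, headers = parse_response_head(raw)
    return unneeded_headers(headers)


# Constructed sample responses, mirroring the examples in this document.
JS_TRIGGER = """HTTP/... 200 OK
Content-Type: text/javascript; charset=utf-8
...
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
..."""

UNKNOWN_TYPE_TRIGGER = """HTTP/... 200 OK
Content-Type: x/y
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block"""

JS_PASS = """HTTP/... 200 OK
Content-Type: text/javascript; charset=utf-8
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'"""

HTML_PASS = UNKNOWN_TYPE_TRIGGER.replace("Content-Type: x/y", "Content-Type: text/html")
XHTML_PASS = UNKNOWN_TYPE_TRIGGER.replace("Content-Type: x/y", "Content-Type: application/xhtml+xml")

if __name__ == "__main__":
    for label, raw in [("/test.js (trigger)", JS_TRIGGER), ("x/y (trigger)", UNKNOWN_TYPE_TRIGGER),
                       ("/test.js (pass)", JS_PASS), ("/test.html", HTML_PASS), ("/test.xml", XHTML_PASS)]:
        print(f"{label}: {check_raw_response(raw) or 'OK'}")
```

Run the file directly to see which headers each sample response would be reported for; `unneeded_headers` can also be fed a header dictionary captured from a real response, as long as the names are lower-cased.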
## How to configure the server to pass this hint

### How to configure Apache

Apache can be configured to remove headers using the `Header` directive.

To remove the headers that are not needed for non-HTML resources, you can do something such as the following:
```apache
<IfModule mod_headers.c>
    # Because `mod_headers` cannot match based on the content-type,
    # the following workaround needs to be used.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
        # Unset each of the headers this hint flags on non-HTML resources.
        Header unset Content-Security-Policy
        Header unset X-Content-Security-Policy
        Header unset X-UA-Compatible
        Header unset X-WebKit-CSP
        Header unset X-XSS-Protection
    </FilesMatch>
</IfModule>
```