HTTP Security Headers
HTTP security headers instruct browsers on how to handle content and enforce security policies, reducing the risk of common web vulnerabilities like cross-site scripting and clickjacking.
Files.com sets the headers described on this page across all responses. We undergo regular vulnerability scans as part of our SOC 2 Audit process and continuously review our security settings.
Content-Security-Policy
A Content Security Policy (CSP) tells the browser which resources are allowed to load and execute, limiting the surface for cross-site scripting and related attacks.
Files.com serves a Content Security Policy based on CSP Version 3.
Inclusion of unsafe-inline
CSP Version 3 uses nonce-based security, the strongest protection available in a Content Security Policy. To preserve compatibility with older browsers, the CSP Version 3 policy also includes the 'unsafe-inline' keyword. When 'unsafe-inline' appears alongside a nonce, modern browsers ignore it and rely on the nonce; the keyword only takes effect in older browsers that don't support nonces.
The presence of unsafe-inline sometimes produces false positives from security scanners that are not aware of the modern CSP Version 3 behavior. For more information, see Google's CSP Evaluator documentation.
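The following is an added example, not code from Files.com, showing why a scanner that flags 'unsafe-inline' without checking for a nonce reports a false positive: it parses a CSP header and applies the Version 3 rule that a nonce or hash source makes 'unsafe-inline' inert. The sample header is constructed for illustration and is not the policy Files.com serves.

```python
"""Evaluate the nonce / 'unsafe-inline' interaction in a Content-Security-Policy.

Per CSP Version 3, when a directive contains a nonce or hash source, a
conforming browser ignores 'unsafe-inline' in that directive. Only a browser
without nonce support honours the keyword. Header text is constructed.
"""
import re

# Matches 'nonce-<base64>' and 'sha256/384/512-<base64>' source expressions.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$"
)

# Constructed sample: 'unsafe-inline' kept for legacy browsers, nonce for modern ones.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0mV4lu3' 'unsafe-inline'; "
    "object-src 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        # A repeated directive is ignored; the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(sources: list[str]) -> list[str]:
    """Return the source list as a nonce-aware (CSP Version 3) browser applies it."""
    if any(NONCE_OR_HASH.match(s) for s in sources):
        return [s for s in sources if s.lower() != "'unsafe-inline'"]
    return list(sources)


def inline_script_allowed(header: str, legacy_browser: bool = False) -> bool:
    """Does the policy let arbitrary inline <script> run in the given browser class?"""
    policy = parse_csp(header)
    # script-src governs scripts; fall back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    if not legacy_browser:
        sources = effective_sources(sources)
    return "'unsafe-inline'" in [s.lower() for s in sources]
```

A scanner that reports `inline_script_allowed(SAMPLE_CSP, legacy_browser=True)` as the modern-browser result is the false positive described above.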
X-Frame-Options
Files.com sets the X-Frame-Options header to SameOrigin on all responses. This allows content to be embedded within our own domain while preventing other websites from embedding our content in an iframe, which would otherwise expose the site to clickjacking attacks.
Strict-Transport-Security (HSTS)
The Strict-Transport-Security (HSTS) header forces all communication with the server to use HTTPS, mitigating the risk of man-in-the-middle attacks. Files.com sets this header on all responses to its own domains so that users always reach the platform over HTTPS.
HSTS is not automatically set for customers using a Custom Domain. You can optionally enable it in that situation.
XSS Protection
The X-XSS-Protection header is a browser-level feature that helps protect against Cross-Site Scripting (XSS) attacks. Modern browsers handle most XSS protection on their own, and Files.com includes this header as an additional layer.
Content-Type-Options
Files.com sets the X-Content-Type-Options header to nosniff, which tells browsers to trust the declared MIME type of a resource rather than guessing one. This prevents content-type confusion attacks, such as executing a malicious file under the wrong MIME type.
Permitted Cross-Domain Policies
The Cross-Origin-Resource-Policy header is set to same-origin, so resources can only be loaded from the same origin as the document. This restricts how resources are shared across origins and reduces the surface for cross-origin resource attacks.
Server
The Server header is set to files.com in all HTTP responses. This is a non-specific server identifier that prevents the leakage of sensitive server details while still satisfying clients and compliance scanners that expect the header.