Security-related HTTP headers

By default, cloud.gov adds the following security-related HTTP headers to your application's responses whenever your application does not set them itself:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000

These headers reflect some of the main recommendations of the OWASP Secure Headers Project. Many web application security scanners (commonly deployed to help satisfy NIST SP 800-53 control RA-5, Vulnerability Monitoring and Scanning) report the absence of these headers as a potential vulnerability, so cloud.gov sets them by default to support both your application's security and its compliance posture.

To override any of these headers, set it to a different value in your application; the platform only fills in a header your application leaves unset. To omit the X-Frame-Options header entirely, set its value to ALLOWALL, which cloud.gov treats as an instruction to drop the header rather than a value to send (ALLOWALL is not a value defined by the X-Frame-Options specification, so it would be ignored by browsers in any case). Treat the defaults as a floor: the Strict-Transport-Security default carries only a one-year max-age, so applications that serve subdomains should set their own value with includeSubDomains, and a Content-Security-Policy with frame-ancestors is the modern replacement for X-Frame-Options. Note also that X-XSS-Protection is a legacy header: current browsers have removed the reflected-XSS filter it controlled, and the OWASP Secure Headers Project now recommends setting it to 0 and relying on a Content-Security-Policy instead; it is kept in the defaults because many scanners still flag its absence. For details on the behavior of each header, see the HTTP headers documentation.
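The following is an added example, not cloud.gov's own code or part of the original page. It models the behavior described above (an application-set header wins, an unset header receives the platform default, and X-Frame-Options: ALLOWALL causes the header to be dropped) and then runs a scanner-style audit over the headers a client would see. The `apply_platform_defaults` and `audit_headers` functions, the sample header dictionaries, and the audit thresholds (a one-year HSTS max-age, the includeSubDomains note) are assumptions chosen for this illustration rather than cloud.gov's implementation.

```python
"""Model of the documented cloud.gov default-header behavior plus a scanner-style
audit of the result. Added example; the platform logic below is a model of the
behavior described on this page, not cloud.gov's own code."""
import re

# The four defaults listed on this page.
PLATFORM_DEFAULTS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
}

ONE_YEAR = 31536000  # seconds; the HSTS max-age used by the platform default


def _find(headers, name):
    """Return the key in `headers` that matches `name` case-insensitively, or None.
    HTTP header names are case-insensitive, so an app that emits
    'x-frame-options' has still set X-Frame-Options."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def apply_platform_defaults(app_headers):
    """Assumed model of the documented behavior: the app's own value is kept,
    any header the app did not set receives the platform default, and an
    X-Frame-Options value of ALLOWALL means 'omit this header entirely'."""
    result = dict(app_headers)
    for name, default in PLATFORM_DEFAULTS.items():
        if _find(result, name) is None:
            result[name] = default
    xfo_key = _find(result, "X-Frame-Options")
    if xfo_key is not None and result[xfo_key].strip().upper() == "ALLOWALL":
        del result[xfo_key]
    return result


def audit_headers(headers):
    """Return findings in the style a vulnerability scanner (RA-5) would report
    for the four headers on this page. An empty list means no findings."""
    findings = []

    key = _find(headers, "X-Frame-Options")
    if key is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif headers[key].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has non-standard value {headers[key]!r}")

    key = _find(headers, "X-Content-Type-Options")
    if key is None or headers[key].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    key = _find(headers, "Strict-Transport-Security")
    if key is None:
        findings.append("Strict-Transport-Security missing: HTTPS not enforced by browser")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", headers[key], re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age below one year: {headers[key]!r}")
        # Assumed hardening threshold beyond the platform default (OWASP guidance).
        if "includesubdomains" not in headers[key].lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains (informational)")

    key = _find(headers, "X-XSS-Protection")
    if key is None:
        findings.append("X-XSS-Protection missing (legacy header; some scanners still flag it)")

    return findings


if __name__ == "__main__":
    # Constructed sample: an app that sets only Content-Type and a relaxed framing policy.
    app_headers = {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"}
    served = apply_platform_defaults(app_headers)
    for name, value in served.items():
        print(f"{name}: {value}")
    print("findings:", audit_headers(served) or "none")
```

To compare the model against a deployed application, fetch the real response headers with `curl -sI` against your application's URL and pass them to `audit_headers`; a header the application sets in lowercase, or with a different value, should appear exactly once in the response, since the platform does not add a second copy.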