I recently spent some time digging into the latest security standards for 2026, and as usual, things have moved on quite a bit from what was considered “best practice” just a couple of years ago. It turns out that simply having a CSP or HSTS header isn’t quite enough anymore if you want to stay ahead of modern threats.
I’ve just overhauled the Header Scanner engine for SiteVitals to reflect these changes. I didn’t want to just add new headers for the sake of it; I wanted to update the “intelligence” behind the scoring so it actually flags the stuff that matters today, like DOM-XSS and side-channel leaks. Here are some notes on what I changed for future reference.
1. Trusted Types (The new CSP baseline)
We’ve been using Content Security Policy (CSP) for years to control where scripts may load from, but the focus has shifted toward how scripts execute. Attackers are getting better at DOM-based XSS: attacker-controlled strings that never load from a disallowed origin at all, but flow inside the page into “sinks” like .innerHTML, eval() or document.write(). A source allow-list cannot see that, because nothing is fetched.
I’ve updated the scanner to look for require-trusted-types-for 'script'. With that directive in place the browser rejects any plain string assigned to a script-executing sink unless it was produced by a Trusted Types policy, so all sanitisation is funnelled through that one policy object. It is a shift in how you write JS: existing code that assigns raw strings to those sinks breaks until it goes through a policy, so roll it out under Content-Security-Policy-Report-Only first and, once you have a policy, add a trusted-types directive naming it so an injected script cannot simply create its own. The payoff is that it kills off an entire category of vulnerabilities that a standard source-based CSP never catches.
2. Side-Channel Defense (The “Cross-Origin Trio”)
Post-Spectre and Meltdown, the way browsers handle process isolation is a big deal. If a cross-origin document ends up in the same process as your page (a tab that opened yours with window.open, or one you opened, stays in your browsing context group), it can read your page’s memory through a timing side channel.
The scanner now looks for what I call the “trio”: COOP, COEP, and CORP. Cross-Origin-Opener-Policy: same-origin severs the opener link with cross-origin windows so your page gets a browsing context group of its own; Cross-Origin-Embedder-Policy: require-corp stops the page from embedding any cross-origin resource that has not opted in via CORP or CORS; Cross-Origin-Resource-Policy on your own responses declares who may embed them. COOP plus COEP is what makes a page cross-origin isolated (window.crossOriginIsolated === true), and in 2026 that is still the only way to safely enable high-performance features like SharedArrayBuffer and high-resolution timers. CORP is the piece that keeps your own resources loadable under that regime and stops other origins from pulling them into their process.
3. Privacy as Security
With the rollout of the Privacy Sandbox, security and privacy have become pretty intertwined. I’ve added a check for the Permissions-Policy header to see if it explicitly sets browsing-topics=(), which opts the page and every frame it embeds out of the Topics API in browsers that implement it. Unless you’re an ad-tech company, there’s no real reason to let the browser build interest cohorts from your users for ad-targeting.
4. HSTS: Just “On” isn’t enough
Most people have HSTS active, but I’ve updated the logic to nudge you toward the preload directive. Without it, that very first visit to your site (or the first visit after max-age expires) is still vulnerable to an SSL-strip attack, because the browser has not yet learned that the host is HTTPS-only. Preloading bakes the host into the browser’s built-in list, so it never makes a plaintext request in the first place. Two caveats: the header alone does nothing, you still have to submit the domain at hstspreload.org, and the list only accepts max-age of at least 31536000 (one year) together with includeSubDomains and preload, served over HTTPS on the bare domain. It is also very hard to reverse, so make sure every subdomain really is HTTPS-only before you commit.
5. Retiring the XSS Auditor
One interesting change: I’m now recommending you set X-XSS-Protection to 0. I know we spent years setting it to 1; mode=block, but Chrome and Edge removed the auditor back in 2019 (Chrome 78) because it could itself be weaponised to leak information: an attacker could probe whether a given script appears on a page by seeing whether the auditor blocked it. Setting it to 0 explicitly switches the filter off in any browser that still ships one, and leaving the header out is not equivalent, since those browsers enable it by default. 0 is now the safer bet in 2026.
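For reference, here is the scoring logic behind the five checks above (Trusted Types, the cross-origin trio, browsing-topics, HSTS preload readiness and the retired auditor) written out in code. This is an added example, not the SiteVitals scanner’s own code; it audits a dict of response headers constructed inline rather than fetching anything, and the check names and the 1-year preload threshold are my choices.

```python
"""Header audit for the five 2026 checks discussed above.

Added example, not the SiteVitals scanner's own code. It inspects a dict of
response headers (constructed inline below, not fetched) and reports each check.
"""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


def csp_directives(csp: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive_name: [source values]} (names lowercased)."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def hsts_fields(value: str) -> dict[str, str | None]:
    """Parse an HSTS header into {field_name: value_or_None}; names are lowercased."""
    fields: dict[str, str | None] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            fields[name.strip().lower()] = val.strip() or None
    return fields


def first_token(value: str) -> str:
    """Drop parameters such as '; report-to=...' from COOP/COEP/CORP values."""
    return value.split(";", 1)[0].strip().lower()


def audit_headers(headers: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Return {check: (passed, reason)} for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    results: dict[str, tuple[bool, str]] = {}

    # 1. Trusted Types: the CSP must gate script sinks behind a policy.
    csp = csp_directives(h.get("content-security-policy", ""))
    tt_ok = "'script'" in csp.get("require-trusted-types-for", [])
    results["trusted_types"] = (tt_ok, "require-trusted-types-for 'script' enforced"
                                if tt_ok else "CSP lacks require-trusted-types-for 'script'")

    # 2. Cross-origin isolation: COOP same-origin plus COEP require-corp/credentialless
    #    isolates the page; CORP on the response keeps other origins from embedding it.
    coop = first_token(h.get("cross-origin-opener-policy", ""))
    coep = first_token(h.get("cross-origin-embedder-policy", ""))
    corp = first_token(h.get("cross-origin-resource-policy", ""))
    isolated = coop == "same-origin" and coep in ("require-corp", "credentialless")
    trio_ok = isolated and corp in ("same-origin", "same-site")
    results["cross_origin_trio"] = (trio_ok, f"COOP={coop or '-'} COEP={coep or '-'} CORP={corp or '-'}")

    # 3. Privacy: Permissions-Policy must explicitly switch off browsing-topics.
    topics_off = re.search(r"\bbrowsing-topics\s*=\s*\(\s*\)", h.get("permissions-policy", "")) is not None
    results["browsing_topics_disabled"] = (topics_off, "browsing-topics=()" if topics_off
                                          else "Permissions-Policy does not disable browsing-topics")

    # 4. HSTS: must meet the preload-list requirements, not merely be present.
    hsts = hsts_fields(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age") or 0)
    except ValueError:
        max_age = 0
    hsts_ok = max_age >= ONE_YEAR and "includesubdomains" in hsts and "preload" in hsts
    results["hsts_preload_ready"] = (hsts_ok, f"max-age={max_age}, "
                                     f"includeSubDomains={'includesubdomains' in hsts}, "
                                     f"preload={'preload' in hsts}")

    # 5. Legacy auditor: X-XSS-Protection must be explicitly 0. Absent is a finding too,
    #    because browsers that still ship an auditor enable it by default.
    xss = h.get("x-xss-protection")
    xss_ok = xss is not None and xss.strip() == "0"
    results["xss_auditor_off"] = (xss_ok, f"X-XSS-Protection={xss!r}")

    return results


def score(results: dict[str, tuple[bool, str]]) -> int:
    """Percentage of checks passed, rounded to an integer."""
    return round(100 * sum(ok for ok, _ in results.values()) / len(results))


# Constructed samples: a typical 2022 deployment and the 2026 configuration from this post.
LEGACY_2022 = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_2026 = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; object-src 'none'; "
                                "require-trusted-types-for 'script'; frame-ancestors 'none'; "
                                "base-uri 'self'; form-action 'self';"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Permissions-Policy": "browsing-topics=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": 'require-corp; report-to="coep"',  # parameter must not break the check
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("2022 legacy", LEGACY_2022), ("2026 hardened", HARDENED_2026)):
        res = audit_headers(hdrs)
        print(f"{label}: {score(res)}%")
        for name, (ok, why) in res.items():
            print(f"  [{'PASS' if ok else 'FAIL'}] {name}: {why}")
```

Two design points worth noting: the HSTS check deliberately fails a header that has preload but a max-age below one year, because hstspreload.org would reject it anyway; and the COEP parser strips the report-to parameter, since a value like require-corp; report-to="coep" is perfectly valid and a naive string compare would flag it as wrong.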
Summary: The 2026 Header Scorecard
| Header | Old Standard (2022) | 2026 Standard |
|---|---|---|
| CSP | Allow-list domains | Enforce Trusted Types (nonces or hashes where inline scripts are unavoidable) |
| HSTS | 1-year max-age | Preloaded & subdomain-strict (max-age >= 31536000; includeSubDomains; preload) |
| COOP / COEP / CORP | Not checked | Cross-origin isolated (same-origin / require-corp / same-origin) |
| X-XSS-Protection | 1; mode=block | 0 (disabled) |
| Permissions-Policy | Not checked | browsing-topics=() |
Technical Implementation
I thought I’d leave the actual config changes here for reference. These should get you a passing grade on the new audit, but do not paste them straight into production: Cross-Origin-Embedder-Policy: require-corp will block every third-party image, font or script that does not send a CORP header or CORS headers, and require-trusted-types-for 'script' will break any JavaScript that still assigns raw strings to innerHTML and friends. Both COEP and CSP have -Report-Only variants (Cross-Origin-Embedder-Policy-Report-Only and Content-Security-Policy-Report-Only), so run those first and read the reports. One nginx gotcha as well: an add_header inside a location block replaces, rather than adds to, any add_header lines inherited from the server block, so either put these at the level where every response goes through them or repeat them in each location.
Nginx Configuration
```nginx
# High-Integrity CSP
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; require-trusted-types-for 'script'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;

# HSTS with Preload (submit the domain at hstspreload.org afterwards)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Privacy & Side-Channel Defense
add_header Permissions-Policy "browsing-topics=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;

# Legacy Cleanup
add_header X-XSS-Protection "0" always;
add_header X-Frame-Options "DENY" always;
# Present in the Apache block below; added here so both configs match.
add_header X-Content-Type-Options "nosniff" always;
```
Apache Configuration (.htaccess)
```apache
# Requires mod_headers. "always" makes the headers apply to error responses too,
# matching the nginx "always" flag above.

# 1. High-Integrity CSP
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; require-trusted-types-for 'script'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"

# 2. HSTS with Preload (submit the domain at hstspreload.org afterwards)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# 3. Privacy & Side-Channel Defense
Header always set Permissions-Policy "browsing-topics=()"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"

# 4. Legacy Cleanup
Header always set X-XSS-Protection "0"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
```
Hopefully, that’s useful and helps you clear up any warnings in your next audit. If you want to check your own site against these 2026 standards, I’ve put together a free tool that runs these exact checks for you:
Run a free scan: SiteVitals Free Security Scanner