
HTTP Security Headers 2026 — What Changed, What's New

Security header support and browser enforcement changes every year. Here is what changed in 2025–2026 — what tightened, what was deprecated, and what newly matters.

Last updated: 2026-04-03. Covers Chrome 120–131, Firefox 120–133, Safari 17–18, Edge 120–131.

What changed in 2025–2026

Permissions-Policy — interest-cohort removed

The interest-cohort feature (Google's FLoC) was deprecated. Chrome 115+ ignores it. You can keep interest-cohort=() in your header — it does no harm — but it no longer controls anything. The relevant current features are browsing-topics and attribution-reporting.

X-XSS-Protection deprecated

Chrome 78+ removed the XSS Auditor. Firefox never implemented it. The X-XSS-Protection header is now deprecated and ignored by all major browsers. Remove it from your config: it provides no protection, and on older browsers that still honour it the filter could in some edge cases introduce vulnerabilities. Replace it with a strict CSP.

COEP credentialless — broader support

Cross-Origin-Embedder-Policy: credentialless is now supported in Chrome 96+, Edge 96+, and Firefox 119+. This is easier to deploy than require-corp because it does not require third-party resources to set CORP headers — they are loaded without credentials instead.

CSP frame-ancestors — now preferred over X-Frame-Options

All major browsers now support CSP frame-ancestors and use it when both headers are present, ignoring X-Frame-Options. Keep both for IE and legacy browser coverage, but CSP frame-ancestors is the canonical solution.

HSTS preload list — stricter minimum max-age

The HSTS preload list now requires a minimum max-age of 1 year (31536000 seconds). Sites submitted with lower values are rejected. Sites already on the list with lower values are being contacted to update.

Permissions-Policy — new features added

Several new features were added to the Permissions-Policy spec in 2025:

Current recommended headers (2026)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{nonce}'; ...
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless

# Remove these — deprecated:
# X-XSS-Protection: 1; mode=block  ← remove
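A small audit script, added here as an example (not code from this page or from any tool it links to), that checks a set of response headers against the changes above: the deprecated X-XSS-Protection header, the one-year HSTS preload minimum, CSP frame-ancestors, and the interest-cohort no-op. The header dictionaries are constructed samples, and the nonce value is a placeholder.

```python
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the HSTS preload list minimum
def parse_directives(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out

def csp_directives(value):
    """Parse a CSP value into {directive: [source, ...]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_headers(headers):
    """Return 'fix:'/'info:' findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "x-xss-protection" in h:  # XSS Auditor is gone; every major browser ignores this header
        findings.append("fix: remove X-XSS-Protection and rely on a strict CSP")
    hsts = parse_directives(h.get("strict-transport-security", ""))
    if "preload" in hsts:  # the preload list rejects submissions below one year
        max_age = hsts.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < MIN_PRELOAD_MAX_AGE:
            findings.append("fix: HSTS preload needs max-age >= 31536000")
        if "includesubdomains" not in hsts:
            findings.append("fix: HSTS preload needs includeSubDomains")
    if "frame-ancestors" not in csp_directives(h.get("content-security-policy", "")):
        findings.append("fix: add CSP frame-ancestors; X-Frame-Options alone is legacy coverage only")
    if "interest-cohort" in h.get("permissions-policy", ""):  # FLoC is gone, so this is a no-op
        findings.append("info: interest-cohort=() no longer controls anything; harmless to keep")
    return findings

# Constructed sample inputs: a stale configuration and the 2026 recommendation from this page.
LEGACY_HEADERS = {
    "Strict-Transport-Security": "max-age=10886400; preload",  # 18 weeks: rejected by the preload list
    "X-XSS-Protection": "1; mode=block",
    "Permissions-Policy": "camera=(), interest-cohort=()",
}
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'self'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
}
```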

What to watch in 2026
