HTTP Security Headers 2026 — What Changed, What's New
Security header support and browser enforcement changes every year. Here is what changed in 2025–2026 — what tightened, what was deprecated, and what newly matters.
What changed in 2025–2026
Permissions-Policy — interest-cohort removed
The interest-cohort feature (Google's FLoC) was deprecated. Chrome 115+ ignores it. You can keep interest-cohort=() in your header — it does no harm — but it no longer controls anything. The relevant current features are browsing-topics and attribution-reporting.
X-XSS-Protection deprecated
Chrome 78+ removed the XSS Auditor. Firefox never implemented it. The X-XSS-Protection header is now deprecated and ignored by all major browsers. Remove it from your config — it provides no protection and in some edge cases could create vulnerabilities on older browsers. Replace it with a strict CSP.
COEP credentialless — broader support
Cross-Origin-Embedder-Policy: credentialless is now supported in Chrome 96+, Edge 96+, and Firefox 119+. This is easier to deploy than require-corp because it does not require third-party resources to set CORP headers — they are loaded without credentials instead.
CSP frame-ancestors — now preferred over X-Frame-Options
All major browsers now support CSP frame-ancestors and use it when both headers are present, ignoring X-Frame-Options. Keep both for IE and legacy browser coverage, but CSP frame-ancestors is the canonical solution.
HSTS preload list — stricter minimum max-age
The HSTS preload list now requires a minimum max-age of 1 year (31536000 seconds). Sites submitted with lower values are rejected. Sites already on the list with lower values are being contacted to update.
Permissions-Policy — new features added
Several new features were added to the Permissions-Policy spec in 2025:
- speaker-selection — controls access to audio output device enumeration
- window-management — controls the multi-screen window placement API
- local-fonts — controls access to locally installed fonts
- idle-detection — controls the Idle Detection API
Current suggested headers (2026)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{nonce}'; ...
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless
# Remove these — deprecated:
# X-XSS-Protection: 1; mode=block ← remove
What to watch in 2026
- Fetch Metadata headers (Sec-Fetch-*) — browsers send these automatically, servers can use them for CSRF protection
- Origin-Agent-Cluster — keyed origin isolation, improving on the COOP/COEP model
- CSP Trusted Types — Firefox implementation progressing but still incomplete
- Private Network Access — Chrome enforcing stricter controls on requests to private network addresses from public pages
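The Fetch Metadata point above is worth seeing as server-side logic. This is an added example, not code from the article: a resource isolation policy that serves same-site requests and cross-site top-level navigations but rejects cross-site form posts and XHR/fetch calls before any application code runs. It assumes an application that is not meant to be embedded or called cross-site; the sample request headers are constructed.

```python
# Sec-Fetch-* headers are attached by the browser and cannot be set by cross-site
# script, so a server can make a CSRF decision from them before handling the request.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def allow_request(headers: dict, method: str) -> bool:
    """Resource isolation policy: return True if the request should be served.

    Assumption (not from the article): the app serves its own origin and its
    sibling subdomains, and only accepts cross-site traffic as a plain navigation.
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # Legacy browser without Fetch Metadata: fall through to the app's other
        # CSRF defenses (tokens, SameSite cookies) rather than blocking outright.
        return True
    if site in ("same-origin", "same-site", "none"):
        # Own origin, a sibling subdomain, or user-initiated (typed URL, bookmark).
        return True
    # Cross-site: allow only a top-level navigation with a safe method, and never
    # when the page is being loaded as a plugin-style embed.
    return (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() in SAFE_METHODS
        and h.get("sec-fetch-dest") not in ("object", "embed")
    )


# Constructed sample requests, as a browser would label them.
SAMPLE_REQUESTS = [
    ({"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}, "POST"),
    ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}, "GET"),
    ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}, "POST"),
    ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}, "POST"),
    ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}, "GET"),
    ({}, "POST"),
]


def evaluate_samples() -> list:
    """Apply the policy to each constructed request and return the decisions in order."""
    return [allow_request(h, m) for h, m in SAMPLE_REQUESTS]
```

The third sample (a cross-site POST navigation, i.e. a form submission from another site) is the classic CSRF shape and is the one the policy refuses.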
Recommended security headers for 2026
Based on current browser support and OWASP guidelines, these are the headers every site should set in 2026:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Headers deprecated or changed in 2025-2026
| Header | Status | Replacement |
|---|---|---|
| X-XSS-Protection | Deprecated | CSP script-src — modern browsers removed the XSS auditor |
| Expect-CT | Deprecated June 2021, removed 2023 | Certificate Transparency is now enforced by browsers automatically |
| Feature-Policy | Renamed | Permissions-Policy — same functionality, new name |
| Public-Key-Pins (HPKP) | Removed | Never use — caused permanent site lockouts, removed from all browsers |
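The two recommended header sets above and this deprecation table read naturally as an audit checklist. The following is an added example, not code from the article: it takes a response-header dictionary and reports what is missing, what is deprecated, an HSTS max-age below the 1-year preload minimum, a CSP without frame-ancestors, a leftover interest-cohort=() and a COEP still on require-corp. The legacy header set at the bottom is constructed sample input.

```python
import re

# Headers the article lists as deprecated or removed, with the replacement it names.
DEPRECATED = {
    "x-xss-protection": "remove it; rely on a strict CSP script-src instead",
    "expect-ct": "remove it; Certificate Transparency is enforced automatically",
    "feature-policy": "rename it to Permissions-Policy",
    "public-key-pins": "remove it; HPKP was removed from all browsers",
}
# Headers the article says every site should set.
REQUIRED = ("strict-transport-security", "content-security-policy", "x-content-type-options",
            "referrer-policy", "permissions-policy", "cross-origin-opener-policy")
HSTS_PRELOAD_MIN = 31536000  # one year, the preload-list minimum


def csp_directives(csp: str) -> dict:
    """Parse a CSP value into {directive: [source expressions]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: dict) -> list:
    """Return findings for a response-header dict; an empty list means it matches the guidance."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    findings += [f"deprecated {name}: {advice}" for name, advice in DEPRECATED.items() if name in h]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.IGNORECASE)
    if m and int(m.group(1)) < HSTS_PRELOAD_MIN:
        findings.append("hsts max-age below the 1-year preload minimum")
    csp = csp_directives(h.get("content-security-policy", ""))
    if csp and "frame-ancestors" not in csp:
        findings.append("csp has no frame-ancestors, now preferred over X-Frame-Options")
    if "interest-cohort" in h.get("permissions-policy", ""):
        findings.append("permissions-policy interest-cohort=() is harmless but no longer controls anything")
    if h.get("cross-origin-embedder-policy", "").lower() == "require-corp":
        findings.append("coep require-corp: credentialless needs no third-party CORP headers")
    return findings

# Constructed sample: a legacy header set that predates the changes described above.
LEGACY = {
    "Strict-Transport-Security": "max-age=15768000",
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
    "Feature-Policy": "camera 'none'",
}
```

Running audit_headers(LEGACY) yields eight findings; a set built from the recommended headers above yields none.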
Browser enforcement changes in 2025-2026
- Chrome 120+ — Partitioned cookies (CHIPS) now default. Third-party cookies in iframes require the Partitioned attribute.
- Safari 17+ — Stricter SameSite=None enforcement. Cookies without the Secure flag are rejected.
- Firefox 120+ — Total Cookie Protection enabled by default. Cross-site cookies isolated per site.
- All browsers — stale-while-revalidate now universally supported (Safari was the last holdout).
- Chrome 117+ — Private Network Access headers required for requests from public to private networks.
New headers worth implementing in 2026
| Header | What it does | Browser support |
|---|---|---|
| Cross-Origin-Opener-Policy | Prevents cross-origin tab-napping via window.opener | Chrome 83+, Firefox 79+, Safari 15.2+ |
| Cross-Origin-Resource-Policy | Prevents cross-origin reads of your resources | Chrome 73+, Firefox 74+, Safari 12+ |
| Cross-Origin-Embedder-Policy | Required for SharedArrayBuffer and high-res timers | Chrome 83+, Firefox 79+, Safari 15.2+ |
| Origin-Agent-Cluster | Requests process isolation from same-origin pages | Chrome 88+, Firefox 100+ |