The Security Vault

Documentation on HSTS, CSP, and XFO headers.

Integrity is the third pillar of the Vellum Standards. The Security Vault documents the headers and policies we expect on every Heritage-tier site: HSTS, CSP, and X-Frame-Options (XFO).

Why These Headers Matter

Without the right security headers, your application is exposed to:

  • Downgrade attacks — HTTP used instead of HTTPS.
  • Content injection — XSS and related attacks when CSP is missing or weak.
  • Clickjacking — UI overlays when XFO is not set.

The Security Vault defines the minimum configuration we consider acceptable for Heritage status.

HSTS (Strict-Transport-Security)

Purpose: Force browsers to use only HTTPS when talking to your domain.

What we expect:

  • Header present: Strict-Transport-Security
  • max-age set (e.g. max-age=31536000; includeSubDomains)
  • Served over HTTPS

Example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

CSP (Content-Security-Policy)

Purpose: Restrict which sources can load scripts, styles, and other resources—reducing XSS and injection risk.

What we expect:

  • Header present: Content-Security-Policy (a nonce- or hash-based policy satisfies this)
  • Policy is not overly permissive (e.g. no * for script-src in production)
  • A report-uri or other reporting directive is optional but recommended

Example (minimal):

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';

Tighten as needed for your app; Scribe Sentinel flags obviously unsafe policies.

X-Frame-Options (XFO)

Purpose: Prevent your pages from being embedded in iframes on other domains (clickjacking).

What we expect:

  • Header present: X-Frame-Options
  • Value: DENY or SAMEORIGIN (prefer DENY unless you need same-origin framing)

Example:

X-Frame-Options: DENY

Additional Headers We Check

  • X-Content-Type-Options: nosniff — Prevents MIME sniffing.
  • Referrer-Policy — Controls referrer information (recommended: strict-origin-when-cross-origin or stricter).

How Scribe Sentinel Uses This

When you run a Quick Audit or when Scribe Sentinel runs on a schedule, we verify that your responses include these headers and that their values meet the thresholds above. Failures appear in your Scribe Sentinel report and affect your Heritage Grade.
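The checks described above, as an added example that is not Scribe Sentinel's own code: it evaluates a dict of response headers against the Security Vault minimums on this page. The one-year max-age threshold and the treatment of 'unsafe-inline' in script-src as overly permissive are assumptions that extend the page's stated rules.

```python
# Added example, not Scribe Sentinel's own code: a checker for the Security Vault
# minimums above. Thresholds (one-year max-age, no '*'/'unsafe-inline' in script-src)
# are assumptions drawn from this page; 'unsafe-inline' extends the page's '*' rule.
import re
ONE_YEAR = 31536000  # the page's example max-age (seconds)

def parse_csp(policy):
    # Split "dir src src; dir src" into {directive: [sources]}, directive names lowercased
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def check_headers(headers):
    # Findings for a response fetched over HTTPS (HSTS is ignored on plain HTTP); [] = OK
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age missing or below one year")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        d = parse_csp(csp)
        script = d.get("script-src", d.get("default-src", []))  # CSP fallback rule
        if "*" in script or "'unsafe-inline'" in script:
            findings.append("CSP: script-src is overly permissive")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("XFO: missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: header missing")
    return findings

# Constructed sample response headers (not captured from a real site)
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Calling `check_headers(SAMPLE)` returns an empty list; feeding it a response with `default-src *` and no HSTS surfaces one finding per failed rule.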