Skip to main content
All CollectionsData Protection
Security & Compliance
Security & Compliance

Learn about our security and compliance module in your admin.

Niall Diamond avatar
Written by Niall Diamond
Updated over a week ago


EvolutionX's Compliance Center, your one-stop destination for essential compliance documents. In an ever-evolving regulatory landscape, we prioritize data security and adherence to industry standards. Our collection of compliance resources, including the EvolutionX Processor Audit, PCI Certificate of Compliance, EvolutionX Infrastructure Highlights, and PCI Attestation of Compliance, empowers you to demonstrate your commitment to data protection and payment security. Download these documents to showcase your dedication to compliance and operational excellence.

Security Headers

Security headers are HTTP response headers that enhance the security of web applications by controlling various aspects of how a web page is displayed and accessed by browsers. These headers help protect against certain types of attacks and provide a way to set security-related policies for a website. I'll explain each of the security headers and provide best practice default values:

  1. Referrer-Policy:

    • Default Value: strict-origin-when-cross-origin

    • Purpose: The Referrer-Policy header controls how much information the browser should include in the HTTP Referer header when a user navigates away from a page. The Referer header typically contains the URL of the page that referred the user to the current page.

    • Best Practice Default Value: strict-origin-when-cross-origin directive is the same as strict-origin, although the HTTP Referer header will not be sent for cross-origin HTTP requests. When no policy is specified then this is the default value. It is also used if the specified directive is not understood.

  2. X-Frame-Options:

    • Default Value: DENY

    • Purpose: The X-Frame-Options header helps prevent clickjacking attacks by specifying whether a web page should be allowed to be displayed in a <frame>, <iframe>, <embed>, or <object>. Setting it to DENY ensures that the page cannot be embedded in any frame.

    • Best Practice Default Value: DENY is a recommended default value to prevent the page from being framed, providing strong security against clickjacking attacks.

  3. Content-Security-Policy:

    • Default Value: There isn't a single "best practice" default value for Content-Security-Policy (CSP) because it depends on the specific needs and requirements of your store. CSP allows you to define a set of directives that control which resources (e.g., scripts, stylesheets, images) can be loaded and executed by the browser. A strict CSP may initially block resources needed by your site, so it should be carefully configured based on your site's functionality.

    • Purpose: CSP is a powerful security feature that can mitigate various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. It defines a policy that instructs the browser which domains are trusted sources for different types of content and scripts.

Did this answer your question?