X-Permitted-Cross-Domain-Policies

Security Glossary - Security Headers

Definition: X-Permitted-Cross-Domain-Policies tells Adobe Flash and Adobe Acrobat clients whether they may honour a cross-domain policy file (crossdomain.xml) and load data from your domain. Setting it to none means no policy file is permitted, so these plugins cannot make cross-domain requests to your server. Flash is no longer supported, but the header still removes any residual risk from legacy plugin behaviour.

The Importance of X-Permitted-Cross-Domain-Policies

This header mattered most while Adobe Flash was prevalent. Flash consulted crossdomain.xml policy files to decide whether cross-domain data access was allowed. A permissive crossdomain.xml could let a Flash application hosted on any website load data from your server, potentially exposing sensitive information.

With Flash officially discontinued and removed from all modern browsers, the security risk this header addresses is minimal. However, setting X-Permitted-Cross-Domain-Policies: none is still recommended as a defense-in-depth measure. It costs nothing to include and prevents any edge case involving legacy PDF viewers or Flash remnants.

Security scanners still check for this header and flag its absence. Including it is a trivial configuration change that satisfies scanner requirements and provides marginal protection at no cost.

Checking Your Setup

A security audit checks for this header. Set X-Permitted-Cross-Domain-Policies: none unless you specifically need Adobe products to access your server's resources cross-domain, which is extremely rare in modern web applications.
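The following Python checker is an added example (not DomainOptic's scanner code): it parses a raw HTTP response head, looks up the header case-insensitively and grades its value using the list given in the FAQ below. The three sample responses are constructed, not captured from a real server.

```python
HEADER = "X-Permitted-Cross-Domain-Policies"

# Values defined for the header and the audit outcome each earns;
# 'none' is the recommended setting, 'all' honours every policy file.
VERDICTS = {
    "none": "pass",
    "master-only": "warn",      # only the root /crossdomain.xml is honoured
    "by-content-type": "warn",  # policy files served with the right Content-Type
    "by-ftp-filename": "warn",  # FTP-only mode
    "all": "fail",
}

def parse_response_headers(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x response head into a dict keyed by lower-cased name.
    Repeated headers are joined with ', ' so a duplicate can be spotted."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: dict = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip a malformed line rather than abort the audit
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def audit_cross_domain_policy(headers: dict) -> tuple:
    """Return (verdict, detail). A missing, duplicated or unrecognised header
    fails, because each leaves the plugin's behaviour undefined."""
    value = headers.get(HEADER.lower())
    if value is None:
        return "fail", f"{HEADER} missing; add '{HEADER}: none'"
    normalised = value.strip().lower()
    if "," in normalised:
        return "fail", f"{HEADER} sent more than once: {value!r}"
    verdict = VERDICTS.get(normalised)
    if verdict is None:
        return "fail", f"unknown value {value!r}; use 'none'"
    return verdict, f"{HEADER}: {normalised}"

# Constructed sample responses (not captured from any real server).
GOOD = b"HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: none\r\n\r\n<html>"
MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
PERMISSIVE = b"HTTP/1.1 200 OK\r\nx-permitted-cross-domain-policies: ALL\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("missing", MISSING), ("permissive", PERMISSIVE)):
        print(label, *audit_cross_domain_policy(parse_response_headers(raw)))
```

To audit a live site, feed `audit_cross_domain_policy` the header dict from your HTTP client instead of the constructed samples.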

X-Permitted-Cross-Domain-Policies FAQ

Do I still need this header now that Flash is dead?

The risk is minimal, but setting it to none is a trivial defense-in-depth measure. It prevents any residual risk from legacy PDF plugins or enterprise environments that might still have Flash remnants.

What are the possible values?

The values are: none (no cross-domain policy files allowed), master-only (only the root crossdomain.xml is allowed), by-content-type (only policies served with the correct Content-Type), by-ftp-filename (FTP only), and all (all policy files allowed). Use none for maximum security.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.