
HTTP Security Headers Which Should be Used by all Webmasters

The most important HTTP Security Headers which should be used by all webmasters:

  • Content-Security-Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Directives include upgrade-insecure-requests, default-src, script-src, style-src, img-src, object-src and plugin-types to specify permitted sources for scripts, CSS stylesheets, and images. A basic CSP header to allow only assets from the local origin is:
    Content-Security-Policy: default-src 'self'
  • X-Frame-Options provides protection against cross-site scripting attacks involving HTML iframes; by preventing a browser from framing your site, you can defend against attacks like clickjacking. To prevent the webpage from being loaded into any iframes, you would use:
    X-Frame-Options: deny

    or only for the same origin:

    X-Frame-Options: SAMEORIGIN
  • HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-XSS-Protection sets the configuration for the XSS Auditor built into older browsers. It was introduced to protect against JavaScript injection attacks through cross-site scripting. The recommended value was “X-XSS-Protection: 1; mode=block”, but the header is now deprecated.
    X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”. This protects websites from cross-site scripting attacks that abuse MIME sniffing capabilities to deliver malicious code disguised as a non-executable MIME type.
    X-Content-Type-Options: nosniff
  • Referrer Policy is a header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. With the following header, the browser will only reveal complete referrer information (including the URL) for same-origin requests:
    Referrer-Policy: origin-when-cross-origin
  • Permissions Policy (old Feature-Policy) is a new header that allows a site to control which features and APIs can be used in the browser. For example, to ensure that an application can’t use the microphone and camera APIs, you would send the following header:
    Permissions-Policy: microphone=(), camera=()

    By specifying an empty origin list, written () (the old Feature-Policy syntax used ‘none’ for this), the specified features will be disabled for all browsing contexts (this includes iframes), regardless of their origin!


Here is an example of how these directives could be used in .htaccess:

Header set Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self';"
Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;"
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy "same-origin"
# Permissions-Policy takes feature=(allowlist); an empty list () disables the feature everywhere.
Header set Permissions-Policy "geolocation=(), camera=(), payment=()"
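
To check that a site really sends these headers, the following Python function audits a dict of response headers against the recommendations in the list above. It is an added example, not part of the original post; the function names, the one-year HSTS threshold and the sample headers are assumptions made for the example.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; threshold is this example's assumption

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}."""
    # reversed so the first occurrence of a directive wins, as in browsers
    parts = (p.split() for p in reversed(value.split(";")))
    return {p[0].lower(): p[1:] for p in parts if p}

def audit_headers(headers):
    """Return findings for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when it is not given
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("csp: no default-src or script-src")
    elif {"'unsafe-inline'", "*"} & set(scripts):
        findings.append("csp: scripts allowed from an unsafe source")
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("x-frame-options: missing or not DENY/SAMEORIGIN")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("hsts: missing or max-age under one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("hsts: includeSubDomains not set")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: missing or not nosniff")
    if "referrer-policy" not in h:
        findings.append("referrer-policy: missing")
    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("permissions-policy: missing")
    elif "'" in pp or "=" not in pp:  # Feature-Policy style: camera 'none'
        findings.append("permissions-policy: Feature-Policy syntax, use feature=()")
    return findings

# Constructed sample response headers (not captured from a real site).
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains;",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "geolocation 'none'; camera 'none'",
}

print("\n".join(audit_headers(SAMPLE)))
```

An empty result means every check passed; the sample is flagged for the missing Referrer-Policy and for the Feature-Policy style value in Permissions-Policy.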
