The most important HTTP Security Headers which should be used by all webmasters:
Content-Security-Policy is an effective measure to protect your site from XSS attacks. By allowlisting the sources of approved content you tell the browser which assets it may load, so an injected script that points at an attacker's host is simply not fetched. Directives include default-src, script-src, style-src, img-src, font-src and object-src, which specify the permitted sources for scripts, stylesheets, images, fonts and plugins respectively (plugin-types is deprecated; use object-src 'none' instead), plus upgrade-insecure-requests, which makes the browser rewrite http:// asset URLs to https://. Any fetch directive you omit falls back to default-src, so that directive should be the most restrictive one. A basic CSP header that allows only assets from the page's own origin is:
Content-Security-Policy: default-src 'self'
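The following script, added here as an illustration and not code from the original page, shows how a browser decides whether a given load is permitted under a policy: the directive lookup with fallback to default-src, and host-source matching. It is deliberately simplified (scheme and host with a leading *. wildcard only; no port or path matching, no nonce or hash handling). The policy, page origin and URLs are constructed for the example.

```python
"""Evaluate a Content-Security-Policy against candidate resource loads.

Added example for this article, not code from the original page. It
implements the fallback-to-default-src rule and host-source matching
of CSP in simplified form (scheme and host with a leading *. wildcard;
no port or path matching, no nonce/hash handling). The policy, page
origin and URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list governing a directive, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")  # None when neither is present: unrestricted
    return None


def host_matches(source, url, page_origin):
    """Simplified CSP source-expression matching for a URL load."""
    target, page = urlparse(url), urlparse(page_origin)
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if source.endswith(":"):            # scheme-source, e.g. "https:"
        return target.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    # A host-source without a scheme matches the page's scheme (or an upgrade to https).
    if scheme:
        if target.scheme != scheme:
            return False
    elif target.scheme not in (page.scheme, "https"):
        return False
    if host == "*":
        return True
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])  # "*.example.com" does not match the apex
    return target.hostname == host


def allowed(policy_header, page_origin, directive, url=None, inline=False):
    """True if loading `url` (or an inline block when inline=True) is permitted."""
    sources = effective_sources(parse_csp(policy_header), directive)
    if sources is None:
        return True                       # no directive applies: unrestricted
    if inline:                            # simplified: ignores the nonce/hash override of 'unsafe-inline'
        return "'unsafe-inline'" in sources
    return any(host_matches(src, url, page_origin) for src in sources)


PAGE = "https://www.example.com"          # constructed page origin
POLICY = ("default-src 'self'; script-src 'self' cdnjs.cloudflare.com; "
          "style-src 'self' 'unsafe-inline'; img-src 'self' *.pixabay.com; object-src 'none'")


def demo():
    """Decisions for a handful of loads under POLICY (constructed inputs)."""
    return {
        "own script":      allowed(POLICY, PAGE, "script-src", url="https://www.example.com/app.js"),
        "cdn script":      allowed(POLICY, PAGE, "script-src", url="https://cdnjs.cloudflare.com/lib.js"),
        "foreign script":  allowed(POLICY, PAGE, "script-src", url="https://evil.example.net/x.js"),
        "inline script":   allowed(POLICY, PAGE, "script-src", inline=True),
        "inline style":    allowed(POLICY, PAGE, "style-src", inline=True),
        "wildcard image":  allowed(POLICY, PAGE, "img-src", url="https://cdn.pixabay.com/a.png"),
        "apex image":      allowed(POLICY, PAGE, "img-src", url="https://pixabay.com/a.png"),
        "font (fallback)": allowed(POLICY, PAGE, "font-src", url="https://fonts.gstatic.com/f.woff2"),
        "plugin":          allowed(POLICY, PAGE, "object-src", url="https://www.example.com/x.swf"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'allowed' if ok else 'BLOCKED'}")
```

Two things the output makes visible that the prose does not: a wildcard host like *.pixabay.com matches cdn.pixabay.com but not the apex pixabay.com, and a font from fonts.gstatic.com is blocked even though no font-src was written, because the missing directive inherits default-src 'self'.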
X-Frame-Options controls whether a browser may render your page inside a frame or iframe. It is not an XSS defence; it protects against clickjacking, where an attacker frames your page on their own site, overlays it with invisible controls and tricks a logged-in user into clicking buttons they cannot see. To prevent the page from being loaded into any frame at all, you would use:
X-Frame-Options: DENY
or, to allow framing only by pages from the same origin:
X-Frame-Options: SAMEORIGIN
The CSP directive frame-ancestors supersedes this header and also lets you name specific origins; send both until you no longer need to support browsers without CSP Level 2.
HTTP Strict Transport Security is an excellent feature to support on your site. It strengthens your TLS deployment by instructing the User Agent to use HTTPS only: for max-age seconds the browser rewrites http:// requests to your host to https:// before sending them and refuses to let the user click through certificate errors. The header is only honoured when it arrives over a valid HTTPS connection.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Only add preload once you intend to submit the domain to the browser preload list at hstspreload.org. The list requires includeSubDomains and a max-age of at least one year, and removal takes months, so every subdomain (including internal ones) must already work over HTTPS before you commit to it.
X-XSS-Protection controlled the reflected-XSS filter built into older browsers; the value below told the filter to stop rendering the page when it detected an attack:
X-XSS-Protection: 1; mode=block
The filter has since been removed from Chrome and Edge and was never implemented in Firefox, and the filter itself could be abused to disable legitimate scripts or leak information about the page. Current guidance is therefore to rely on a strict CSP and to send X-XSS-Protection: 0 (or omit the header) rather than enabling a filter that no longer exists.
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared Content-Type. The only valid value for this header is "X-Content-Type-Options: nosniff". This protects against attacks that upload a file served as a harmless type (an image, plain text) and rely on the browser reinterpreting it as HTML or JavaScript; it also makes the browser refuse to execute a cross-origin script or stylesheet whose Content-Type is not a script or CSS type, which limits what an attacker can do with a misconfigured upload directory.
Referrer-Policy is a header that allows a site to control how much information the browser includes in the Referer header when navigating away from a document or fetching a resource, and should be set by all sites. With the following header, the browser sends the complete referrer (including the path and query string) only for same-origin requests and nothing at all cross-origin:
Referrer-Policy: same-origin
If third parties need to know where traffic came from, strict-origin-when-cross-origin (the default in current browsers) sends only the origin cross-origin and still strips the referrer on HTTPS-to-HTTP downgrades.
Permissions-Policy (the successor of Feature-Policy) is a newer header that allows a site to control which browser features and APIs can be used by the page and by the frames it embeds. For example, to ensure that an application cannot use the microphone and camera APIs, you would send the following header:
Permissions-Policy: microphone=(), camera=()
An empty allowlist () disables the feature for all browsing contexts (this includes iframes), regardless of their origin; (self) allows it only for your own origin, and a quoted origin such as (self "https://meet.example.com") extends that to a named embed. Note that the grammar changed with the rename: Feature-Policy wrote the same rule as microphone 'none'; camera 'none', and that older syntax is not understood by Permissions-Policy parsers, so a copy-pasted Feature-Policy value silently does nothing.
Here is an example of how these directives could be used in .htaccess (Apache mod_headers):
<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests; default-src 'self' pixabay.com; script-src 'self' cdnjs.cloudflare.com www.google-analytics.com www.googletagmanager.com; img-src 'self' cdn.pixabay.com www.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; font-src 'self' fonts.gstatic.com cdnjs.cloudflare.com; object-src 'none'; base-uri 'self'; form-action 'self'"
# "always" sends the header on non-2xx responses (errors) as well, not only on successful ones
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Frame-Options SAMEORIGIN
# 0 disables the legacy browser XSS filter, which modern browsers no longer ship
Header set X-XSS-Protection "0"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy same-origin
Header set Permissions-Policy "geolocation=(), camera=(), payment=()"
</IfModule>
Two points about this policy: 'unsafe-inline' is tolerable in style-src, where the impact of injected CSS is limited, but must never appear in script-src, because it re-enables exactly the inline injected scripts CSP is meant to stop; and object-src 'none' plus base-uri 'self' close the two common bypasses (plugin content loaded from an allowlisted host, and an injected <base> tag that redirects relative script URLs).
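Once the headers are deployed, you want a repeatable check rather than reading curl -I output by eye. The script below is an added example for this article, not the page's own code: audit() takes a dict of response headers (as returned by any HTTP client) and returns a list of findings covering the headers discussed above, including the Feature-Policy-syntax mistake in Permissions-Policy and an X-XSS-Protection value other than 0. The two header sets at the bottom are constructed: one mirrors the .htaccess above, the other collects common mistakes.

```python
"""Audit a set of HTTP response headers against the recommendations in this article.

Added example, not the page's own code. audit() takes a dict of header
names to values (as returned by an HTTP client, or copied from curl -I)
and returns a list of findings; an empty list means every check passed.
The two header sets at the bottom are constructed: one mirrors the
.htaccess above, the other collects common mistakes.
"""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age


def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit(headers):
    """Return a list of finding strings; header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
            findings.append("CSP: script-src allows 'unsafe-inline', which re-enables injected inline scripts")
        if "object-src" not in csp and "'none'" not in csp.get("default-src", []):
            findings.append("CSP: object-src is not restricted (plugins may load from default-src hosts)")
        if "base-uri" not in csp:
            findings.append("CSP: base-uri is not set (an injected <base> tag can redirect relative script URLs)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year")
        if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
            findings.append("HSTS: preload requires includeSubDomains")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append("Clickjacking: neither X-Frame-Options nor CSP frame-ancestors is set")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Absent is fine (equivalent to 0); any enabled filter value is flagged.
    if h.get("x-xss-protection", "0").split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection: set it to 0; the browser XSS auditor is gone and was abusable")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy missing")
    elif "'" in pp or ";" in pp:   # single quotes / semicolons belong to the old Feature-Policy grammar
        findings.append("Permissions-Policy: value uses Feature-Policy syntax; write feature=() or feature=(self)")
    return findings


# Constructed header sets for the demo (not captured from a real site).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' cdnjs.cloudflare.com; "
                               "style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; "
                               "form-action 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "geolocation=(), camera=(), payment=()",
}
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-XSS-Protection": "1; mode=block",
    "Permissions-Policy": "geolocation 'none'; camera 'none'",   # the old Feature-Policy grammar
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {len(audit(hdrs))} finding(s)")
        for finding in audit(hdrs):
            print("  -", finding)
```

Run against a live site, feed it the headers from a real response (for example the `.headers` of a `urllib.request.urlopen` result) and check the redirect and error pages as well as the home page, since a `Header set` without `always` will leave HSTS off those responses.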