HTTP Security Headers
Security headers are HTTP response headers that define whether a set of security precautions should be activated or deactivated on the web browser.
These headers can be implemented in order to prevent certain classes of attack and in order to improve the overall security of the application.
Content-Security-Policy Header
This is an extra layer of security against multiple vulnerabilities such as cross-site scripting (XSS), Clickjacking, Protocol Downgrading and Frame Injection.
It is a declarative policy that allows the application to inform the client of expected resource sources (scripts, stylesheets, images, fonts, objects, media (audio, video), iframes, and more).
It appears that CSP will become the most significant tool for client-side security in the near future, since it provides a substitute for security headers, such as X-Frame-Options and X-XSS-Protection, that aren't enabled by default.
The following HTTP response header can be used to enforce a content security policy:
Content-Security-Policy: default-src 'self'
This is the most basic policy possible. It assumes that all resources are hosted on the same origin as the affected page and that there are no inline script blocks or evals for script and style resources.
This policy can also be added as a meta tag inside the HTML head:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
CSP delivery through an HTTP response header supports some extra features compared to delivery via an HTML meta element, such as the Content-Security-Policy-Report-Only header and the report-uri, frame-ancestors, and sandbox directives.
To support some versions of IE, you also need to specify the X-Content-Security-Policy header with the same value.
Other headers
X-DNS-Prefetch-Control
This header allows browsers to improve domain name resolution on external links, images, CSS, JavaScript, and more. This prefetching is performed in the background, so the DNS is more likely to be resolved by the time the referenced items are needed. This reduces latency when the user clicks a link.
X-DNS-Prefetch-Control: on
Strict-Transport-Security
This header informs browsers that the site should only be accessed using HTTPS, never plain HTTP. This blocks access to pages or subdomains that can only be served over HTTP.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
(force HTTPS for 2 years)
X-XSS-Protection
This is a browser feature that stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack.
This protection is not necessary when sites implement a strong Content-Security-Policy.
X-XSS-Protection: 1; mode=block
X-Frame-Options
This header indicates whether the site may be displayed within an iframe, which helps prevent clickjacking attacks.
It can be used to stop the application from being framed in undesirable locations.
This protection is superseded when sites implement the frame-ancestors directive in the Content-Security-Policy header, which has better support in modern browsers.
X-Frame-Options: DENY
or
X-Frame-Options: SAMEORIGIN
Permissions-Policy
This header allows the site to control which features and APIs can be used in the browser (enabled or prevented from loading).
You can use this tool to view the full list of permission options and generate a valid Permissions Policy HTTP Header.
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
(all features disabled)
X-Content-Type-Options
Prevents the browser from attempting to guess the type of content if the Content-Type header is not explicitly set.
This prevents content sniffing, which can lead to certain exposures such as an increased chance of XSS and of drive-by download attacks.
X-Content-Type-Options: nosniff
Referrer-Policy
Referrer-Policy is a header that allows a site to control how much information the browser includes when a user navigates from the current website (origin) to another.
By default, browsers will put the full URL of the origin in the Referer header sent to the site that the user is navigating to.
The following HTTP response header can be used to prevent disclosing potentially sensitive information to third-party websites:
Referrer-Policy: strict-origin-when-cross-origin
Cacheable HTTPS Response
Unless directed otherwise, browsers may store a local cached copy of content received from web servers, potentially leaving sensitive data accessible to third parties.
Applications should return caching directives instructing browsers not to store local copies of any sensitive data.
Cache-control: no-store
Pragma: no-cache
Scan site for a security report
With this tool you can scan the security headers of a website, giving you a report of their current status.
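The following is an added example, not code from the original page or from any scanning tool it refers to. It audits a dictionary of response headers against the recommendations above (a CSP without unsafe script sources, framing protection via frame-ancestors or X-Frame-Options, a two-year HSTS max-age, nosniff, a Referrer-Policy and no-store caching); the two sample header sets are constructed, and a real check would take the headers from an HTTP client.

```python
import re  # added example, not the page's own code; sample headers are constructed

def parse_csp(policy):
    # Split a Content-Security-Policy value into {directive: [sources]}
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when not given explicitly
        script = csp.get("script-src", csp.get("default-src", []))
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in script:
                findings.append(f"CSP allows {keyword} for scripts")
    # frame-ancestors supersedes X-Frame-Options, so either one satisfies the check
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < 63072000:  # two years, as in the example above
        findings.append("Strict-Transport-Security missing or max-age under two years")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control does not include no-store")
    return findings

HARDENED = {  # constructed sample of a well-configured response
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}
WEAK = {  # constructed sample that allows inline scripts and has a short HSTS
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
```

Running `audit_headers(WEAK)` reports the unsafe-inline script source, the missing framing protection, the short HSTS lifetime and the four absent headers, while `audit_headers(HARDENED)` returns an empty list.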