HTTP security headers are a crucial part of website security. They protect your users against attacks such as cross-site scripting (XSS), code injection and clickjacking.
What are HTTP Security Headers?
When a user visits a site in a browser, the server answers with HTTP response headers. These headers tell the browser how to behave while communicating with the site.
Let’s have a look at five security headers that will give your site some much-needed protection.
1. HTTP Strict Transport Security (HSTS)
The HSTS header prevents web browsers from accessing the web server over anything other than HTTPS. This helps defeat SSLstrip-style attacks, in which a man-in-the-middle downgrades the connection and serves the site as unencrypted HTTP. HSTS avoids this by telling the browser that it must always use encryption. You should definitely deploy it, so that regular HTTP traffic gets redirected to the secured HTTPS site.
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload
2. Content Security Policy
The Content-Security-Policy HTTP header provides an additional layer of defence. It helps prevent cross-site scripting (XSS) and other code-injection attacks by declaring which content sources are approved; the browser then loads content only from those sources.
Content-Security-Policy: <policy-directive>; <policy-directive>
3. Cross Site Scripting Protection (X-XSS)
The X-XSS-Protection header enables the cross-site scripting (XSS) filter built into modern web browsers. The filter is usually enabled by default, but sending the header enforces it. It is supported by Internet Explorer 8+, Chrome, and Safari. Here is an example of what the header looks like.
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=
4. X-Frame-Options
The X-Frame-Options header provides clickjacking protection by controlling whether your pages may be rendered inside an iframe on another site. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Here is an example of what the header looks like.
X-Frame-Options: ALLOW-FROM https://example.com/
5. X-Content-Type-Options
The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared Content-Type. This reduces the danger of drive-by downloads and makes sure content is handled as the type the server declared. Here is an example of what the header looks like.
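To tie the five headers together, here is an added example (not from the original article) that audits a captured set of response headers for the weaknesses discussed above, such as an empty HSTS max-age or a CSP that still allows inline scripts. The function names, the ONE_YEAR threshold and the constructed WEAK and GOOD responses are this example's own assumptions.

```python
# Added example (not from the original article): audit a captured response for the
# headers the article covers. ONE_YEAR and the pass/fail rules are this example's assumptions.
ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age

def parse_directives(value: str) -> dict:
    """'max-age=63072000; includeSubDomains' -> {'max-age': '63072000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def audit_headers(headers: dict) -> list:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_directives(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
            findings.append("HSTS max-age missing, non-numeric or under one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:  # only the script-src directive matters for the XSS argument
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0] == "script-src" and "'unsafe-inline'" in tokens:
                findings.append("CSP script-src allows 'unsafe-inline'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOW-FROM https://example.com/"}
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    print("WEAK:", audit_headers(WEAK), "\nGOOD:", audit_headers(GOOD) or "all checks passed")
```

Feed it the headers from a real response (for example the dict returned by a requests or urllib call) to see which of the five are missing or weakened on your own site.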