HTTP SECURITY HEADERS

HTTP Security Headers

• HTTP headers are a great booster for web security with easy implementation.

• Proper HTTP response headers can help prevent security vulnerabilities like Cross-Site Scripting, Clickjacking, information disclosure and more.

• HTTP security headers are HTTP response headers that your application can use to increase the security of your web application by instructing browsers how to handle your content.

• These are additional pieces of information included in the HTTP response headers sent by a web server to a client (typically a web browser).

• These headers provide security-related instructions and policies to the browser, helping to protect web applications and users from various online threats and vulnerabilities.

• By configuring these headers, web developers and administrators can bolster the security of their websites and web applications.

• Headers can be grouped according to their contexts:

- Request headers contain more information about the resource to be fetched, or about the client requesting the resource.

- Response headers hold additional information about the response, like its location or about the server providing it.

- Representation headers contain information about the body of the resource, like its MIME type, or encoding/compression applied.

- Payload headers contain representation-independent information about payload data, including content length and the encoding used for transport.
Different Types of Security Headers:

• Content Security Policy (CSP):

- CSP headers specify which sources of content are permitted to be loaded and executed on a web page.

- They prevent Cross-Site Scripting (XSS) attacks by restricting the execution of malicious scripts.

• X-Content-Type-Options:

- This header prevents browsers from interpreting files as different content types than intended.

- It guards against MIME type sniffing attacks.

• X-Frame-Options:

- X-Frame-Options headers prevent a web page from being displayed within an iframe on another site.

- This guards against Clickjacking attacks, where attackers trick users into performing actions unknowingly.

• X-XSS-Protection:

- X-XSS-Protection headers enable or disable the built-in XSS (Cross-Site Scripting) protection mechanisms in web browsers, reducing the risk of reflected XSS attacks.

• Strict Transport Security (HSTS):

- HSTS headers inform browsers to always use a secure (HTTPS) connection when communicating with the website, reducing the risk of man-in-the-middle attacks.

• Referrer Policy:

- Referrer-Policy headers control what information is included in the HTTP Referer header when navigating to external sites, enhancing user privacy and preventing some forms of information leakage.

• Feature-Policy:

- Feature-Policy headers specify which browser features and APIs can be used on a web page, offering control over capabilities to reduce the risk of security vulnerabilities.

• Cross-Origin Resource Sharing (CORS):

- CORS headers define which origins are allowed to access resources on a web page from a different origin, preventing Cross-Site Request Forgery (CSRF) and data leakage.


• Set-Cookie

- The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later.

• Access-Control-Allow-Origin

- The Access-Control-Allow-Origin header is a CORS (cross-origin resource sharing) header.

- This header indicates whether the response it is related to can be shared with requesting code from the given origin.

• Permissions-Policy (formerly Feature-Policy)

- Permissions-Policy allows you to control which origins can use which browser features, both in the top-level page and in embedded frames.

• Server

- The Server header describes the software used by the origin server that handled the request — that is, the server that generated the response.
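The headers listed above, applied in one place: the following is an added example and not part of the original slides. It is a WSGI middleware written with only the Python standard library that adds a baseline set of the security headers named above to every response (without overriding headers the application set itself), appends Secure, HttpOnly and SameSite to every Set-Cookie that lacks them, and drops the Server header so the software version is not disclosed. The header values, the demo application and its cookie are constructed for illustration rather than a policy the slides prescribe; X-XSS-Protection is set to 0 because current OWASP guidance is to disable the legacy browser filter and rely on CSP instead.

```python
# Added example (not from the original slides): a WSGI middleware that applies
# the security headers discussed above to every response.
# Header values, the demo app and its cookie are constructed for illustration.

# Baseline headers; each entry corresponds to a header named on the slides.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    # 0 disables the legacy browser XSS filter (current OWASP guidance); CSP does the work.
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Attributes every Set-Cookie should carry; SameSite=Lax is an assumed default.
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite=Lax")


def harden_cookie(value):
    """Append Secure, HttpOnly and SameSite to a Set-Cookie value when absent."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}  # attributes after name=value
    for flag in COOKIE_FLAGS:
        if flag.split("=", 1)[0].lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


def security_headers_middleware(app):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS."""
    def wrapped(environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            out, seen = [], set()
            for name, value in headers:
                lname = name.lower()
                if lname == "server":
                    continue  # drop software disclosure
                if lname == "set-cookie":
                    value = harden_cookie(value)
                seen.add(lname)
                out.append((name, value))
            # Add baseline headers the app did not set itself (the app's values win).
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in seen:
                    out.append((name, value))
            return start_response(status, out, exc_info)
        return app(environ, hardened_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed demo app: leaks a Server header and sets a bare session cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Server", "ExampleServer/1.0"),          # constructed value, stripped by the middleware
        ("Set-Cookie", "session=abc123; Path=/"),  # constructed value, hardened by the middleware
    ])
    return [b"<h1>hello</h1>"]


def get_response_headers(app, path="/"):
    """Call a WSGI app with a minimal constructed environ (no network) and
    return (status, headers as a dict, body). The dict keeps one value per
    header name, so multiple Set-Cookie lines would collapse to the last one."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, _ = get_response_headers(security_headers_middleware(demo_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Calling get_response_headers on the wrapped demo app shows the merged header set without starting a server; a real deployment wraps its application object the same way and sets the CSP source lists to match what the site actually loads.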

Importance of Security Headers:

• Mitigating Common Web Vulnerabilities: Security headers help mitigate common web vulnerabilities such as XSS, CSRF, Clickjacking, and MIME type sniffing attacks, enhancing the overall security of web applications.

• User Data Protection: They play a crucial role in protecting user data from unauthorized access, ensuring the confidentiality and integrity of sensitive information.

• Preventing Data Leakage: Headers like CSP and Referrer-Policy prevent the unintentional leakage of information to external sites, maintaining user privacy.

• Enhancing Trust: Properly configured security headers demonstrate a commitment to security, building trust among users and potential customers.

• Compliance Requirements: Many security standards and regulations, such as GDPR and PCI DSS, recommend or require the use of specific security headers as part of compliance efforts.

• Search Engine Ranking: Search engines may consider the security posture of a website, including the presence of security headers, when ranking search results. Implementing security headers can positively impact SEO.

• Protection Against Evolving Threats: As web security threats evolve, security headers provide an adaptable and proactive defense mechanism, helping websites stay secure against emerging risks.
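To check which of these mitigations a response actually carries, here is an added audit routine (not from the original slides) that inspects a dict of response headers and reports each header from the list above that is missing or weakly configured: a CSP that lets inline scripts run (XSS), no nosniff (MIME sniffing), no X-Frame-Options and no frame-ancestors directive (Clickjacking), HSTS absent or with a short max-age (man-in-the-middle), a Referrer-Policy that leaks the full URL, a wildcard Access-Control-Allow-Origin combined with credentials, Set-Cookie without Secure/HttpOnly/SameSite, and a Server header disclosing software. The threshold MIN_HSTS_AGE, the severity labels and the two sample responses are constructed for the example.

```python
# Added example (not from the original slides): audit a response's headers and
# report which of the mitigations listed above are missing or weakly set.
# MIN_HSTS_AGE, severities and the two sample responses are constructed for illustration.
import re

MIN_HSTS_AGE = 31536000  # one year, an illustrative threshold


def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def cookie_attrs(value):
    """Lower-cased attribute names of a Set-Cookie value (everything after name=value)."""
    return {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}


def audit_headers(headers):
    """Return [(severity, header, finding)] for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # XSS: scripts must be restricted to known sources.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy", "missing; scripts may load from any source (XSS)"))
    else:
        d = parse_csp(csp)
        script_src = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
        if "'unsafe-inline'" in script_src:
            findings.append(("medium", "Content-Security-Policy", "script-src allows 'unsafe-inline'; injected inline scripts still run"))
        if "*" in script_src:
            findings.append(("high", "Content-Security-Policy", "script-src allows any host"))
    # MIME sniffing.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options", "not 'nosniff'; browser may reinterpret the content type"))
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive must be present.
    xfo = h.get("x-frame-options", "").strip().upper()
    has_frame_ancestors = csp is not None and "frame-ancestors" in parse_csp(csp)
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings.append(("medium", "X-Frame-Options", "page may be framed by other sites (clickjacking)"))
    # Man-in-the-middle: HSTS present with a long enough max-age.
    m = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append(("high", "Strict-Transport-Security", "missing; browser may connect over plain HTTP"))
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(("low", "Strict-Transport-Security", f"max-age {m.group(1)} is below {MIN_HSTS_AGE}"))
    # Information leakage via the Referer header.
    if h.get("referrer-policy", "").strip().lower() in ("", "unsafe-url"):
        findings.append(("low", "Referrer-Policy", "not set or 'unsafe-url'; full URL may reach external sites"))
    # CORS: wildcard origin plus credentials is rejected by browsers and signals an overly broad policy.
    if (h.get("access-control-allow-origin", "").strip() == "*"
            and h.get("access-control-allow-credentials", "").strip().lower() == "true"):
        findings.append(("high", "Access-Control-Allow-Origin", "wildcard origin combined with credentials"))
    # Cookie attributes.
    if "set-cookie" in h:
        attrs = cookie_attrs(h["set-cookie"])
        for needed in ("secure", "httponly", "samesite"):
            if needed not in attrs:
                findings.append(("medium", "Set-Cookie", f"missing {needed} attribute"))
    # Software disclosure.
    if "server" in h:
        findings.append(("info", "Server", f"discloses server software: {h['server']}"))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "Server": "ExampleHTTPd/2.4",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for severity, name, message in audit_headers(WEAK):
        print(f"[{severity}] {name}: {message}")
```

Running the audit on WEAK yields ten findings spread over eight headers, while HARDENED yields none; the same function can be pointed at headers captured from a staging deployment to confirm a configuration change took effect. The Referrer-Policy check reports an unset header as low severity only, because modern browsers already default to strict-origin-when-cross-origin.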
