top of page

HTTP Security Headers: A complete guide to HTTP headers

Updated: May 21

Why did the HTTP security headers go to therapy? They had major 'insecurity' issues!

HTTP headers are an integral part of the Hypertext Transfer Protocol (HTTP), the foundation of data communication on the World Wide Web. HTTP headers are lines of additional information included in an HTTP request (a.k.a. HTTP request headers) or response (a.k.a. HTTP response headers). They provide essential details about the request or response, allowing the client and server to communicate effectively.


HTTP headers consist of a key-value pair, where the key represents the specific information being conveyed, and the value provides the associated data. The sender includes these headers as part of the header section of the HTTP message.

There are various types of HTTP headers, each serving a specific purpose. Here are some commonly used headers and their functions:


  • Content-Length: This header defines the size of the message body in bytes.

  • User-Agent: Identifies the software (e.g., a web browser) requesting the HTTP.

  • Accept: Specifies the media types the client can understand and accept in the response.

  • Location: Used in HTTP redirects to provide the new URL to the client.

  • Server: Indicates the software or server name that is handling the request.


HTTP request and response headers enable various functionalities, such as content negotiation, caching, authentication, and session management. They play a critical role in facilitating communication between clients and servers, ensuring the efficient exchange of information and proper handling of requests and responses.


HTTP Headers are crucial in enhancing web security and are one of the most straightforward security measures anyone can implement. Employing appropriate HTTP response headers can mitigate potential security risks such as Cross-Site Scripting (XSS), Clickjacking, Information disclosure, and many other vulnerabilities. These headers act as a powerful first shield, safeguarding web applications and protecting them from malicious attacks.


This blog acts as a centralized repository of all HTTP request and response headers relevant to the security of a web domain or page. Here is a quick compilation of what is discussed in this blog:



Access-Control-Allow-Origin HTTP Security Header


The 'Access-Control-Allow-Origin' response header indicates whether the server allows sharing the response with code from a specific origin, enforcing security by controlling cross-origin resource sharing (CORS).


The Cross-Origin Resource Sharing (CORS) mechanism relies on the Access-Control-Allow-Origin header. This header determines if the code from a particular origin can share the requested resource.


For instance, when siteA asks for a resource from siteB, the response from siteB includes the Access-Control-Allow-Origin header to indicate whether siteA can access and retrieve the resource. The Same Origin Policy (SOP) will block the request if this header denies access.


Access-Control-Allow-Origin Security Header
Access-Control-Allow-Origin Security Header

By default, websites are protected by the Same Origin Policy (SOP), which restricts sharing of resources between different origins. However, the Access-Control-Allow-Origin header allows for relaxing this control in specific scenarios.


Access-Control-Allow-Origin: *

The "Access-Control-Allow-Origin" response header permits code from any origin to access a specific resource, enhancing cross-origin accessibility and flexibility. Its inclusion in the response signals unrestricted access. In the above example, setting the Access-Control-Allow-Origin header value to "*" might seem convenient, but it's like leaving the door of our website wide open for everyone. Just like we wouldn't give our house keys to strangers, we shouldn't grant unrestricted access to web resources.


By using "*" as the value, we allow any website to make requests to our server, opening the door to potential security vulnerabilities like Cross-Site Request Forgery (CSRF) and Cross-Site Script Inclusion (XSSI). In order to maintain a strong security posture, it's essential to be selective and verify the origins in the header. Doing so will allow us to retain control over which websites can securely access our resources.


Access-Control-Allow-Origin: https://darkrelay.com

The response includes the "Access-Control-Allow-Origin" header, allowing the browser to permit code from the specific origin "https://darkrelay.com" to access the requested resource, enabling secure cross-origin access.

The server compares the "Origin" request header against a list of allowed origins. Suppose the "Origin" value is found in the list. In that case, the server sets the "Access-Control-Allow-Origin" value to match the "Origin" value, limiting the allowed origins for secure cross-origin communication.


Content-Type Header


The "Content-Type" header specifies the resource's media type being sent or requested. It brings a security feature by ensuring proper handling and interpretation of the data, helping to prevent malicious content execution or misinterpretation by the recipient.


Content Type Header
Content Type Header

The Content-Type header is vital for web security as it specifies the original media type of a resource before content encoding. It ensures proper interpretation by the client and helps prevent security risks like Cross-Site Scripting (XSS).


Content-Type: text/html; charset=UTF-8
Content-Type: multipart/form-data; boundary=sample

Explaining directives for Content Type Header


Media-type

The "Content-Type" header provides information about the specific data type or resource being sent or received using the MIME (Multipurpose Internet Mail Extensions) type. For more information on MIME type please refer here.


Charset

The "charset" refers to the character encoding standard used for the data. It specifies how the characters within the content should be interpreted and displayed, with lowercase characters being the preferred format.

Boundary

The "boundary" directive is necessary for multipart entities. It comprises 1 to 70 robust characters (excluding whitespace) and encloses the boundaries of message parts, often prefixed and suffixed with two dashes.


It is imperative to pay attention to the Content-Type header when handling untrusted resources meant to be rendered by the client. By setting the appropriate Content-Type, developers can mitigate the possibility of XSS attacks and maintain the security and reliability of their web applications.


Content-Security-Policy (CSP) Security Header


A content Security Policy (CSP) is a security measure that detects and mitigates attacks like Cross-Site Scripting (XSS) and data injection. It protects against data theft, site defacement, and malware distribution by enforcing strict rules on how resources are loaded and executed on a website.


Content-Security-Policy Header
Content-Security-Policy Header

Content Security Policy common values explained


Content-Security-Policy: policy

This value of Content Security Policy (CSP) specifies that a string consisting of policy directives defines the website's security policy rules.


Content-Security-Policy: default-src 'self'

With this value, the website administrator aims to restrict content to be sourced exclusively from the site's origin, excluding subdomains.


Content-Security-Policy: default-src 'self' example.com *.example.com

The website administrator intends to permit content from a trusted domain and all of its subdomains, regardless of whether it is the same domain on which the CSP header is set.


Content-Security-Policy: default-src 'self'; img-src *; media-src example.org example.net; script-src userscripts.example.com

The website administrator desires to enable web application users to include images from any origin in their content while limiting audio or video media to trusted providers and allowing scripts only from a specific server hosting trusted code.


Content-Security-Policy: default-src https://darkrelay.com

The website administrator of a dark-relay site aims to enforce TLS (Transport Layer Security) for loading all content, safeguarding against eavesdropping attacks by preventing unauthorized access to requests.


Content-Security-Policy: default-src 'self' *.example.com; img-src *

Using the above value, the website administrator of a webmail site intends to permit HTML and images in emails but restrict the inclusion of JavaScript or other potentially harmful content for security reasons. The CSP does not explicitly specify a "script-src" directive in this example. As a result, the "default-src" directive is utilized, restricting scripts to load exclusively from the server of origin.


The report JSON object, sent with the "application/csp-report" Content-Type, contains essential data, including the:

  • blocked URI

  • disposition

  • document URI

  • effective directive

  • original policy

  • referrer (deprecated)

  • script sample

  • status code

  • violated directive (deprecated).

It provides insights into the resources of the Content Security Policy blocks, enforcement details, and relevant contextual information.


It's important to note that implementing the CSP header is most relevant for pages that can load and interpret scripts and code. However, it may hold little significance in the response of a REST API that solely returns content without rendering it.


Cross-Origin-Embedder-Policy Security Header


The Cross-Origin-Embedder-Policy (COEP) response header controls the embedding of cross-origin resources in the document.

It is important to note that enabling the COEP header may block cross-origin resources that are not adequately configured to grant permission. This mechanism acts as a security measure, protecting against potential risks associated with unauthorized resource loading and cross-origin attacks.

Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless

Explaining COEP directives


  • Unsafe-none: This default value allows the document to fetch cross-origin resources without requiring explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.

  • Require-corp: This value specification ensures that a document can only load resources from the same origin or explicitly marked as loadable from another origin. If a cross-origin resource supports CORS, either the cross-origin attribute or the Cross-Origin-Resource-Policy header must load it without COEP blocking it.

  • Credentialless: When making no-cors cross-origin requests, credentials such as cookies are not included in the request and are ignored in the response. The responses are allowed without explicit permission but must adhere to the Cross-Origin-Resource-Policy header. For navigate responses, they behave similarly to the require-corp mode, which requires the Cross-Origin-Resource-Policy response header.


To effectively implement the COEP header, careful consideration must be given to the configuration of cross-origin resources and their permissions. Following best practices and ensuring the necessary policies are correctly set to allow the desired cross-origin resource interactions while blocking unauthorized access is crucial.


Cross-Origin-Resource-Policy Security Header


Cross-Origin Resource Policy (CORP) is a protection mechanism enabled through the Cross-Origin-Resource-Policy HTTP header. It safeguards websites and applications against specific requests from other origins, reducing the risk of speculative side-channel attacks (e.g., Spectre) and Cross-Site Script Inclusion attacks.

The CORP header is particularly effective in mitigating the risks associated with cross-origin attacks, where an attacker attempts to exploit vulnerabilities in a different origin to gain unauthorized access or extract sensitive information. By restricting the inclusion of resources to trusted origins, the CORP header prevents malicious actors from executing malicious code within their context.


Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

CORS Header Usage


  • same-site: Only same-site requests can access the resource, as enforced by Cross-Origin Resource Policy.

  • Same-origin: The resource can only be accessed by requests from the same origin (scheme + host + port), as defined by Cross-Origin Resource Policy.

  • Cross-origin: Requests from any origin, whether from the same site or a cross-site origin, can read the resource as per the Cross-Origin Resource Policy.


Configuring the CORP header (properly) ensures that only authorized and trusted origins can include resources. By implementing this header, web applications can significantly reduce the potential attack surface and enhance their overall security.


Cross-Origin-Opener-Policy Security Header


The Cross-Origin-Opener-Policy (COOP) header in HTTP allows us to prevent a top-level document from sharing a browsing context group with cross-origin documents.


The implementation of the HTTP Cross-Origin-Opener-Policy (COOP) response header serves as a vital safeguard, ensuring that a top-level document maintains strict isolation from cross-origin documents, thereby thwarting any unauthorized sharing of browsing context groups and safeguarding against plagiarism or illicit replication. It is an important security measure that works with Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Resource-Policy (CORP) headers.


Cross-Origin-Opener-Policy Header
Cross-Origin-Opener-Policy Header

This header plays a crucial role in safeguarding against attacks such as Spectre, which can potentially breach the security boundaries established by the Same Origin Policy (SOP) for resources within the same browsing context group.


Cross-Origin-Opener-Policy: unsafe-none
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Opener-Policy: same-origin

Explaining directives for COOP Header


  • unsafe-none: This is the default behaviour where a document can be added to its opener's browsing context group unless it has a COOP of same-origin or same-origin-allow-popups.

  • Same-origin-allow-popups: Retains references to the newly opened windows or tabs that either don't set COOP or those that opt out of isolation by setting a COOP header with a value of "unsafe-none".

  • Same-origin: This isolates the browsing context exclusively to same-origin documents, preventing cross-origin documents from being loaded in the same context.


The Cross-Origin-Opener-Policy (COOP) header protects by preventing cross-origin documents from sharing a browsing context group with a top-level document. It works with related headers to enhance web browsing security and mitigate risks associated with cross-origin attacks.


Set-Cookie Header


The Set-Cookie HTTP response header sends a cookie from the server to the user's browser, allowing the server to store information for future requests. Multiple cookies can be sent by including multiple Set-Cookie headers in the response.


Set-Cookie Header
Set-Cookie Header

While the Set-Cookie header is not categorized as a security header, its security attributes/flags are critical in ensuring secure session management and protection against potential vulnerabilities.


Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>
Set-Cookie: <cookie-name>=<cookie-value>; Partitioned
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure

Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=None; Secure
// Multiple attributes are also possible, for example:
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly

Explaining Attributes of Set-Cookie Header


max-age=<number>

The Max-Age attribute specifies the number of seconds until a cookie expires. A value of zero or a negative number will immediately expire the cookie. If both Expires and Max-Age are set, Max-Age takes precedence.


Httponly

The HttpOnly attribute restricts JavaScript access to a cookie by accessing it through the Document.cookie property. However, it does not prevent the cookie from being sent with JavaScript-initiated requests like XMLHttpRequest or fetch. This attribute helps mitigate cross-site scripting (XSS) attacks.


Secure

The "Secure" attribute helps us ensure that the cookie is only presented to the server when a request is made over the HTTPS scheme (except on localhost), making it more secure against man-in-the-middle attacks.

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT
Set-Cookie: id=a3fWa; Max-Age=2592000

Same-site

  1. Strict: When the SameSite property is set to "Strict," the cookie will, as it were, be sent in demands if they begin from the same location as the one that set the cookie. Cross-site demands, such as those from third-party websites, will not incorporate the cookie. This successfully avoids CSRF assaults where an aggressor traps a user's browser into making unauthorized activities on another site.

  2. Lax: With the SameSite attribute set to "Lax," the cookie can be sent in cross-site requests but only for top-level navigations (e.g., clicking on a link). However, cross-site requests initiated by other means, such as those made by third-party resources (like images or scripts), will not include the cookie. This provides a good balance between security and usability.

  3. None: Setting the SameSite property to "None" permits the cookie to be sent in all cross-site demands, typically utilized when web applications have to be back in scenarios where treats are required for verification or other functionalities in cross-origin settings. Web admins should utilize this header wisely because it can open up security flaws, mainly if the cookie contains sensitive data.


Partitioned

The SameSite attribute can be altered to a "None" value to indicate that the cookie should be stored using partitioned storage.


Permanent cookies, a.k.a. persistent cookies, are not removed when the client is closed. They are either deleted at a specific date defined by the Expires attribute or after a specific length of time specified by the Max-Age attribute.

// Both accepted when from a secure origin (HTTPS)
Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
Set-Cookie: __Host-ID=123; Secure; Path=/


// Rejected due to missing Secure attribute
Set-Cookie: __Secure-id=1


// Rejected due to the missing Path=/ attribute
Set-Cookie: __Host-id=1; Secure
// Rejected due to setting a Domain
Set-Cookie: __Host-id=1; Secure; Path=/; Domain=example.com

Cookies with names prefixed with "__Secure-" or "__Host-" have special restrictions to enhance security. These cookies can only be used if they are set with the "secure" attribute from a secure (HTTPS) origin.

Furthermore, cookies with the "__Host-" prefix must have a path of "/" (meaning any path at the host) and must not include a Domain attribute. These additional constraints help prevent certain types of security vulnerabilities.


It is recommended to refer to the Session Management Cheat Sheet to ensure the secure handling of cookies, which provides detailed explanations and best practices for configuring cookie settings. By following these guidelines, you can establish proper cookie management and enhance the security of your web applications.

Strict-Transport-Security (HSTS) Security Header


The HTTP Strict-Transport-Security (HSTS) response header instructs browsers to access the site exclusively via HTTPS, automatically converting any HTTP attempts to HTTPS for enhanced security.


Websites use the HTTP Strict-Transport-Security (HSTS) response header to enforce secure communication by instructing browsers to access the website via HTTPS instead of HTTP. This ensures a secure browsing experience by setting a long duration for HSTS, including subdomains and enabling preloading.


Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

Strict-Transport-Security(HSTS) Security Header
Strict-Transport-Security(HSTS) Security Header

Explaining directives for HSTS Header


  • max-age=<expire-time>: The specified duration, in seconds, determines how long the browser should remember that the site can only be accessed using HTTPS.

  • includeSubDomains: By providing this optional parameter, the rule also extends to encompass all site subdomains.

  • Preload: When we use preload, we must set the max-age directive to a minimum of 31536000 (1 year) and include the includeSubDomains directive.


Strict-Transport-Security: max-age=31536000; includeSubDomains

All present and future subdomains will enforce HTTPS for one year (max-age=31536000) with the configuration specified. This prevents access to pages or subdomains that can only be served over HTTP.


Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

In this example, the max-age is set to 2 years, followed by the "preload" suffix. Including "preload" is essential for adding the site to the HSTS preload lists of major web browsers such as Chromium, Edge, and Firefox.


SSL Stripping Attack
SSL Stripping Attack

However, it is crucial to thoroughly understand how the HSTS header works before implementing it. Misconfiguration or issues with the SSL/TLS certificate could result in legitimate users being unable to access the website. For instance, if the HSTS header has an extended duration, and the SSL/TLS certificate expires or is revoked, users may be locked out until the HSTS duration has expired.

Referrer-Policy Header


The Referrer-Policy HTTP header governs the extent of referrer information included in requests specified by the Referer header. In addition to setting this policy via the HTTP header, it can also be configured within HTML.


The Referrer-Policy HTTP header manages the level of referrer information included in requests through the Referer header. This header allows control over how much detail should be disclosed, such as origin, path, and query string.


Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Explaining directives for Referrer-Policy Header


No-referrer

Implementing this configuration will exclude the Referer header, ensuring that sent requests do not contain any referrer information.


No-referrer-when-downgrade

The Referer header includes the origin, path, and query string when the protocol security level remains the same or improves (e.g., HTTP to HTTP, HTTP to HTTPS, HTTPS to HTTPS). However, it omits the Referer header for requests to less secure destinations (e.g., HTTPS to HTTP, HTTPS to file).


Origin

In this case, only the origin is sent in the Referer header. For instance, if the document is at https://example.com/page.html, the referrer sent will be https://example.com/.


Origin-when-cross-origin

The origin, path, and query string are included in same-origin requests to the same protocol level (e.g., HTTP to HTTP, HTTPS to HTTPS). Only the origin is sent for cross-origin requests and requests to less secure destinations (e.g., HTTPS to HTTP).


Same-origin

The Referer header includes the origin, path, and query string for same-origin requests. However, for cross-origin requests, the Referer header is not sent.


Strict-origin

In scenarios where the protocol security level remains the same (e.g., HTTPS to HTTPS), only the origin is sent in the Referer header. However, the Referer header is not included when accessing less secure destinations (e.g., HTTPS to HTTP).


Strict-origin-cross-when-origin

When making a same-origin request, the Referer header includes the origin, path, and query string. For cross-origin requests, the Referer header only includes the origin if the protocol security level remains unchanged (e.g., HTTPS to HTTPS). However, the Referer header is not sent to less secure destinations (e.g., HTTPS to HTTP).


Unsafe-URL

In all types of requests, regardless of security, the Referer header includes the origin, path, and query string.


Referrer-Policy: no-referrer, strict-origin-when-cross-origin

The "no-referrer" policy is utilized in the mentioned scenario only when the browser does not support the "strict-origin-when-cross-origin" policy.

The Referrer-Policy header empowers website owners to manage the level of referrer information shared in requests. To ensure consistent and secure behaviour across different browser versions, including this header in all requests is recommended, enforcing the desired referrer policy.

X-Content-Type-Options Security Header


The web server uses the X-Content-Type-Options header to specify that the declared Content-Type should be followed and not changed. It helps prevent MIME type sniffing by indicating that the specified MIME types are intentionally set and should not be overridden.

Including the X-Content-Type-Options response HTTP header serves as a critical security measure employed by servers to convey specific directives to web browsers concerning the treatment of MIME types specified within the Content-Type headers. It is a preventive measure against a potential security vulnerability known as MIME Confusion Attacks.


Microsoft introduced the X-Content-Type-Options header in IE 8 to prevent content sniffing and transform non-executable MIME types into executable ones. Other browsers have adopted this header, although their MIME sniffing algorithms may be less aggressive.


X-Content-Type-Options: nosniff

Explaining directives for X-Content-Type-Options Header


nosniff

The X-Content-Type-Options header blocks requests if the destination is a style or script file and the declared MIME type does not match the expected types (text/CSS for styles and JavaScript MIME types for scripts).


MIME Sniffing
MIME Sniffing

Implementing the X-Content-Type-Options header as part of a comprehensive security strategy provides a layer of protection for web applications, safeguarding them against the misuse or misinterpretation of MIME types by browsers.


X-Frame-Options Security Header


The X-Frame-Options HTTP response header controls whether a webpage can display within a frame or iframe. It ensures that the content is not embedded in other sites, helping prevent click-jacking attacks.


X-Frame-Options Security Header
X-Frame-Options Security Header

The X-Frame-Options HTTP response header serves as a security measure that allows websites to specify whether a browser should be permitted to render their pages within a frame or an iframe. By utilizing this header, sites can protect against clickjacking attacks by ensuring their content is not embedded into other websites without authorization.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Explaining directives for X-Frame-Options Header


  • DENY: The page is prevented from being displayed within a frame, regardless of the site's attempts to do so.

  • SAMEORIGIN: If the X-Frame-Options header is set to SAMEORIGIN, we can only display the webpages if all ancestor frames have the identical origin as the page itself.

  • ALLOW-FROM origin: This directive is obsolete and no longer supported in modern browsers. Using it will have the same effect as not including the header. Using the frame-ancestors directive in the Content-Security-Policy HTTP header is recommended instead.

Configuring Apache to send X-Frame-Options


To configure an Apache instance to send the "X-Frame-Options" header for all pages, we can add the following code to our site's configuration:


Header always sets X-Frame-Options "SAMEORIGIN"

This value ensures that the X-Frame-Options header is included in all pages' responses.

To configure Apache to set the X-Frame-Options header to DENY for all pages, add the following code to your site's configuration:

Header set X-Frame-Options "DENY"

This configuration ensures that the X-Frame-Options header is included in the response for all pages, instructing the browser not to display the page in an HTML frame under any circumstances.

Configuring Ngnix to send X-Frame-Options


To configure Nginx to send the X-Frame-Options header, you can add the following code to your Nginx configuration within the http, server, or location block:


add_header X-Frame-Options SAMEORIGIN always;

This configuration ensures that the X-Frame-Options header is included in the response, instructing the browser to (only) allow the page to be displayed in a frame if the origin matches the page's origin.


Configuring HAPProxy to send X-Frame-Options

To configure the HAProxy, so that it sends the X-Frame-Options header, add the following line to your HAProxy configuration within the front-end, listen, or backend section:


http-response set-header X-Frame-Options SAMEORIGIN

This will set the X-Frame-Options header to "SAMEORIGIN" in the HTTP response, indicating that the page should only be displayed in a frame if the origin matches the page's origin.


Furthermore, it's worth mentioning that the X-Frame-Options header is only applicable when the HTTP response includes interactive elements like links or buttons. If the response over HTTP is a redirect or if it returns JSON data for an API, the X-Frame-Options header does not provide any security benefits.


X-XSS-Protection Security Header


The X-XSS-Protection header, supported by Internet Explorer, Chrome, and Safari, helps prevent reflected cross-site scripting (XSS) attacks. However, it's generally unnecessary in modern browsers when a strong Content-Security-Policy is in place to disable unsafe inline JavaScript.

X-XSS-Protection Header
X-XSS-Protection Header

The HTTP X-XSS-Protection response header is a security feature in Internet Explorer, Chrome, and Safari browsers. It prevents loading web pages when identified as susceptible to reflected cross-site scripting (XSS) attacks.


X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>

X-XSS-Protection Header common values explained


0: Disables XSS-Filters.


1: The X-XSS-Protection header enables built-in XSS filtering in browsers. If a cross-site scripting attack is detected, the browser will try to sanitize the page by removing the unsafe parts.

1; mode=block: The X-XSS-Protection header enables XSS filtering in browsers. If an XSS attack is detected, the browser will prevent page rendering instead of sanitizing it.

1; report=<reporting-URI> (Chromium only): The X-XSS-Protection header enables XSS filtering in browsers. If an XSS attack is detected, the browser will sanitize the page and report the violation using the report-uri directive of the Content-Security-Policy (CSP).

While the X-XSS-Protection header protects users of older web browsers that may not yet support Content Security Policy (CSP), it is essential to note that in specific scenarios, this header can introduce XSS vulnerabilities into websites that would otherwise be considered safe. However, caution must be exercised, as relying solely on this header may not provide comprehensive protection, and there is a possibility of unintentionally introducing XSS vulnerabilities in some instances.

X-Permitted-Cross-Domain-Policies Security Header


The X-Permitted-Cross-Domain-Policies (XPCDP) header is a security-related HTTP response header that allows web administrators to define the policy for cross-domain communications on websites. It is used to control how web browsers handle cross-domain requests, such as loading resources or making requests between different domains.


The XPCDP header specifies a policy file location that defines permissions for cross-domain requests. The policy file is typically an XML document that outlines the rules and permissions for cross-domain communication. The header value can be set to one of the following options:

X-Permitted-Cross-Domain-Policies: none
  1. None: Indicates that no cross-domain access is allowed, and any attempts should be blocked.

  2. Master-only: Allows cross-domain access to the master policy file defined on the same domain.

  3. By-content-type: Allows cross-domain access to other domains based on the content type of the resource being requested.

  4. By-FTP filename: Allows cross-domain access to other domains based on the filename of the requested resource.

  5. All: When the header is set to "all," the website allows cross-domain interactions, including cross-origin requests and script inclusions.

By implementing the X-Permitted-Cross-Domain-Policies header with an appropriate policy file, web administrators can control and restrict how their website interacts with other domains, helping to mitigate potential security risks, such as cross-site scripting (XSS) attacks or cross-domain data leakage.

It's important to note that all web browsers do not widely support the XPCDP header, so its effectiveness may vary across different client environments. However, it provides an additional layer of security control over cross-domain communications for compatible browsers.


Cache-Control Header


The Cache-Control header is used in HTTP responses to specify caching directives for how the client (such as a web browser) and intermediate caches should handle and cache the response. It allows web administrators to control the caching behaviour of resources on the client side and improve website performance.

Cache-Control: public, max-age=3600

This header instructs the client and intermediary caching entities that the response can be cached publicly and served from the cache for up to 3600 seconds (1 hour) before revalidating The Cache-Control header can include various directives that define caching rules.


Cache-Control Header
Cache-Control Header

Explaining directives for Cache-Control Header

  • Public: Indicates that both the client and intermediary caches can cache the response.

  • Private: Specifies that the response is intended for a specific user and should not be cached by intermediary caches.

  • No-cache: Indicates that the response should only be served from the cache after first revalidating with the server.

  • No-store: Instructs the client and intermediary caches not to store a cached copy of the response under any circumstances.

  • Max-age=<seconds>: This value specifies the maximum amount of time in seconds that the response can be considered fresh and served from the cache without revalidating.

  • S-maxage=<seconds>: Similar to max-age, but specifically for shared or intermediary caches.

  • Must-revalidate: The client must revalidate a cached response with the server before using it again.

  • Proxy-revalidate: Similar to must-revalidate, but specifically for intermediary caches.

By properly configuring the Cache-Control header, web administrators can control how browsers and caches handle caching of resources. This can help improve website performance, reduce server load, and ensure users receive the most up-to-date content. However, if the Cache-Control header is misconfigured, it can open avenues for cache deception attacks.


X-Powered-By Header


The X-Powered-By header reveals the technologies the web server employs, exposing it to potential security threats. Attackers can leverage this information to identify specific technologies and potentially exploit known vulnerabilities associated with those technologies.


X-Powered-By Header
X-Powered-By Header

It is important to note that disclosing the server information through the X-Powered-By header can make it easier for attackers to target and compromise the server. By removing or modifying this header, web applications can reduce the surface area of attack and make it more challenging for potential attackers to identify and exploit vulnerabilities.


X-Powered-By: Nginx

To enhance the security posture of web applications, avoiding including sensitive information in the X-Powered-By header and following best practices for server configuration and hardening is recommended.

Public-Key-Pins(HPKP) header


The Public Key Pinning Extension (HPKP) was a security mechanism instructing a web client to associate a particular cryptographic public key with a particular web server, helping reduce the risk of man-in-the-middle (MITM) attacks that exploit forged certificates. However, this header has since been deprecated and is NOT RECOMMENDED.




In conclusion, implementing robust security headers is paramount for protecting web applications against a vast range of vulnerabilities, with a particular focus on mitigating cross-site scripting (XSS) attacks.


By leveraging these HTTP Security Headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS) , and numerous other relevant security measures discussed above, we fortify our websites against malicious injection of client-side scripts. By prioritizing and properly configuring these headers, we safeguard our users' sensitive information and ensure a secure browsing experience.


References:

 

Register for instructor-led online courses today!


Check out our free programs!


Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.

3,270 views

Recent Posts

See All

Comments


bottom of page