HTTP Response headers are typically used to transfer security policies to the browser. Bypassing security policies back to the client, hosts can ensure a much safer browsing experience for their visitors and also reduce the risk for everyone involved.
Additional Headers
The first step in hardening your HTTP response headers is looking at the additional headers you can utilize to make your site more secure. These headers give the browser more information about how you want it to behave with regards to your site.
Content Security Policy (CSP)
The CSP header allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser can load for your site, like js and CSS, CSP can act as an effective countermeasure to XSS attacks. Let’s take a look at:
- Security Headers – X-Frame-Options
- Security Headers – X-Content-Type: nosniff
- Security Headers – X-XSS-Protection
Security Headers – X-Frame-Options
The X-Frame-Options header (RFC), or XFO header, protect your visitors against clickjacking attacks. An attacker can load up an iframe on their site and set your site as the source, it’s quite easy:
.
Using some crafty CSS they can hide your site in the background and create some genuine looking overlays.
When your visitors click on what they think is a harmless link, they’re actually clicking on links on your website in the background. That might not seem so bad until we realize that the browser will execute those requests in the context of the user, which could include them being logged in and authenticated to your site!
Valid values include DENY meaning your site can’t be framed, SAMEORIGIN which allows you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify sites that are permitted to frame your own site. In order to improve the security of your site against ClickJacking, it is recommended that you add the following header to your site:
X-Frame-Options: SAMEORIGIN
It is supported by all browsers and prevents an attacker from iframing the content of your site into others.
This article from Mozilla explains it in detail: On the X-Frame-Options Security Header
Enabling this header
You can enable it by modifying your Apache settings or your .htaccess file, and adding the following line to it:
Header always append X-Frame-Options SAMEORIGIN
Security Headers – X-Content-Type: nosniff
Nice and easy to configure, this header only has one valid value, nosniff. It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user-uploaded content that, with clever naming, could be treated as a different content-type, like an executable.
In order to improve the security of your site (and your users) against some types of drive-by-downloads, it is recommended that you add the following header to your site:
X-Content-Type-Options: nosniff
It is supported by IE (Internet Explorer) and Chrome and prevents them from MIME-sniffing a response from the declared content-type.
This article from Microsoft explains it: Reducing MIME type security risks
Enabling this header
You can enable it by modifying your Apache settings or your .htaccess file, and adding the following line to it:
Header set X-Content-Type-Options nosniff
Security Headers – X-XSS-Protection
This header is used to configure the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header are 0, which disables the protection, 1 which enables the protection and 1; mode=block which tells the browser to block the response if it detects an attack rather than sanitizing the script.
In order to improve the security of your site against some types of XSS (cross-site scripting) attacks, it is recommended that you add the following header to your site:
X-XSS-Protection: 1; mode=block
It is supported by IE (Internet Explorer) and Chrome. You can enable it by modifying your Apache settings or your .htaccess file, and adding the following line to it:
Header set X-XSS-Protection "1; mode=block"
How to view HTTP headers in Google Chrome?
To view the request or response HTTP headers in Google Chrome, take the following steps :
- In Chrome, visit a URL, right-click, select Inspect to open the developer tools.
- Select the Network tab.
- Reload the page, select any HTTP request on the left panel, and the HTTP headers will be displayed on the right panel.
That’s all – as always you can comment below.
Leave a Reply to Justyna Cancel reply