How to improve your website security with HTTP header instructions?

The HTTP protocol provides several response headers that give simple improvements to your website's security. As usual, make sure to run full tests on your website after enabling them, as some options may cause features to stop working (inline scripts blocked by a policy, embedded widgets refused by framing rules, mis-typed static files rejected by nosniff).

Available options

Content Security Policy

The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks, but only if the script-src (or default-src) directive does not allow 'unsafe-inline' without a nonce or hash; a policy that does still lets injected inline scripts run. Deploy a new policy first as Content-Security-Policy-Report-Only, which reports violations without blocking anything, and switch to the enforcing header once the reports are clean.

Content-Security-Policy: <policy-directive>; <policy-directive>

More information about CSP can be found on the Mozilla Developer Network at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
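As an added example (not code from the page), here is a small Python linter for the directive syntax shown above. It applies the rules a browser applies when it reads the header (the first occurrence of a directive wins, fetch directives fall back to default-src, 'unsafe-inline' is ignored once a nonce or hash is present, host and scheme sources are ignored under 'strict-dynamic') and flags the weaknesses that turn a policy into a no-op against XSS. The two policy strings are constructed for the example and the nonce value is a placeholder, not a value from the page.

```python
"""Lint a Content-Security-Policy value for weaknesses that defeat its XSS protection.
Added example, not from the original page; the policies below are constructed."""
from typing import Dict, List

# Fetch directives: when absent they fall back to default-src.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "object-src",
    "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample policies (placeholder nonce, example CDN host).
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; img-src *"
STRICT_POLICY = ("default-src 'none'; script-src 'nonce-R4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
                 "object-src 'none'; base-uri 'none'; frame-ancestors 'none'; img-src 'self'; style-src 'self'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}. Directive names are case-insensitive and a
    directive repeated later in the policy is ignored, which is what browsers do."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources in force for a directive after the default-src fallback; None = unrestricted."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES and "default-src" in directives:
        return directives["default-src"]
    return None


def script_weaknesses(sources):
    """Findings for the script-src source list, honouring nonce/hash and 'strict-dynamic' semantics."""
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    strict_dynamic = "'strict-dynamic'" in lowered
    out = []
    for s in lowered:
        if s == "'unsafe-inline'" and not has_nonce_or_hash:
            out.append("script-src allows 'unsafe-inline': injected <script> runs, no XSS protection")
        elif s == "'unsafe-eval'":
            out.append("script-src allows 'unsafe-eval': eval()/new Function() on injected strings")
        elif s in ("*", "https:", "http:", "data:") and not strict_dynamic:
            out.append(f"script-src allows {s}: scripts load from any matching origin")
    return out


def lint_csp(policy):
    """Return a list of findings; an empty list means no obvious weakness."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("missing default-src: every fetch directive left out is unrestricted")
    scripts = effective_sources(d, "script-src")
    if scripts is None:
        findings.append("no script-src and no default-src: script loading is unrestricted")
    else:
        findings.extend(script_weaknesses(scripts))
    objects = effective_sources(d, "object-src")
    if objects is None or "'none'" not in [o.lower() for o in objects]:
        findings.append("object-src is not 'none': plugin content via <object>/<embed> may run")
    if "base-uri" not in d:
        findings.append("missing base-uri: an injected <base> tag redirects relative script URLs")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, lint_csp(policy) or "OK")
```

The strict policy passes because its 'unsafe-inline' and https: entries are only fallbacks for older browsers; a browser that understands nonces and 'strict-dynamic' ignores them, so they cost nothing while the nonce keeps injected scripts out.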

Strict Transport Security

If your website is served over HTTPS, adding HTTP Strict Transport Security (HSTS) tells browsers that have seen the header to reach the site only over HTTPS for max-age seconds, even when the user types http://, and to refuse to click through certificate errors. Note that a browser only learns the policy on a visit that already went over HTTPS, so the very first request of a new visitor is still unprotected; the preload list below closes that gap.

Strict-Transport-Security: max-age=631138519; includeSubDomains

The max-age above is about 20 years. The preload directive allows inclusion in the preload list built into browsers, but requires that all subdomains be served with HTTPS enabled (includeSubDomains), a max-age of at least one year (31536000 seconds) and the preload token itself in the header. To submit your domain for inclusion, use the form at hstspreload.org. Removal from the list takes a long time to reach users, so only preload once every subdomain, internal ones included, serves HTTPS.

X Frame Options

Prevent your page from being embedded in a <frame>, <iframe>, <embed> or <object> on another site (clickjacking protection). DENY refuses all framing; use SAMEORIGIN if your own pages frame each other. The CSP frame-ancestors directive supersedes this header and can list specific allowed origins, which X-Frame-Options cannot do reliably (ALLOW-FROM was never widely supported).

X-Frame-Options: DENY

X Content Type Options

Disable MIME type sniffing, which could otherwise let Internet Explorer execute an innocent-looking image URL as JavaScript when the response body looks like script. With nosniff, browsers also refuse to run a script, or apply a stylesheet, whose declared Content-Type does not match, so make sure your static files are served with correct types before enabling it.

X-Content-Type-Options: nosniff

X XSS Protection

X-XSS-Protection is an HTTP header understood by Internet Explorer 8 and newer (and, for some years, by Chrome and Safari). It lets a site toggle the browser's built-in "XSS filter", which blocks some categories of reflected XSS. That filter is now obsolete: Chromium removed it in Chrome 78, Edge followed and Firefox never implemented it, so current browsers ignore the header; a strict Content-Security-Policy is the replacement. If you still send it for old browsers, 1; mode=block is safer than the default mode 1, which rewrote the page and was itself abusable; OWASP now recommends the value 0 (filter off) where a CSP is in place.

X-XSS-Protection: 1; mode=block

Implementation

Implementation varies depending on your website’s server.

Apache

For an Apache web server, use the Header set directive of mod_headers, either in the virtual host configuration or in a .htaccess file (the module must be enabled, and .htaccess use requires AllowOverride FileInfo). Prefer the "Header always set" form so the headers are also sent on error responses such as 404 pages, which plain "Header set" skips.

nginx

For an nginx web server, use the add_header directive. Beware that add_header directives are not inherited from an enclosing block as soon as a nested server or location block defines one of its own, so either set the whole list at the server level only or repeat the full set in every block that adds a header; use the "always" parameter so error responses carry them too.

IIS

For an IIS web server, add the headers in the <customHeaders> section under <system.webServer><httpProtocol> in web.config.

PHP

For a web-server-agnostic implementation, the PHP header() function can also be used; it must be called before any output is sent, otherwise the headers are silently dropped with a "headers already sent" warning.
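The same application-level approach as the PHP header() calls, as an added example that is not from the page: a WSGI middleware that stamps the headers onto every response of any Python web application, independent of the web server in front of it. The header values are illustrative, not a policy from the page, and demo_app and run_request are assumed helpers written for the example.

```python
"""Security headers as WSGI middleware (added example, not from the original page).
Equivalent to calling PHP's header() before output: the headers are added when the
application calls start_response, before any body bytes go out."""
from wsgiref.util import setup_testing_defaults

# Illustrative values; tune the CSP to the site before deploying.
SECURITY_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "0"),  # legacy filter off; CSP above is the real protection
]
# Browsers ignore HSTS received over plain HTTP, so it is only added on TLS responses.
HSTS = ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")


def security_headers(app):
    """Wrap a WSGI app so every response carries the headers above."""
    def wrapped(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            headers = list(headers)
            present = {name.lower() for name, _ in headers}
            wanted = list(SECURITY_HEADERS)
            if environ.get("wsgi.url_scheme") == "https":
                wanted.append(HSTS)
            for name, value in wanted:
                if name.lower() not in present:  # an explicit app header wins
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_headers)
    return wrapped


def demo_app(environ, start_response):
    """Minimal application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def run_request(app, scheme="https"):
    """Drive one request through the app offline; return (status, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    b"".join(app(environ, start_response))  # consume the body
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    status, headers = run_request(security_headers(demo_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The middleware does not overwrite a header the application already set, so a single page that legitimately needs a looser policy can emit its own; audit those exceptions, since they are where the protection erodes.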

HTML

For a web-server-agnostic implementation, the HTML http-equiv meta tag can only be used for Content-Security-Policy, and even there the frame-ancestors, report-uri and sandbox directives are ignored. X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options and X-XSS-Protection are only honoured as real HTTP headers, so a meta tag is no substitute for them.

WordPress

For a WordPress site, the same PHP header() calls can be attached to the send_headers action from a plugin or the theme's functions.php, so they run before any output is produced. I've recently written a WordPress security plug-in to handle this easily.

Reporting

Once the headers are deployed, verify them from outside rather than trusting the configuration: make sure to run the Page, Header & Cookie Security Analyser, and securityheaders.io is a useful resource for evaluating your website's headers. Check the HTTPS origin, an error page (a 404) and a redirect, since headers that are only set on successful responses are a common gap.
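What such an analyser checks, as an added example that is not part of the original page: it parses the head of an HTTP response and applies, offline, the presence and value checks from the sections above, including the three header-level conditions the preload list requires from the Strict Transport Security section. RAW_RESPONSE is a constructed sample, not a capture of any real site; to audit a live site, replace it with the response head from an HTTPS request and reuse audit_headers().

```python
"""Offline audit of security headers in a raw HTTP response (added example, not from
the original page). The response below is constructed for illustration."""

RAW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300; includeSubDomains
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: nginx
"""

ONE_YEAR = 31536000  # minimum max-age accepted for the HSTS preload list


def parse_response_headers(raw):
    """Return (status line, {lower-case name: [values...]}) from a raw response head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_hsts(value):
    """Return (max_age or None, includeSubDomains, preload) from an HSTS header value."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def preload_eligible(value):
    """The three conditions the preload submission form checks in the header itself."""
    max_age, include_sub, preload = parse_hsts(value)
    return max_age is not None and max_age >= ONE_YEAR and include_sub and preload


def audit_headers(headers):
    """Map each header of interest to a list of findings; an empty list means it is fine."""
    findings = {}
    findings["content-security-policy"] = (
        [] if headers.get("content-security-policy") else ["missing: no CSP, nothing blocks injected scripts"])

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings["strict-transport-security"] = ["missing: browsers will follow an http:// link to this site"]
    else:
        max_age, include_sub, preload = parse_hsts(hsts[0])
        issues = []
        if max_age is None:
            issues.append("max-age missing: the header is ignored")
        elif max_age < ONE_YEAR:
            issues.append(f"max-age={max_age}: below one year, policy expires quickly and cannot be preloaded")
        if not include_sub:
            issues.append("no includeSubDomains: an insecure subdomain can still set cookies for the parent domain")
        if not preload:
            issues.append("no preload token: not eligible for the browser preload list")
        findings["strict-transport-security"] = issues

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings["x-frame-options"] = ["missing: page can be framed (clickjacking) unless CSP frame-ancestors is set"]
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = [f"value {xfo[0]!r} is not DENY/SAMEORIGIN; browsers ignore it, so framing is allowed"]
    else:
        findings["x-frame-options"] = []

    xcto = headers.get("x-content-type-options")
    findings["x-content-type-options"] = (
        [] if xcto and xcto[0].lower() == "nosniff" else ["missing or not 'nosniff': MIME sniffing enabled"])

    xxp = headers.get("x-xss-protection")
    findings["x-xss-protection"] = (
        [] if not xxp or xxp[0].startswith("0") else ["legacy filter enabled: ignored by current browsers, prefer 0 plus a CSP"])
    return findings


def audit_response(raw):
    """Convenience wrapper: raw response head -> findings dict."""
    _, headers = parse_response_headers(raw)
    return audit_headers(headers)


if __name__ == "__main__":
    for header, issues in audit_response(RAW_RESPONSE).items():
        print(header, "->", "; ".join(issues) or "OK")
```

Run against a few responses from the same site (home page, a 404, a redirect) and compare the dictionaries; a header that appears on one and not the others points at a configuration block that was not inherited.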

My favorite WordPress plug-ins


WordPress has become a de facto standard when it comes to creating a web site. A web site, not only a blog. Part of this wide use is the ability to customize the WordPress platform down to your very specific needs. Numerous plug-ins are available to help in this task.

We all have our subjective or objective favorites. Here are mine:


Improving PHP performance

Use of a CMS is now widespread and we no longer need to dig into low-level coding to write web pages. That said, we still sometimes have to tweak performance for specific developments. With attention to minor details, the performance of PHP scripts can be optimized and help match Google's attention to speed. Numerous articles deal with improving the performance of PHP scripts; here is a collection of some easy-to-implement tweaks.

Centrance’s Mixerface in crowdsourcing mode

Crowdsourcing is everywhere. Now, it’s Centrance’s turn. The manufacturer of professional audio equipment launches a crowdsourcing project for its future Mixerface, a compact two channel USB audio interface.

Centrance Mixerface

The Centrance Mixerface is a 24-bit/192kHz professional recording USB interface for Mac, PC and iDevices. It features two discrete, studio-grade mic preamps with 48V Phantom, Pan/Mixer/Monitor and a rechargeable battery.


IBMLabs predicts holograms in the next five years

In the fifth edition of its five-year predictions, IBMLabs foresees:

  • widespread data collection through the dissemination of sensors, giving a real-time image of the environment,
  • 3-D holograms for our telephone and Internet communications,
  • battery life ten times longer, thanks to charging from the oxygen in ambient air,
  • recycling of the heat dissipated by data centers,
  • real-time information (traffic, accidents, parking, alternatives, etc.) for the optimization of commutes.

See you in 2015.

Source: the IBMLabs channel on YouTube.

Why I love Fring

While I have not tested Fring yet (I have no suitable WiFi phone, but that should not last), I already love Fring!!!

Having a one-stop solution to the nightmare of juggling my mobile phone, my low-rate landline-over-ADSL phone and my Skype phone is more than a dream.

In a few words, Fring is a piece of software that runs on your mobile phone and routes calls over the media available (standard mobile network, mobile data (3G), WiFi and so on) according to the dialed number, in order to minimise the cost of the communication. Fring also supports various IP-based services such as Skype, MSN Messenger, ICQ, Google Talk and SIP. Mobile phone operators certainly won't like that. Running on one single device means that my contacts' information does not need to be replicated on various devices, what a relief!

It seems to favour Symbian OS, as numerous Nokia phones appear to be supported by now. Windows Mobile devices are also an option, but it crashed on my HP IPAQ nx2495… No doubt an iPhone version of Fring will come with time.

No business model has been announced so far. Advertising-based operation or a buyout by a big player?