Tag: HTTP

How to improve your website security with HTTP header instructions?

The HTTP protocol provides various header instructions allowing simple improvement of your website security. As usual, make sure to run full tests on your web site as some options may result in some features stop working.

Available options

Content Security Policy

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

Content-Security-Policy: <policy-directive>; <policy-directive>

More information about CSP is to be found on the Mozilla Developpers website at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Strict Transport Security

If your website runs in HTTPS, adding STS ensures that all traffic is sent through HTTPS.

Strict-Transport-Security "max-age=631138519; includeSubDomains"

The Preload option allows for inclusion in a browser based preload list but requires all subdomains to be served with HTTS enabled. To submit your domain for inclusion on this list, you may follow this link.

X Frame Options

Disallow your page to be embedded within a <frame>, <iframe> or <object>.

X-Frame-Options DENY

X Content Type Options

Disable MIME type sniffing, which can e.g. make IE execute an innocent looking .img URL as a javascript.

X-Content-Type-Options nosniff

X XSS Protection

X-XSS-Protection is a HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the “XSS Filter” of IE8, which prevents some categories of XSS attacks.

X-XSS-Protection: 1; mode=block

Implementation

Implementation varies depending on your website’s server.

Apache

For an Apache web server implementation, the Set header instruction is to be used in the .htaccess

nginx

For an nginx web server implementation, the add_header instruction is to be used.

IIS

For an IIS web server implementation, the instructions are to be added in the <customHeaders> section.

PHP

For a web server agnostic implementation, the PHP header instruction can also be used.

HTML

For a web server agnostic implementation, the HTML http-equiv meta tag can also be used.

WordPress

For a wordpress implementation, the PHP header instruction can be used. I’ve recently written a WordPress security plug-in to handle this easily.

Reporting

Make sure to run the Page, Header & Cookie Security Analyser. securityheaders.io is a useful resource for evaluating your web site’s security.