The HTTP protocol provides various header instructions that allow simple improvements to your website's security. As usual, make sure to run full tests on your web site, as some options may cause some features to stop working.
Available options
Content Security Policy
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
Content-Security-Policy: <policy-directive>; <policy-directive>
More information about CSP is to be found on the Mozilla Developers website at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Strict Transport Security
If your website runs over HTTPS, adding HSTS ensures that all traffic is sent over HTTPS.
Strict-Transport-Security: max-age=631138519; includeSubDomains
The preload option allows for inclusion in a browser-based preload list, but requires all subdomains to be served over HTTPS. To submit your domain for inclusion on this list, you may follow this link.
X Frame Options
Disallow your page to be embedded within a <frame>, <iframe> or <object>.
X-Frame-Options: DENY
X Content Type Options
Disable MIME type sniffing, which can, for example, make Internet Explorer execute an innocent-looking .img URL as JavaScript.
X-Content-Type-Options: nosniff
X XSS Protection
X-XSS-Protection is an HTTP header understood by Internet Explorer 8 and newer versions. It lets domains toggle the IE8 "XSS Filter" on and off, which prevents some categories of XSS attacks.
X-XSS-Protection: 1; mode=block
Implementation
Implementation varies depending on your website’s server.
Apache
For an Apache web server implementation, the Header set instruction is to be used in the .htaccess file.
nginx
For an nginx web server implementation, the add_header instruction is to be used.
IIS
For an IIS web server implementation, the instructions are to be added in the <customHeaders> section.
PHP
For a web server agnostic implementation, the PHP header() function can also be used.
HTML
For a web server agnostic implementation, the HTML http-equiv meta tag can also be used.
WordPress
For a WordPress implementation, the PHP header() function can be used. I've recently written a WordPress security plug-in to handle this easily.
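As an added example that is not part of the original article or its plug-in, here is the same application-layer approach as the PHP header() method, written as a Python WSGI middleware so that the five headers from the options section are attached to every response. The CSP value (same-origin only) is an assumed policy; the demo application and the request helper are constructed stand-ins, and the middleware drops Strict-Transport-Security on plain-HTTP responses because browsers only honour HSTS over HTTPS.

```python
"""Added example (not from the original article): a WSGI middleware that
adds the security headers discussed above to every response, the Python
analogue of the PHP header() approach. Header values are the ones the
article recommends; the CSP policy and the demo app are assumptions."""

SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",  # assumed policy: same-origin only
    "Strict-Transport-Security": "max-age=631138519; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",  # legacy IE8+ filter; current browsers ignore it
}


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and append the headers unless the app already set them."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            extra = [(name, value) for name, value in self.headers.items()
                     if name.lower() not in present]
            # HSTS is only meaningful over HTTPS; browsers ignore it on plain HTTP
            if environ.get("wsgi.url_scheme") != "https":
                extra = [(n, v) for n, v in extra
                         if n.lower() != "strict-transport-security"]
            return start_response(status, response_headers + extra, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in application: returns a short HTML body."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app, scheme="https"):
    """Invoke a WSGI app once, offline, and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_request(SecurityHeadersMiddleware(demo_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Wrapping the application rather than editing each view means a missing header is a configuration bug in one place; the "unless already set" rule lets individual responses (for example a page that legitimately needs a different CSP) override the defaults.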
Reporting
Make sure to run the Page, Header & Cookie Security Analyser. securityheaders.io is a useful resource for evaluating your web site’s security.
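For the reporting step, the following is an added example (not code from the article or from securityheaders.io) of an offline checker that audits a captured response's header block against the recommendations above. The two sample responses are constructed, not captured from any real site, and the one-year HSTS minimum is an assumed threshold for this example.

```python
"""Added example (not from the original article): an offline checker that
audits a response's headers against the recommendations above, in the spirit
of securityheaders.io. The sample responses are constructed; the HSTS
minimum age is an assumed threshold."""
import re

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; assumed threshold for this example


def parse_raw_headers(raw):
    """Parse the header block of an HTTP response (status line included) into a
    dict with lower-cased names. Repeated headers are joined with ', '."""
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers):
    """Return a list of findings (strings); an empty list means all checks pass."""
    findings = []
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    # Legacy IE8+ header: current browsers ignore it, but the article lists it.
    if not headers.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection missing or disabled")
    return findings


# Constructed sample responses (not captured from any real site).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=631138519; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
X-XSS-Protection: 0
"""

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        findings = audit_headers(parse_raw_headers(raw))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The checks go a little beyond "is the header present": a short HSTS max-age or a missing includeSubDomains leaves subdomains and returning visitors unprotected, and an X-Frame-Options value other than DENY or SAMEORIGIN is not honoured by browsers, so presence alone is not a pass.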