Protect Your Website and Users with HTTP security headers

What are HTTP security headers?

HTTP security headers are a set of headers that can be added to the HTTP responses sent by a web server to a client (usually a web browser). These headers provide an additional layer of security for both the website and its visitors.

The most common and important HTTP security headers are:

  • Strict-Transport-Security (HSTS): enforces secure connections (HTTPS) for a website.
  • Content-Security-Policy (CSP): defines which sources of content are allowed to be executed within a web page.
  • Referrer-Policy: controls how much referrer information is sent with requests.
  • Feature-Policy: the original name of Permissions-Policy; allows you to control which browser features are allowed on your website.
  • X-Content-Type-Options: tells the browser to trust the declared Content-Type of a response instead of guessing (sniffing) its MIME type.
  • X-Frame-Options: specifies whether a page can be framed by another page.
  • Permissions-Policy: controls which browser features and APIs can be used on your website.

Read on to learn more about what each security header does.

HTTP Strict-Transport-Security (HSTS)

What is Strict-Transport-Security (HSTS)?

Strict-Transport-Security (HSTS) is a security feature implemented in web browsers that helps protect websites against protocol downgrade attacks and cookie hijacking. It’s an HTTP header that informs the browser to only connect to your website using HTTPS (SSL/TLS) for a specified period of time.

Why do I need HSTS on my website?

You need HSTS on your website for several reasons:

  1. Prevent HTTPS stripping: An attacker can intercept the initial HTTP request and redirect the user to a fake website, or strip the HTTPS and serve the website over HTTP. HSTS prevents this by instructing the browser to always use HTTPS.
  2. Protect against cookie hijacking: If an attacker can intercept cookies sent over HTTP, they can use them to impersonate the user. HSTS ensures that cookies are only sent over secure connections.
  3. Prevent mixed content vulnerabilities: When a website serves content over both HTTP and HTTPS, an attacker can inject malicious content into the HTTP stream. HSTS ensures that all content is served over HTTPS.
  4. Improve security for users: By enforcing HTTPS, you protect your users’ sensitive information, such as login credentials, credit card numbers, and personal data.

Content-Security-Policy

What is Content-Security-Policy (CSP)?

Content-Security-Policy (CSP) is a security feature implemented in web browsers that helps protect websites against cross-site scripting (XSS) attacks, clickjacking, and other types of malicious content injection. It’s an HTTP header that defines which sources of content are allowed to be executed within a web page.

Why do I need CSP on my website?

You need CSP on your website for several reasons:

  1. Prevent cross-site scripting (XSS) attacks: XSS attacks occur when an attacker injects malicious JavaScript code into your website. CSP helps prevent this by specifying which sources of JavaScript are allowed to run.
  2. Protect against clickjacking: Clickjacking occurs when an attacker embeds your website in an iframe and tricks users into clicking on malicious content. CSP can prevent this through its frame-ancestors directive, which specifies which sites are allowed to frame your pages.
  3. Prevent malicious content injection: CSP can prevent attackers from injecting malicious content, such as JavaScript, CSS, or images, into your website.
  4. Improve security for users: By enforcing a strict content security policy, you protect your users from various types of attacks that can compromise their sensitive information.

Referrer-Policy

What is Referrer-Policy?

Referrer-Policy is a security feature implemented in web browsers that helps control the amount of referrer information sent with each request. It’s an HTTP header that specifies how much referrer information should be included in the Referer header of a request (the header name is spelled with one “r” in the HTTP specification).

Why do I need Referrer-Policy on my website?

You need Referrer-Policy on your website for several reasons:

  1. Protect user privacy: The Referer header can contain sensitive information about the user’s browsing history, such as the full URL of the previous page. Referrer-Policy helps control how much of this information is shared.
  2. Prevent information leakage: By controlling the amount of referrer information sent, you can prevent sensitive information, such as tokens or identifiers carried in URLs, from being leaked to third-party websites or attackers.
  3. Improve security: By limiting the referrer information sent, you reduce how much of your site’s URL structure is exposed to other sites, which gives an attacker less to work with.
  4. Enhance user experience: By specifying a Referrer-Policy, you can provide a better user experience by controlling how much information is shared about the user’s browsing history.

X-Content-Type-Options

What is X-Content-Type-Options?

X-Content-Type-Options is a security feature implemented in web browsers that helps prevent MIME-sniffing attacks. It’s an HTTP header that instructs the browser to respect the Content-Type header of a response and not attempt to sniff (guess) its MIME type from the content.

Why do I need X-Content-Type-Options on my website?

You need X-Content-Type-Options on your website for several reasons:

  1. Prevent MIME-sniffing attacks: MIME-sniffing occurs when a browser attempts to determine the MIME type of a response by analyzing its contents. X-Content-Type-Options (its only defined value is nosniff) prevents this by telling the browser to use the declared Content-Type instead.
  2. Protect against malicious content injection: MIME-sniffing can cause a file uploaded as, say, an image or plain text to be interpreted as JavaScript or HTML on your website. X-Content-Type-Options prevents this by ensuring the browser respects the Content-Type header.
  3. Prevent cross-site scripting (XSS) attacks: MIME-sniffing can also lead to XSS attacks, where an attacker gets malicious JavaScript code executed on your website. X-Content-Type-Options can help prevent this by ensuring the browser respects the Content-Type header.
  4. Improve security for users: By making the browser honour the declared Content-Type, you protect your users from various types of attacks that can compromise their sensitive information.

X-Frame-Options

What is X-Frame-Options?

X-Frame-Options is a security feature implemented in web browsers that helps prevent clickjacking attacks by controlling whether a webpage can be framed by another webpage. It’s an HTTP header that specifies whether a webpage can be displayed within a frame or iframe.

Why do I need X-Frame-Options on my website?

You need X-Frame-Options on your website for several reasons:

  1. Prevent clickjacking attacks: Clickjacking occurs when an attacker embeds your website in an iframe and tricks users into clicking on malicious content. X-Frame-Options helps prevent this by specifying whether your website can be framed.
  2. Protect against phishing attacks: Phishing attacks often involve embedding a legitimate website in an iframe to make the phishing site appear more authentic. X-Frame-Options can prevent this by blocking the framing of your website.
  3. Prevent malicious content injection: X-Frame-Options can prevent attackers from injecting malicious content, such as JavaScript or HTML, into your website by blocking the framing of your website.
  4. Improve security for users: By controlling whether your website can be framed, you can protect your users from various types of attacks that can compromise their sensitive information.

Permissions-Policy

What is Permissions-Policy?

Permissions-Policy is a security feature implemented in web browsers that allows you to control which browser features and APIs can be used on your website. It’s an HTTP header that defines a set of policies that restrict or allow specific browser features, such as geolocation, camera access, or microphone access.

Why do I need Permissions-Policy on my website?

You need Permissions-Policy on your website for several reasons:

  1. Prevent unauthorized access to sensitive features: By default, browsers allow websites to access various features, such as geolocation or camera access. Permissions-Policy helps you restrict access to these features and prevent unauthorized use.
  2. Protect user privacy: By controlling which features are allowed on your website, you can protect user privacy and prevent sensitive information from being accessed without consent.
  3. Improve security: By restricting access to sensitive features, you can reduce the attack surface of your website and prevent malicious scripts from exploiting vulnerabilities.
  4. Enhance user experience: By specifying which features are allowed or restricted, you can provide a better user experience and ensure that users are aware of the features being used on your website.

How can I implement HTTP security headers on my website?

HTTP security headers can be implemented on your website in several ways:

  • Set the headers in your web server’s configuration files (nginx.conf on NGINX or .htaccess on Apache).
  • Use a plugin (for WordPress) or a code snippet to add the headers.
  • Use a CDN such as Cloudflare to set the security headers.

How can I test the HTTP security headers on my website?

To check which security headers are set on your website, the easiest way is to go to SecurityHeaders.com and run a test. If all the necessary headers are configured on your website, you will get a score of ‘A’ and a report summary that looks like the one below:

[Image: SecurityHeaders.com report summary showing an ‘A’ score]
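As an added example (not code from the original article or from SecurityHeaders.com), the following Python script performs a local audit of the headers listed above, so you can check a captured response offline before or after setting the headers in your server configuration. The SAMPLE response is constructed for illustration, and the one-year HSTS minimum and the CSP inline-script check reflect common recommendations rather than anything stated on this page.

```python
ONE_YEAR = 31536000  # common minimum recommended HSTS max-age (added example, not page code)

def check_hsts(value):
    directives = [d.strip().lower() for d in value.split(";")]
    age = next((d for d in directives if d.startswith("max-age=")), None)
    if age is None or not age[8:].isdigit():
        return "max-age missing or not an integer"
    if int(age[8:]) < ONE_YEAR:
        return f"max-age {age[8:]} is below one year"
    return None

def check_csp(value):
    # script-src governs script execution; default-src is its fallback.
    directives = {d.split()[0]: d.split()[1:] for d in value.split(";") if d.strip()}
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources:
        return "no script-src or default-src directive"
    if "'unsafe-inline'" in sources or "*" in sources:
        return "script-src allows inline or wildcard sources"
    return None

CHECKS = {  # header name -> function returning None (ok) or a finding
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-content-type-options": lambda v: None if v.strip().lower() == "nosniff" else f"unexpected value {v!r}",
    "x-frame-options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN") else f"unexpected value {v!r}",
    "referrer-policy": lambda v: None,  # any explicit policy beats the browser default
    "permissions-policy": lambda v: None,
}

def audit(headers):
    """Return {header: finding}; an empty dict means every listed header is present and sane."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = {name: "missing" for name in CHECKS if name not in lower}
    for name, check in CHECKS.items():
        problem = name in lower and check(lower[name])
        if problem:
            findings[name] = problem
    if "feature-policy" in lower and "permissions-policy" not in lower:
        findings["feature-policy"] = "superseded by Permissions-Policy"
    return findings

SAMPLE = {  # constructed response: HSTS too short, CSP allows inline scripts, X-Frame-Options absent
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}
```

Calling audit(SAMPLE) reports the short HSTS max-age, the inline-script allowance in the CSP, and the missing X-Frame-Options; feed it the headers from your own server (for example, the output of curl -I) to audit a live site.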

If you need help adding HTTP security headers to your website

HTTP security headers can be tricky to set up, especially the Content Security Policy (CSP). If you need help with this, get in touch now and we will find a solution that works for you.
