Security Headers
What are headers?
HTTP headers are key and value pairs that are sent in the request and response messages within HTTP Headers. These have many uses such as telling the browser the type of content that's in the body of the message, headers can also increase the security and privacy for your website visitors.
Security Headers
-
Strict-Transport-Security: This enforces the User-Agent to use HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Mozilla Docs -
X-Frame-Options: Tells the browser if you want to allow your site to be framed or not. This can help protect against attacks such as clickjacking.
X-Frame-Options: SAMEORIGIN
Mozilla Docs -
X-Content-Type-Options: Stops the browser from trying to MIME-sniff the content type and stick with the declared Content-Type header.
X-Content-Type-Options: nosniff
Mozilla Docs -
Referrer-Policy: Allows the site to control how much info the browser includes when navigating to a new site.
Referrer-Policy: no-referrer
Mozilla Docs -
Permissions-Policy: Allows the site to control which features and API's can be used within the browser.
Mozilla Docs -
X-XSS-Protection: Used to configure the XSS Auditor in older browsers. Content-Security-Policy had now replaced this.
X-XSS-Protection: 1; mode=block
Mozilla Docs -
Content-Security-Policy: This is an effective measure against XSS attacks. It works by listing approved domains for content to be loaded from, and will preventing against malicious content be loaded.
Content-Security-Policy: default-src https:
Mozilla Docs -
expect-ct: Allows the site to determine it's ready for the upcoming Chrome requirements of Certificate Transparency.
expect-ct: max-age=86400, enforce
Mozilla Docs
More information can be found at https://securityheaders.com along with a Header Scanner.
Cover Image Credit: https://unsplash.com/@fantasyflip
