HTTP security headers
Last updated
Was this helpful?
Last updated
Was this helpful?
HTTP security headers are used to inform a client (browser) how to behave when handling a website's content. These headers are important in preventing exploitation of vulnerabilities such as XSS, Man-in-the-Middle, , etc.
Lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. Prevents Man-in-the-Middle attacks.
The max-age directive defines the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
The optional includeSubDomains directive defines if the rule applies to all of the site's subdomains as well
The optional preload directive ensures that a website will be accessed using HTTPS even during the first visit of the website. Indeed, websites require a user-agent to first visit them to understand that it must use STS. To correct this behavior, browsers have a list of websites that has to be accessed using HTTPS from the initial request.
For more information: .
Header now (use the with the frame-ancestors directive set to none instead). This header indicated whether or not a browser should be allowed to render a page in a , , or . Prevents .
DENY: the page cannot be displayed in a frame
SAMEORIGIN: can only be displayed in a frame on the same origin as the page itself (which depends on how browsers vendors interpret this)
ALLOW-FROM uri: obsolete directive. No longer works in modern browsers.
The unsafe-eval� directive allows unsafe evaluation code such as eval() for JavaScript.�
The unsafe-inline� directive allows execution of third-party JavaScript inline.
X-XSS-Protection should not be used, or set to 0.�
Presence and configuration of the security headers mentioned above should be checked. This can be done by inspecting HTTP responses with a proxy, with a browser, with specific tooling or by manually doing the request and analyzing the response.
Alternatively, headers can be inspected manually.
XCTO is used by the server to indicate that the advertised in the headers should be followed and not be changed. It prevents attacks.
The nosniff directive makes the browser block a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a .��
Allows a server to indicate any (domain, scheme, or port) other than its own from which a browser should permit loading resources from.
Restrict how the browser accesses resources. Prevents XSS, XS-Leaks,
The default-src directive acts as a for the other CSP fetch directives. If not present, CSP will permit loading resources of any origins
The frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. If its value is set to none, it obsoletes the header.
Header now , only old browsers may use it. More harm can be done using X-XSS-Protection. Other methods can be used to prevent XSS attacks (CSP, escaping, sanitization...).
The (Python) script and can also be used for that purpose.
In addition to that, scanner such as (Python) and (online) can quickly help inspect the state of CORS and CSP and identity potential dangerous configurations.