{"id":6174,"date":"2018-04-02T20:57:44","date_gmt":"2018-04-03T00:57:44","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=6174"},"modified":"2021-06-10T16:26:04","modified_gmt":"2021-06-10T20:26:04","slug":"http-security-headers","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/http-security-headers\/","title":{"rendered":"HTTP Security Headers: 5 Headers You Must Implement on Your Site"},"content":{"rendered":"<h2>Everything you need to know about HTTP security headers<\/h2>\n<p>\u201cSecuring a website is like riding a bicycle. To keep your balance, you must keep moving.\u201d This is what Albert Einstein\u2019s famous bicycle quote would look like had he been a cybersecurity professional. Fortunately (or not), he wasn\u2019t. Keeping the bicycle analogy going though, you can&#8217;t stop pedaling. The moment you do, the bicycle starts slowing down and you eventually just topple over. You don\u2019t want that, do you?<\/p>\n<p>But when it comes to riding a bicycle, not all pedal strokes are the same. Some are smooth; some are hard, some make you go shorter distances while some take you longer. Today, let&#8217;s talk about the ones that will keep your website security bicycle moving for at a brisk pace. Let\u2019s talk about HTTP security headers.<\/p>\n<p>HTTP security headers are a fundamental part of website security. Upon implementation, they protect you against the types of attacks that your site is most likely to come across. These headers protect against XSS, code injection, clickjacking, etc.<\/p>\n<p>Let\u2019s hash out HTTP security headers.<span id=\"newline\"><\/span><\/p>\n<span style=\"--tl-form-height-m:423.125px;--tl-form-height-t:415.573px;--tl-form-height-d:415.573px;\" class=\"tl-placeholder-f-type-shortcode_14542 tl-preload-form\"><span><\/span><\/span>\n<h1>What are HTTP Security Headers?<\/h1>\n<p>When a user visits a site through his\/her browser, the server responds with HTTP Response Headers. These headers tell the browser how to behave during communication with the site. These headers mainly comprise of metadata.<\/p>\n<p>You can use these headers to outline communication and improve web security. Let&#8217;s have a look at five security headers that will give your site some much-needed protection.<\/p>\n<h2>1.\u00a0\u00a0\u00a0\u00a0 HTTP Strict Transport Security (HSTS)<\/h2>\n<p>Let\u2019s say you have a website named example.com and you installed an SSL\/TLS certificate and migrated from HTTP to HTTPS. This is good, right? That was rhetorical. It definitely is. But this isn&#8217;t where the work stops. What if your website is still available over HTTP? It would be utterly pointless, right? Many website admins migrate to HTTPS and then forget about it without realizing this. This is where <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-hypertext-strict-transport-security-hsts\/\">HSTS<\/a> enters the picture.<\/p>\n<p>If a site is equipped with HTTPS, the server forces the browser to communicate over secure HTTPS. This way, the possibility of an HTTP connection is eliminated entirely.<\/p>\n<p>Great, isn\u2019t it?<\/p>\n<p>Syntax:<\/p>\n<pre>Strict-Transport-Security: max-age=&lt;expire-time&gt;\n\nStrict-Transport-Security: max-age=&lt;expire-time&gt;; includeSubDomains\n\nStrict-Transport-Security: max-age=&lt;expire-time&gt;; preload<\/pre>\n<h2>2.\u00a0\u00a0\u00a0\u00a0 Content Security Policy (CSP)<\/h2>\n<p>The <a href=\"https:\/\/www.thesslstore.com\/blog\/doh-firefox-engages-more-secure-dns-over-https-protocol-heres-what-that-means-for-you\/\">HTTP Content Security<\/a> Policy response header gives website admins a sense of control by giving them the authority to restrict the resources a user is allowed to load within site. In other words, you can whitelist your site\u2019s content sources.<\/p>\n<p>Content Security Policy protects against Cross Site Scripting and other code injection attacks. Although it doesn&#8217;t eliminate their possibility entirely, it can sure minimize the damage. Compatibility isn&#8217;t a problem as most of the major browsers support CSP.<\/p>\n<p>Syntax:<\/p>\n<pre>Content-Security-Policy: &lt;policy-directive&gt;; &lt;policy-directive&gt;<\/pre>\n<h2>3.\u00a0\u00a0\u00a0\u00a0 Cross Site Scripting Protection (X-XSS)<\/h2>\n<p>As the name suggests, X-XSS header protects against Cross-Site Scripting attacks. XSS Filter is enabled in Chrome, IE, and Safari by default. This filter doesn&#8217;t let the page load when it detects a cross-site scripting attack.<\/p>\n<p>Syntax:<\/p>\n<pre>X-XSS-Protection: 0\n\nX-XSS-Protection: 1\n\nX-XSS-Protection: 1; mode=block\n\nX-XSS-Protection: 1; report=&lt;reporting-uri&gt;<\/pre>\n<h2>4.\u00a0\u00a0\u00a0\u00a0 X-Frame-Options<\/h2>\n<p>In the Orkut era, a spoofing technique called \u2018Clickjacking\u2019 was pretty popular. It still is. In this technique, an attacker fools a user into clicking something that isn\u2019t there. For example, a user might think that he\u2019s on the official Orkut website, but something else is running in the background. A user may reveal his\/her confidential information in the process.<\/p>\n<p>X-Frame-Options help guard against these kinds of attacks. This is done by disabling the iframes present on the site. In other words, it doesn\u2019t let others embed your content.<\/p>\n<p>Syntax:<\/p>\n<pre>X-Frame-Options: DENY\n\nX-Frame-Options: SAMEORIGIN\n\nX-Frame-Options: ALLOW-FROM https:\/\/example.com\/<\/pre>\n<h2>5.\u00a0\u00a0\u00a0\u00a0 X-Content-Type-Options<\/h2>\n<p>The X-Content-Type header offers a countermeasure against MIME sniffing. It instructs the browser to follow the MIME types indicated in the header. Used as a feature to discover an asset&#8217;s file format, MIME sniffing can also be used to execute cross-site scripting attacks.<\/p>\n<pre>Syntax:\n\nX-Content-Type-Options: nosniff<\/pre>\n<p>\u00a0<\/p>\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n","protected":false},"excerpt":{"rendered":"<p>Everything you need to know about HTTP security headers \u201cSecuring a website is like riding a bicycle. To keep your balance, you must keep moving.\u201d This is what Albert Einstein\u2019s&#8230;<\/p>\n","protected":false},"author":10,"featured_media":6175,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[6784],"class_list":["post-6174","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-http-security-headers","post-with-tags"],"views":119848,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/04\/bigstock-Programming-Code-Abstract-Scre-184343398.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=6174"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6174\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/6175"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=6174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=6174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=6174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}