Implement HTTP Security Headers

HTTP security headers are HTTP response headers that tell a web browser which security protections to switch on or off for the site it is loading.

HTTP security headers are a fundamental part of website security, protecting your website against attacks such as clickjacking, code injection, MIME-type sniffing and cross-site scripting (XSS).

By simply adding the following headers you can improve your website's security dramatically:

Content Security Policy header (CSP)
The HTTP Content-Security-Policy response header restricts the resources allowed to load within a website, effectively whitelisting the content sources your pages may use.

Cross Site Scripting Protection header (X-XSS-Protection)
The X-XSS-Protection header protects against cross-site scripting attacks by preventing a page from loading when the browser detects a cross-site scripting attack.

HTTP Strict Transport Security header (HSTS)
Many website owners have installed an SSL/TLS certificate and migrated from HTTP to HTTPS which is great but there's an additional step that is often overlooked.

Many websites that are migrated to HTTPS are still available over HTTP, which defeats the purpose of the migration.
</gml_replace>
<gr_replace lines="22" cat="clarify" orig="This is where">
This is where HSTS enters the equation. If a site is equipped with HTTPS, the server instructs the browser to communicate over secure HTTPS only, eliminating the possibility of a plain HTTP connection.

This is where HSTS enters the equation, if a site is equipped with HTTPS, the server forces the browser to communicate over secure HTTPS entirely eliminating the possibility of an HTTP connection.

X-Content-Type-Options header
The X-Content-Type-Options header offers a countermeasure against MIME sniffing by instructing the browser to follow the MIME type declared in the Content-Type header rather than guessing it from the content.

X-Frame-Options header
The X-Frame-Options header protects against clickjacking, an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element. This can cause users to unknowingly download malware, visit malicious web pages, reveal credentials and sensitive information, transfer money, purchase products, etc.

Typically an invisible page or HTML element is loaded inside an iframe on top of the page the user is viewing. The user believes they are clicking the visible page, but in fact they are clicking an invisible element in the additional page layered on top of it.

The X-Frame-Options response header is sent as part of the HTTP response for a web page and indicates whether or not a browser should be allowed to render the page inside an iframe, enabling you to prevent others from embedding your content.

From the results below you will see that this site still achieves an A rating without a Content Security Policy, which we are in the process of implementing. We achieve A+ ratings for many of our clients.

Visit the Security Headers Website and test your site for free.
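The following is an added example, not code from the original post. It audits a set of response headers against the five headers described above, in the same spirit as the Security Headers test, and renders the recommended values as Apache mod_headers directives. The policy values (a strict Content-Security-Policy, a one-year HSTS max-age, DENY for framing) are common hardening defaults and are assumptions; a real CSP must be tuned to the scripts, styles and images your pages actually load. The sample response headers at the bottom are constructed for the demonstration.

```python
"""Audit HTTP response headers against the security headers discussed above
and render the recommended values as Apache directives.

Added example, not part of the original post. Policy values are assumptions
(common hardening defaults); tune the CSP to the resources your site loads."""

import re
from typing import Callable, Dict, Tuple

# Minimum max-age (one year) that the HSTS preload list accepts.
ONE_YEAR = 31536000

# Recommended values (assumed defaults, not from the original post).
RECOMMENDED: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    # Legacy browser filter; current Chrome, Edge and Firefox ignore it and CSP is the replacement.
    "X-XSS-Protection": "1; mode=block",
}

Finding = Tuple[str, str]  # (status: "ok" | "weak" | "missing", detail)


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lower-case keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_csp(value: str) -> Finding:
    if "'unsafe-inline'" in value or "'unsafe-eval'" in value:
        return "weak", "policy allows inline or eval'd script, which defeats most XSS protection"
    return "ok", "policy present"


def check_hsts(value: str) -> Finding:
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return "weak", "max-age directive missing"
    if int(m.group(1)) < ONE_YEAR:
        return "weak", f"max-age {m.group(1)} is below one year ({ONE_YEAR})"
    if "includesubdomains" not in value.lower():
        return "weak", "includeSubDomains missing, so plain-HTTP subdomains stay reachable"
    return "ok", "one year or more and covers subdomains"


def check_nosniff(value: str) -> Finding:
    if value.lower() == "nosniff":
        return "ok", "MIME sniffing disabled"
    return "weak", f"unexpected value {value!r}; only 'nosniff' is defined"


def check_frame_options(value: str) -> Finding:
    v = value.upper()
    if v in ("DENY", "SAMEORIGIN"):
        return "ok", f"framing restricted to {v}"
    return "weak", f"{value!r} is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)"


def check_xss_protection(value: str) -> Finding:
    v = value.replace(" ", "").lower()
    if v == "1;mode=block":
        return "ok", "legacy filter in block mode"
    if v == "0":
        return "ok", "filter disabled; acceptable when a CSP is in place"
    return "weak", "use '1; mode=block' (or '0' alongside a CSP)"


CHECKS: Dict[str, Callable[[str], Finding]] = {
    "content-security-policy": check_csp,
    "strict-transport-security": check_hsts,
    "x-content-type-options": check_nosniff,
    "x-frame-options": check_frame_options,
    "x-xss-protection": check_xss_protection,
}


def audit(headers: Dict[str, str]) -> Dict[str, Finding]:
    """Return a finding for each security header, whether sent or not."""
    present = _lower_keys(headers)
    return {
        name: check(present[name]) if name in present else ("missing", "header not sent")
        for name, check in CHECKS.items()
    }


def missing_headers(headers: Dict[str, str]) -> list:
    return sorted(n for n, (status, _) in audit(headers).items() if status == "missing")


def apache_directives(policy: Dict[str, str] = RECOMMENDED) -> str:
    """Render the policy as mod_headers directives for .htaccess or a vhost."""
    return "\n".join(f'Header always set {name} "{value}"' for name, value in policy.items())


# Constructed sample: a site that migrated to HTTPS but only half-hardened its headers.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{status:8} {name}: {detail}")
    print("\nRecommended Apache configuration:\n" + apache_directives())
```

Run it and the sample response is reported as missing a Content-Security-Policy and X-XSS-Protection, with an HSTS header that is too short-lived and does not cover subdomains; the other two headers pass. The `Header always set` form requires mod_headers to be enabled and the `always` condition ensures the headers are also added to error responses.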

You can also add your website to Chrome's HSTS preload list which is a list of sites that are hardcoded into Chrome as being HTTPS only. Most major browsers also have HSTS preload lists based on the Chrome list. Visit the HSTS preload submission site for details.

If you require assistance implementing security headers on your website, submit a ticket on our helpdesk and we will get back to you.
