In this post I will give a short answer to the question “which HTTP headers should we use to increase our page's security?”. But first, a brief clarification for those who do not know what HTTP headers are.
In the Hypertext Transfer Protocol (HTTP), headers are instructions sent by the server and by the client's browser so that the two can exchange specific, standardized information about how the application is loaded and rendered. On the security side of a web application, there are a few HTTP headers that you should check and add if they are not present in the server's response; keep in mind, however, that adding these headers will not protect your site 100%.
The Content-Security-Policy (CSP) response header sends instructions to the client's browser that help prevent Cross-Site Scripting (XSS) attacks and, partially, data injection attacks. The preferred header should look like this:
Content-Security-Policy "default-src 'self';"
Strict-Transport-Security Header (HSTS)
The Strict-Transport-Security HTTP header is an instruction used to prevent man-in-the-middle attacks in which the attacker downgrades the client's HTTPS connection to an HTTP connection and then takes advantage of insecure redirects. The HTTP Strict Transport Security header should look like this:
The X-Frame-Options response HTTP security header prevents clickjacking attacks. In other words, it will not allow your page to be rendered within an iframe of another page. X-Frame-Options should look like this:
The Referrer-Policy header gives you control over what information is sent when clients of your site are redirected to another website. Normally, when the client is sent to another site, it lands there with referrer information such as the full URL of the page it came from. In some cases this URL could include sensitive information, so it is important to set the Referrer-Policy to the following:
Please keep in mind that setting up the headers is not always straightforward and can differ between web servers and between applications. If you are not sure which one to use, you can contact me via the About section of this page.
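As an added example (not code from the original post), the following Python checker takes a server's response headers as a dict and reports which of the four headers discussed above are missing or weak. The two sample responses are constructed, not captured from any real site, and the "hardened" values for Strict-Transport-Security, X-Frame-Options and Referrer-Policy, as well as the one-year minimum HSTS lifetime, are assumptions of this example rather than values stated in the post.

```python
"""Report missing or weak security headers in an HTTP response.

Added example, not from the original post. Input is a dict of response
header names to values; nothing is fetched over the network.
"""
from typing import Dict, List, Optional

# Assumed minimum HSTS lifetime for this checker: one year in seconds.
MIN_HSTS_MAX_AGE = 31536000


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return None
    return None


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four headers look acceptable."""
    findings: List[str] = []

    # CSP: present, and with a default-src fallback so unlisted resource types are covered.
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp.lower():
        findings.append("Content-Security-Policy has no default-src fallback")

    # HSTS: present, with a parseable max-age of at least the assumed minimum.
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(
                f"Strict-Transport-Security max-age {max_age} is below {MIN_HSTS_MAX_AGE}"
            )

    # X-Frame-Options: only DENY or SAMEORIGIN actually prevent framing by other sites.
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    # Referrer-Policy: these two policies still send the full URL to other sites.
    referrer = _get(headers, "Referrer-Policy")
    if referrer is None:
        findings.append("Referrer-Policy missing")
    elif referrer.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy {referrer!r} still sends the full URL cross-origin")

    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self';",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {check_security_headers(response) or 'OK'}")
```

Running the script prints four findings for the weak response (no CSP, a short HSTS lifetime, a non-restrictive X-Frame-Options value and a leaky Referrer-Policy) and "OK" for the hardened one. Because the checker only looks at header names and values, you can feed it the headers from any response you have already captured, for example from a browser's network tab, without the script making any requests itself.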