It happened again. New PCI scan results came in and now you have to add some other HTTP header to your server responses. If you’re like me, it’s difficult to remember what each header does and how to use it. So here’s a brief summary of some common security-related HTTP headers.
X-Frame-Options
This header tells the browser whether this page is allowed to be embedded in a frame within another page. SAMEORIGIN means this page may be embedded within a page on the same site.
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Details on X-Frame-Options can be found on MDN.
X-Frame-Options has been obsoleted by the Content-Security-Policy (CSP) header's frame-ancestors directive. The CSP equivalents of the above headers are:
Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self'
You have more granular control using CSP. You can take a deep dive into Content-Security-Policy here.
X-XSS-Protection
This header tells the browser how to behave if it detects a possible XSS attack: should it do nothing, filter the code, or block the entire page? Support has pretty much been removed from all browsers.
X-XSS-Protection: 0             # Filtering disabled
X-XSS-Protection: 1             # Browser sanitizes the page
X-XSS-Protection: 1; mode=block # Browser won't render the page
More details can be found on MDN.
X-Content-Type-Options
This header tells the browser to use only the content type provided by the server and not try to guess (sniff) the content type, which could cause it to be handled incorrectly.
X-Content-Type-Options: nosniff
More details on X-Content-Type-Options can be found here.
Strict-Transport-Security header
Also known as HSTS (HTTP Strict-Transport-Security). This tells clients to always use the HTTPS version of the site. The expire-time represents the time in seconds that the browser should remember to access the site via HTTPS only.
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Find more details on HSTS on MDN.
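As an added example (not part of the original article), here is a small Python audit that checks a set of response headers against the points above: framing protection (CSP frame-ancestors or X-Frame-Options), nosniff, the obsolete X-XSS-Protection, and HSTS max-age plus includeSubDomains. The sample headers are constructed, and the one-year minimum max-age is an assumed threshold, not a value from the article.

```python
# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
}

def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None

def hsts_max_age(value):
    """Parse max-age (seconds) from an HSTS value; None if missing/malformed."""
    for token in value.split(";"):
        name, _, num = token.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None

def audit_headers(headers, min_hsts_age=31536000):
    """List findings for the headers covered above; names are case-insensitive.
    min_hsts_age (one year) is an assumed threshold, not from the article."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if csp_frame_ancestors(h.get("content-security-policy", "")) is None:
        if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
            findings.append("clickjacking: no frame-ancestors and no DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options: nosniff missing")
    if "x-xss-protection" in h:
        findings.append("legacy: X-XSS-Protection set but no longer honoured")
    hsts = h.get("strict-transport-security", "")
    age = hsts_max_age(hsts)
    if age is None:
        findings.append("hsts: Strict-Transport-Security missing or max-age malformed")
    elif age < min_hsts_age:
        findings.append(f"hsts: max-age={age} is shorter than {min_hsts_age}")
    elif "includesubdomains" not in hsts.lower():
        findings.append("hsts: includeSubDomains not set")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```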
I hope you find this short article helpful. Have a suggestion to make this article better? Let me know in a comment below.