The Five Main Security Headers
The HyperText Transfer Protocol, or HTTP, uses header fields to define requests and responses sent across networks They are a necessary component of most communications that occur on the World Wide Web and through private/company intranet systems, which is why we’ve seen the lead-in a million times before websites on the Internet. Attackers know this as well, so the constant their battle with security professionals over over net security has a lot to do with exploiting and fixing vulnerabilities in HTTP.
Securing HTTP’s header fields is a constant challenge, met over the last few years with new protocols and policies that site designers and network administrators can use to protect their assets. These are called security headers, which interact with browsers and clients with instructions about how to handle incoming and outgoing data.
The following are the top five main security headers you should know about, and why:
- A Content Security Policy, or CSP, is as it sounds, is a header that act as digital bouncer for your website that only allows content of a certain origin. The basic structure can be seen as ‘if the asset is not from this source, don’t allow it’, but there is room for more complex directives as web applications advance. Using CSP to restrict the ‘src’ asset calls for external content like images and scripts, a developer can create server-side whitelists for dynamic web application resources.
- Cross Site Scripting (X-XSS) Protection is a header that wards against a specific yet popular type of malicious attack. This header to stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. X-XSS attacks evolve alongside web application defenses, so they’ve long been one of the most prevalent adversaries of web security. Today’s headers are built into the browsers, but designers can add extra ‘auditors’ to catch more false flags.
- HTTP Strict Transport Security (HSTS) is a header that enforces the use of HTTPs — the secure version of HTTP — so that encryption is always used when the browser settles on your site’s landing page. This prevents downgrade attacks and session hijacks that exploit non-encrypted HTTP connections that use Transport Layer Security (TLS), and the deprecated Secure Socket Layer (SSL).
- The X-Frame Option Header is a simple HTTP response header that controls which content, if any, is rendered in frames. Frames are often used for Clickjacking attacks like the misleading ‘download’ buttons found in many unsecured sites. Controlling their origin can eliminate the security risks inherent in embedded code like that which is used to render videos and action buttons.
- HTTP Public Key Pinning (HPKP) can be considered the main header in charge of managing certificates. After a first-use trust is established — either through a stored database or by user prompt — the header will store public keys on the client-side entity for a specified amount of time. This prevents fraudulent certificates from slipping the net.
There are many more security headers in use today as X-Content-Type-Options, X-Permitted-Cross-Domain-Policies, Referrer-Policy, Expect-CT, but these are what we consider the foundational headers that should be included in every web application to ensure secure data transmission. Security designers are encouraged to stay on top of vulnerabilities as they are reported and their solutions, as both are ever-changing.
More information about Security Headers: