Check if you’re using the right security headers in your Website

Security headers are HTTP response headers that direct the browser's behaviour in ways that enhance a website's security, preventing attackers from manipulating how the browser handles the site. Security headers let you be explicit about your intentions for content served from your website.

Different kinds of Security Headers and their uses:

  • Strict-Transport-Security
It is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
Recommended value "max-age=2592000; includeSubDomains;"
  • X-Frame-Options
It tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. 
Recommended value "X-Frame-Options: SAMEORIGIN".
  • X-XSS-Protection
It sets the configuration for the cross-site scripting filter built into most browsers. 
Recommended value “X-XSS-Protection: 1; mode=block”.
  • X-Content-Type-Options
It stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”.
  • X-Download-Options
It instructs the browser not to open a download directly in the browser, but instead to provide only the ‘Save’ option.
Recommended value “X-Download-Options: noopen”
  • X-Permitted-Cross-Domain-Policies
It restricts Adobe Flash player’s access to data.
Recommended value “X-Permitted-Cross-Domain-Policies: master-only”
  • Content-Security-Policy
It is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Recommended value: "Content-Security-Policy: default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';"
  • Public-Key-Pins
It protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
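The checks the list above describes, as an added Python example (not the author's tool): `check_headers` takes a dict of response headers, as `requests` or `urllib` would return them, and reports each header as missing, ok, or warn. Beyond simple presence it also warns when HSTS max-age is below the 2592000 recommended above and when script-src includes 'unsafe-inline', which the CSP quoted above does, because that still lets injected inline scripts run.

```python
import re

# Headers discussed above, with the values the post recommends.
RECOMMENDED = {
    "strict-transport-security": "max-age=2592000; includeSubDomains",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "master-only",
    "content-security-policy": "default-src 'self'",
    "public-key-pins": None,  # no value recommended above; presence only
}

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_headers(headers):
    """Return {header: (status, detail)}; status is 'missing', 'warn' or 'ok'."""
    present = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    for name, recommended in RECOMMENDED.items():
        value = present.get(name)
        if value is None:
            report[name] = ("missing", recommended or "no value recommended")
            continue
        status, detail = "ok", value
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            if not m or int(m.group(1)) < 2592000:  # the max-age recommended above
                status, detail = "warn", "max-age below 2592000"
            elif "includesubdomains" not in value.lower():
                status, detail = "warn", "includeSubDomains not set"
        elif name == "content-security-policy":
            policy = parse_csp(value)
            # Browsers fall back to default-src when script-src is absent.
            scripts = policy.get("script-src", policy.get("default-src", []))
            if "default-src" not in policy:
                status, detail = "warn", "no default-src fallback"
            elif "'unsafe-inline'" in scripts:
                status, detail = "warn", "script-src allows 'unsafe-inline'"
        elif name == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            status, detail = "warn", "expected DENY or SAMEORIGIN"
        report[name] = (status, detail)
    return report
```

To scan a live site, feed it `requests.get(url).headers` or `dict(urllib.request.urlopen(url).headers)`; the sample inputs in the test are constructed, not captured.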

Now, to check the security headers of your website: I wrote a Python tool which lists all the security headers of a website.

Security Header Scanner

I’d like to thank Scott Helme for creating an online security header scanner.

Written by Aj Dumanhug, PSM in Cybersecurity Student
