Modern browsers honour a set of HTTP response headers that can harden a web application against common attacks such as clickjacking and cross-site scripting. This article walks through some of the headers you can use to tighten the security belt of your website.
Understanding HTTP Security Headers
Whenever a user requests a page, the server responds with the content together with HTTP response headers: the status code, content type, encoding, cache control and so on. Among them are security headers, which instruct the browser how to behave when handling your website’s content. They help protect the privacy of your website and its users, and they mitigate a number of potential vulnerabilities.
Let us now discuss some of the important HTTP Security headers that help you to tighten up the security belt of your website.
1. HTTP Strict Transport Security (HSTS)
Suppose you own a website, you have just installed an SSL/TLS certificate and you have migrated it from HTTP to HTTPS. The “S” stands for secure, so you might think your website is safe now. But what if it is still reachable over plain HTTP? A user who types the address without a scheme, or follows an old http:// link, starts on the insecure port, and that first request can be intercepted or redirected by anyone on the path. This is where HSTS comes into action: it forces the browser to communicate with the site over HTTPS only, eliminating HTTP.
Once the browser has seen the HSTS header from a site, it rewrites every http:// request to that host to https:// before sending it, for as long as the policy lasts, even if the user typed http:// or no scheme at all. Two caveats: browsers only honour the header on an HTTPS response (it is ignored over plain HTTP), and the very first visit is unprotected unless the domain is on the browsers’ built-in preload list.
There are three semantically distinct ways to send the HSTS header, which are:
- Applied only to the domain of the HSTS host issuing it, in effect for one year:
Strict-Transport-Security: max-age=31536000
- Applied to the domain of the issuing host as well as its subdomains, in effect for one year:
Strict-Transport-Security: max-age=31536000; includeSubDomains
- Directs the browser to delete the entire stored policy:
Strict-Transport-Security: max-age=0
2. Content Security Policy (CSP)
Enabling the Content Security Policy (CSP) header lets the administrator specify which sources of content (scripts, styles, images, frames and so on) the browser may load for your web application.
It mainly mitigates Cross-Site Scripting (XSS): injected script does not run unless it comes from an allowed source, and inline script is blocked unless it carries a per-response nonce or a hash. Later versions of the spec also protect against other forms of attack such as clickjacking, through the frame-ancestors directive.
Content-Security-Policy: <policy-directive>; <policy-directive>
3. X-Frame-Options
The X-Frame-Options header tells the browser whether it is allowed to render the page inside a <frame>, <iframe>, <embed> or <object>. This is the clickjacking defence: an attacker’s page cannot load your site in an invisible frame and trick the user into clicking it.
X-Frame-Options: DENY
“DENY” instructs the browser not to allow any domain to display this page within a frame. Some of the famous sites using this header are Facebook and GitHub.
There are some other values allowed for the X-Frame-Options header which you can use:
SAMEORIGIN — allows the current page to be displayed in a frame, but only on a page from the same origin. Some of the most famous sites using this header are Twitter, Amazon, and eBay.
ALLOW-FROM URI — allows the current page to be displayed in a frame, but only on the given URI. This value is obsolete: current browsers ignore it, and an ignored header gives no protection at all, so use the CSP frame-ancestors directive instead, which also accepts several origins.
4. Expect-CT Header
The Expect-CT header lets a site report or enforce Certificate Transparency (CT) requirements, so that a certificate mis-issued for the site, one that was never logged in the public CT logs, is rejected or at least reported rather than silently trusted. The available directives are max-age, enforce and report-uri:
Expect-CT: max-age=86400, enforce
Here, “enforce” instructs the browser to refuse connections that violate the Certificate Transparency policy. The “report-uri” directive indicates a location for reporting failures. And the “max-age” directive specifies the number of seconds that the browser should cache and apply the received policy for, whether enforced or report-only. Note that this header is now deprecated: Chrome has required CT for all publicly trusted certificates since 2018 regardless of the header and removed Expect-CT support in 2022, so new deployments should not rely on it.
5. Cache-Control Header
The Cache-Control header specifies caching policy in both client requests and server responses. This includes how a resource is cached, where it is cached (browser only, or also shared caches such as proxies and CDNs) and its maximum age before expiring.
Cache-Control: private, max-age=266637262
The “private” in the syntax indicates that the resource is user-specific, which means it can still be cached, but only on the client device, never in a shared cache. The “max-age” indicates, in seconds, how long a cached copy stays fresh; once expired, the browser must revalidate or refetch it. For responses that contain account data, tokens or other secrets, use “no-store” so that no copy is kept at all. There are other directives that can help tighten up privacy. You can find the list here.
6. Clear-Site-Data Header
The Clear-Site-Data header ensures that confidential information from a website is not retained by the browser once the user logs out. Sent on the logout response, it tells the browser to discard what it holds for the origin: “cache”, “cookies”, “storage” (local and session storage, IndexedDB, service worker registrations), “executionContexts” (reload open tabs for the origin), or “*” for everything.
Clear-Site-Data: "*"
This will clear all the browsing data related to the site. Two caveats: the header is only honoured on an HTTPS response, and it applies to the whole origin, so “*” also wipes storage belonging to any other application served from the same origin.
7. Referrer-Policy Header
The Referer request header carries the address of the page the user came from, such as the URL of the page that linked to the currently requested one (the misspelling is historical and is part of the header name). A full referrer URL can be used to track users across sites, and it can inadvertently leak sensitive information, for example a session token or password-reset secret carried in the query string, to any third-party site the page links to or loads resources from.
The Referrer-Policy response header defines how much referrer information is included in requests leaving the page.
With a policy that reveals the complete referrer only for same-origin requests (for example same-origin, which sends nothing cross-origin, or strict-origin-when-cross-origin, which sends only the bare origin cross-origin and is the default in current browsers), the path and query string never leave your site. You can find the list of the other policy values here.
Conclusion: HTTP headers are one of the ways to tighten up the seat belt of your website’s security. By enabling such headers, you protect both your website and your users’ privacy. Setting them correctly, and revisiting them as browser support changes, reduces the amount of remediation work needed in the future.