A well-configured website makes an already secure https connection even more secure with HTTP security headers. Does your site send HTTP security headers for extra protection? Does it use them to tell the visitor's browser which security measures are in place?
HTTP security headers
The visitor views your website through a browser. Your web server sends HTML pages to that browser. Along with the pages, the web server or web application can also send HTTP security headers in the response to tell the browser which security measures it can expect from the website and the server.
Test the HTTP Security Headers that are sent through the HTTP response headers of your web site via Security Headers. There are several security measures that can be enforced through HTTP Security Headers:
X Content Type Options
A browser can guess the type of a file from its content (MIME sniffing) instead of trusting the declared Content-Type. With "X-Content-Type-Options: nosniff", the server instructs the browser not to determine the content type itself. This prevents text files and images from being interpreted and executed as HTML/JavaScript.
X-Content-Type-Options: nosniff
Referrer Policy
If a visitor on your site clicks on a hyperlink to another site, the browser sends the referrer in an HTTP request header to tell the new site where the visitor came from. That site can then use its web server logs to see where its visitors come from. If your website runs on https and the link points to an http website, this is a "downgrade" of the connection for the visitor. To protect the privacy of your visitors, you can restrict or disable the referrer; the value below sends it only to destinations that are not a downgrade.
Referrer-Policy: no-referrer-when-downgrade
Feature Policy
Feature Policy has been replaced by Permissions Policy.
Permissions Policy
With the Permissions-Policy you decide which browser functions and APIs you want to enable or disable. You will be familiar with pop-ups from websites that ask for your location. You can have your website communicate to the visitor's browser that, for example, you are not asking for a location (geolocation).
- geolocation
- midi
- notifications
- push
- sync-xhr
- microphone
- camera
- magnetometer
- gyroscope
- speaker
- vibrate
- fullscreen
- payment
permissions-policy: camera=(), geolocation=(), microphone=(), payment=()
Content Security Policy (CSP)
The Content Security Policy defines from which approved sources the visitor's browser is allowed to load resources (CSS stylesheets, JavaScript libraries, fonts). Think for example of external Google Fonts or jQuery JavaScript libraries.
You can choose to place all external sources on your own site, or arrange through the CSP which external sources you accept. It is an effective countermeasure against Cross Site Scripting (XSS) attacks.
content-security-policy: frame-ancestors 'self'
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security enforces that all communication between the visitor and your website takes place over a secure transport layer (https). This helps prevent a man-in-the-middle (MiTM) attack. Via HSTS your website tells the browser that it must be reached over https for the period given in max-age (in seconds; the value below is about six months).
strict-transport-security: max-age=15768000
X Frame Options
With the X-Frame-Options header you protect your visitors against clickjacking attacks. In a clickjacking attack, an attacker loads your page in a hidden iframe on a page they control and tricks the visitor into clicking on it. This can be prevented by defining x-frame-options. You can also control this via the "frame-ancestors" directive of the Content Security Policy.
x-frame-options: SAMEORIGIN
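As an added example that is not part of the original page, the Python script below parses the header block of a constructed HTTP response and reports which of the headers discussed above are present, missing or weakly configured. The acceptance rules (a six-month HSTS minimum, the set of acceptable Referrer-Policy values, a CSP that at least sets default-src or frame-ancestors) are this example's own assumptions.

```python
import re

# Minimum HSTS lifetime accepted by the audit: six months in seconds, as in the example header above.
MIN_HSTS_MAX_AGE = 15768000

SAFE_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
}

def hsts_max_age(value):
    """Return the max-age (seconds) of an HSTS value, or 0 if it is absent."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0

# One check per header discussed on this page; True means the value is acceptable (assumed rules).
CHECKS = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() in SAFE_REFERRER_POLICIES,
    "permissions-policy": lambda v: v != "",
    "content-security-policy": lambda v: "default-src" in v.lower() or "frame-ancestors" in v.lower(),
    "strict-transport-security": lambda v: hsts_max_age(v) >= MIN_HSTS_MAX_AGE,
    "x-frame-options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
}

def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into a dict with lower-cased names."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break  # the blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers):
    """Classify each expected header as 'ok', 'weak' or 'missing'."""
    return {name: "missing" if name not in headers
            else "ok" if check(headers[name]) else "weak"
            for name, check in CHECKS.items()}

# Constructed sample response: Referrer-Policy is absent and the HSTS lifetime is far too short.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
    "Permissions-Policy: camera=(), geolocation=(), microphone=(), payment=()\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>...</html>"
)
```

Running `audit(parse_headers(SAMPLE_RESPONSE))` reports referrer-policy as missing, strict-transport-security as weak and the other four headers as ok.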