Sumeru Cyber Security
Security Headers

Introduction

Headers are part of the HTTP specification and define the metadata of the message in both the HTTP request and the HTTP response. While the HTTP message body is usually meant to be read by the user, the metadata is processed exclusively by the web browser; headers have been part of the HTTP protocol since version 1.0.

List of Security Headers

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Strict-Transport-Security
  • Content-Security-Policy
  • Access-Control-Allow-Origin
  • Public-Key-Pins
  • Referrer-Policy
  • Expect-CT
  • Feature-Policy
  • Clear-Site-Data

How to test

To identify the HTTP headers in use, simply look at the HTTP response headers of the website.

Method 1

With this method, we can manually inspect the request and response in any browser.

  1. Right click on the page and choose Inspect Element.

  2. Go to the Network tab and click on any request listed for the page.

  3. Go to the Headers tab; the HTTP security headers are shown among the response headers.

Method 2

We can also check for missing security headers with the securityheaders.com website.

  1. Paste the URL and check which security headers are missing from the website.
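As an added example that is not part of the original page, the Node.js script below performs the same check offline: it parses a constructed raw HTTP response and reports which of the headers listed above are missing or carry a weak value. The header list, the sample response and the one-year HSTS threshold are this example's own assumptions.

```javascript
// Added example (not from the original page): audit a raw HTTP response for the
// security headers this page lists and flag weak values.
const REQUIRED = ['x-frame-options', 'x-content-type-options', 'strict-transport-security',
  'content-security-policy', 'referrer-policy'];

// Parse "Name: value" lines after the status line into a map. Header names are
// case-insensitive, so they are lower-cased; repeated headers are joined with ", ".
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    if (line.trim() === '') break;            // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx === -1) continue;                 // ignore malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Return { missing, weak }: headers absent entirely, and present ones whose value
// still leaves the page exposed (framing allowed, sniffing allowed, short HSTS, full-URL referrer).
function auditHeaders(headers) {
  const missing = REQUIRED.filter((h) => !(h in headers));
  const weak = [];
  const xfo = headers['x-frame-options'];
  if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo)) weak.push('x-frame-options: ' + xfo);
  const xcto = headers['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') weak.push('x-content-type-options: ' + xcto);
  const hsts = headers['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    // Less than a year (31536000 s, the value used on this page) expires too soon.
    if (!m || Number(m[1]) < 31536000) weak.push('strict-transport-security: ' + hsts);
  }
  const rp = headers['referrer-policy'];
  if (rp && rp.toLowerCase() === 'unsafe-url') weak.push('referrer-policy: ' + rp);
  return { missing, weak };
}

// Constructed sample response (not captured from any real site).
const SAMPLE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n' +
  'X-Frame-Options: ALLOW-FROM https://partner.example\r\n' +
  'Strict-Transport-Security: max-age=300\r\n' +
  'Referrer-Policy: origin-when-cross-origin\r\n\r\n<html>...</html>';

console.log(auditHeaders(parseHeaders(SAMPLE)));
```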

Solutions

X-Frame-Options

This HTTP header helps avoid clickjacking attacks. Browser support is as follows: IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+.

Parameter Value   Meaning
SAMEORIGIN        Frame/iframe of the content is only allowed from the same site origin.
DENY              Prevent any domain from embedding your content using a frame/iframe.
ALLOW-FROM        Allow framing the content only on a particular URI.

PHP

To send the header in the response, use this code.

<?php
header("X-Frame-Options: DENY");
?>

APACHE

For Apache, we have to insert this line in httpd.conf (the Header directive requires mod_headers to be enabled).

Header set X-Frame-Options DENY

NGINX

For nginx, we have to insert this line in nginx.conf, inside the http, server or location block (note that a block which defines its own add_header directives does not inherit those from outer blocks).

add_header X-Frame-Options "DENY";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("X-Frame-Options", "DENY");
    next();
});

X-XSS-Protection

The X-XSS-Protection header can prevent some XSS (cross-site scripting) attacks and is compatible with IE 8+, Chrome, Opera, Safari and Android. Note that current versions of Chrome and Edge have since removed their built-in XSS filter, so a Content-Security-Policy is the more reliable defence today.

Parameter Value   Meaning
0                 XSS filter disabled
1                 XSS filter enabled; the page is sanitized if an attack is detected
1;mode=block      XSS filter enabled; rendering of the page is prevented if an attack is detected
1;report=<URI>    XSS filter enabled; the violation is reported if an attack is detected

PHP

To send the header in the response, use this code.

<?php
header("X-XSS-Protection: 1; mode=block");
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set X-XSS-Protection "1; mode=block"

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header X-XSS-Protection "1; mode=block";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("X-XSS-Protection", "1; mode=block");
    next();
});

X-CONTENT-TYPE-OPTIONS

Prevent MIME-type security risks by adding this header to your web page’s HTTP response. It instructs the browser to treat files as the declared type and disallows content sniffing. There is only one parameter value to add: “nosniff”.

PHP

To send the header in the response, use this code.

<?php
header("X-Content-Type-Options: nosniff");
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set X-Content-Type-Options "nosniff"

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header X-Content-Type-Options "nosniff";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("X-Content-Type-Options", "nosniff");
    next();
});

STRICT-TRANSPORT-SECURITY

The HSTS (HTTP Strict Transport Security) header ensures that all communication from a browser is sent over HTTPS (HTTP Secure). This prevents HTTPS click-through prompts and redirects HTTP requests to HTTPS.

Before implementing this header, you must ensure that every page of your website is accessible over HTTPS, otherwise those pages will be blocked. The HSTS header is supported by the latest versions of all major browsers (IE, Firefox, Opera, Safari and Chrome). There are three configuration parameters.

Parameter Value     Meaning
max-age             Duration (in seconds) for which the browser is told that requests are available only over HTTPS.
includeSubDomains   The configuration is valid for subdomains as well.
preload             Use if you would like your domain to be included in the HSTS preload list (inclusion is hard to reverse, so submit only once every subdomain serves HTTPS).

PHP

To send the header in the response, use this code.

<?php
header("Strict-Transport-Security: max-age=31536000");
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set Strict-Transport-Security "max-age=31536000"

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("Strict-Transport-Security", "max-age=31536000");
    next();
});

CONTENT-SECURITY-POLICY

This header can affect your website in many ways, so be careful when using it. The configuration below allows loading scripts, XMLHttpRequest (AJAX) calls, images and styles from the same domain and nothing else. Browser support: Edge 12+, Firefox 4+, Chrome 14+, Safari 6+, Opera 15+.

A few notes: IE 10 and 11 support CSP through the X-Content-Security-Policy header; Safari 5.1 supported it through the X-Webkit-CSP header.

Parameter Value   Meaning
default-src       Load everything from a defined source
script-src        Load only scripts from a defined source

PHP

To send the header in the response, use this code.

<?php
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header Content-Security-Policy "default-src 'self';";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    next();
});
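As an added example that is not part of the original page, the Node.js code below parses a CSP value into directives, resolves which directive governs a given resource type (falling back to default-src the way browsers do, which is why the policy above needs no font-src entry) and flags wildcard or unsafe keyword sources. The fallback list is a subset, and the WEAK_POLICY string is constructed for contrast.

```javascript
// Added example (not from the original page): parse a Content-Security-Policy
// value, resolve the effective sources for a resource type, and review it for
// the weak source values that undo the protection the header is meant to give.
const FALLBACK_TO_DEFAULT = new Set(['script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'object-src', 'frame-src']);   // subset of fetch directives

// "default-src 'none'; script-src 'self'" -> { 'default-src': ["'none'"], 'script-src': ["'self'"] }
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;                     // trailing ';' or empty segment
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first occurrence wins
  }
  return directives;
}

// Sources that apply to a resource type, e.g. effectiveSources(d, 'font-src').
function effectiveSources(directives, type) {
  if (type in directives) return directives[type];
  if (FALLBACK_TO_DEFAULT.has(type) && 'default-src' in directives) return directives['default-src'];
  return null;                                             // no restriction: anything loads
}

// Findings a reviewer would raise: no default-src, wildcard hosts/schemes, unsafe keywords.
function reviewCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!('default-src' in d)) findings.push('missing default-src: unlisted resource types are unrestricted');
  for (const [name, sources] of Object.entries(d)) {
    for (const src of sources) {
      if (src === '*' || src === 'https:' || src === 'http:') findings.push(`${name} allows broad source ${src}`);
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") findings.push(`${name} allows ${src}`);
    }
  }
  return findings;
}

// The policy recommended on this page locks every resource type to the same origin.
const PAGE_POLICY = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
// Constructed weak policy for contrast (not from any real deployment).
const WEAK_POLICY = "script-src 'self' 'unsafe-inline' *; img-src https:";

console.log(effectiveSources(parseCsp(PAGE_POLICY), 'font-src')); // falls back to default-src
console.log(reviewCsp(PAGE_POLICY));
console.log(reviewCsp(WEAK_POLICY));
```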

ACCESS-CONTROL-ALLOW-ORIGIN

The Access-Control-Allow-Origin header is part of the cross-origin resource sharing specification, which is discussed on the Cross-Origin Resource Sharing page of this guide.

PUBLIC-KEY-PINS

The Public-Key-Pins (HPKP) header tells the browser which certificate public keys it should accept for the host. HPKP has since been deprecated and current browsers no longer honour it, so the configuration below is kept for reference only.

Parameter Value     Meaning
pin-sha256          A Base64-encoded Subject Public Key Information (SPKI) fingerprint.
max-age             The time, in seconds, that the user agent should remember the host as a Known Pinned Host.
includeSubDomains   An optional directive that signals to the user agent that the pinning policy applies to this Pinned Host as well as any subdomains of the host's domain name.
report-uri          An optional directive that indicates the URI to which the user agent should report pin validation failures.

PHP

To send the header in the response, use this code.

<?php
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://example.net/pkp-report"');
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://example.net/pkp-report\""

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("Public-Key-Pins", 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains');
    next();
});

REFERRER-POLICY

Controls the value of the Referer header sent with the additional requests for resources from a web page. Not all options are supported by all browsers, so review your requirements before implementation.

Parameter Value                  Meaning
no-referrer                      Referrer information will not be sent with the request.
no-referrer-when-downgrade       The default setting: the referrer is sent when the protocol stays the same (HTTP to HTTP, HTTPS to HTTPS) but not on a downgrade from HTTPS to HTTP.
unsafe-url                       The full URL will be sent with every request.
same-origin                      The referrer will be sent only for same-origin requests.
strict-origin                    Send only the origin, and only while the protocol stays HTTPS (nothing on a downgrade to HTTP).
strict-origin-when-cross-origin  Send the full URL for same-origin requests and only the origin for cross-origin requests over a strict protocol like HTTPS; nothing on a downgrade.
origin                           Send only the origin URL in all requests.
origin-when-cross-origin         Send the full URL on the same origin; send only the origin URL in other cases.

PHP

To send the header in the response, use this code.

<?php
header("Referrer-Policy: origin-when-cross-origin");
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set Referrer-Policy "origin-when-cross-origin"

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header Referrer-Policy "origin-when-cross-origin";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("Referrer-Policy", "origin-when-cross-origin");
    next();
});

EXPECT-CT

This header, still experimental, instructs the browser to validate the connection to the web server against Certificate Transparency (CT), a project by Google that aims to fix some of the flaws in the SSL/TLS certificate system.

Parameter Value   Meaning
max-age           Number of seconds for which the browser should cache the policy.
enforce           An optional directive to enforce the policy.
report-uri        URL to which the browser sends a report when valid certificate transparency information is not received.

PHP

To send the header in the response, use this code.

<?php
header("Expect-CT: max-age=7776000, enforce");
?>

APACHE

For Apache, we have to insert the code in httpd.conf.

Header set Expect-CT "max-age=7776000, enforce"

NGINX

For nginx, we have to insert the code in nginx.conf.

add_header Expect-CT "max-age=7776000, enforce";

EXPRESS.JS

For Express.js, we have to add the header in a middleware function.

app.use(function(req, res, next) {
    // Set the header on every response before the route handlers run.
    res.header("Expect-CT", "max-age=7776000, enforce");
    next();
});

References

  • Security headers
    https://www.netsparker.com/whitepaper-http-security-headers/
    https://zinoui.com/blog/security-http-headers
    https://geekflare.com/http-header-implementation
    https://www.owasp.org/index.php/User:Pawel_Krawczyk/List_of_useful_HTTP_headers
  • View headers in response
    securityheaders.com

Last updated 5 years ago