HTTP headers security check ☠

Did you check the security of HTTP headers of your website? Easy by modifying your server directives on Nginx with the help of by Scott Helme . The example below applies to 

HTTP Strict Transport Security (HSTS) header

HTTP Strict Transport Security ( HSTS ) is a proposed security policy mechanism for HTTP, allowing a web server to declare to a compatible user agent (such as a web browser) that it must interact with it using a secure connection (such as HTTPS). The policy is therefore communicated to the user agent by the server via the HTTP response, in the header field named “Strict-Transport-Security”. This policy specifies a period of time during which the user agent must access the server only in a secure manner.

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

Cross-Site Scripting (XSS) header

Cross-site scripting (or XSS ) is a type of security vulnerability on websites that allows users to inject content into a page, thus causing actions on web browsers visiting the page.

add_header X-Xss-Protection "1; mode=block" always;

X-Frame-Options “SAMEORIGIN” header

Protection against clickjacking .

add_header X-Frame-Options "SAMEORIGIN" always;

X-Content-Type-Options header

This is a security feature that makes it easy to prevent attacks based on MIME confusion. For example, if CSS is expected.

add_header X-Content-Type-Options "nosniff" always;

Referrer-Policy header

Referrer-Policy is not only for there to delete the reference value but to give you control of the reference value.

add_header Referrer-Policy "no-referrer-when-downgrade";

Referrer-Policy header values :

  • No-referrer — No referrer information is sent.
  • No-referrer-when-downgrade — This is the default behavior if no policy is specified. It always passes the full path and will pass a value from HTTPS→HTTPS but not HTTPS→HTTP.
  • Origin — Sends the domain but not the full path.
  • Origin-when-cross-origin — Sends the full path when on the same domain, but only the domain when passing to another website.
  • Same-origin — Sends the full path if it’s the same domain, but strips the value if going to another website.
  • Strict-origin — Sends the domain for HTTPS→HTTPS and HTTP→HTTP, but not HTTPS→HTTP.
  • Strict-origin-when-cross-origin — Sends the full path if on the same domain and from one secure page to another, sends the domain if going from HTTPS on one domain to another domain, and doesn’t pass if going from a secure domain to an insecure domain.
  • Unsafe-url — Sends the full path.

Content Security Policy (CSP) header

Content Security Policy (or CSP ) is a security mechanism to restrict the origin of content (such as Javascript, images, CSS, etc.) on a web page to certain authorized sites. This makes it possible to better guard against a possible XSS attack. Attention, the example below integrates the CSPs specific to the example website. You obviously have to adapt according to your needs.

add_header Content-Security-Policy "default-src 'none';
    script-src 'self' 'unsafe-inline' 'unsafe-eval' 
    style-src 'self' 'unsafe-inline'
    img-src 'self' data: 
    font-src 'self' 
        connect-src 'self'; 
    frame-src 'self' 'unsafe-inline' 
    frame-ancestors 'none'; 
    form-action 'none'; 
    reflected-xss block; 
    referrer no-referrer-when-downgrade";

HTTP Public Key Pinning (HPKP) header

The Public Key Extension for HTTP (HPKP) is a security feature that tells a Web client to associate a specific cryptographic public key to a certain Web server to reduce the risk of MITM attacks with forged certificates. Example, for an site:

    max-age=5184000; includeSubDomains; 

Source photo: James Sutton

Leave a Reply

Your email address will not be published. Required fields are marked *