Complete guide to HTTP Headers for securing websites (Cheat Sheet)

  • Security headers list
  • Implementation of HTTP headers in Nginx, Apache, PHP, etc.
  • Testing of HTTP headers in your website
  • References

Security Headers

X-Frame-Options

Recommendation

X-XSS-Protection

Recommendation

X-Content-Type-Options

Recommendation

Referrer-Policy

Recommendation

  • NOTE: modern browsers already apply this policy when no Referrer-Policy header is sent; sending it explicitly covers older browsers and makes the intent visible in the response.

Content-Type

Recommendation

  • NOTE: the charset attribute is necessary to prevent XSS in HTML pages: without a declared charset the browser guesses the encoding, and charset sniffing (historically UTF-7) has been used to make attacker-controlled bytes decode as script.
  • NOTE: text/html is only an example; use the MIME type that matches the actual response body.

Set-Cookie

Recommendation

  • NOTE: The Domain attribute has been removed intentionally: without it the cookie is scoped to the exact host that set it, whereas Domain=example.com would also send it to every subdomain.

Strict-Transport-Security

Recommendation

Expect-CT

Recommendation

Content-Security-Policy

Recommendation

  • WARNING: with this header, inline <script> elements and inline event handlers such as onload stop working, because the policy does not include 'unsafe-inline'. That is the point: it removes the injection vector XSS relies on. Move scripts into external files served from an allowed origin, or allow specific inline scripts with a nonce or hash.

Access-Control-Allow-Origin

Recommendation

Cross-Origin-Opener-Policy

Recommendation

Cross-Origin-Resource-Policy

Recommendation

Cross-Origin-Embedder-Policy

Recommendation

  • NOTE: a cross-origin resource that does not send Cross-Origin-Resource-Policy is blocked under require-corp. It can still be loaded if you request it in CORS mode with the crossorigin attribute and the third party allows your origin via Access-Control-Allow-Origin, like below:
  • <img src="https://thirdparty.com/img.png" crossorigin>

Server

Recommendation

X-Powered-By

Recommendation

X-AspNet-Version

Recommendation

X-AspNetMvc-Version

Recommendation

X-DNS-Prefetch-Control

Recommendation

Public-Key-Pins ❌

Recommendation

Adding HTTP Headers in Different Technologies

PHP

<?php
// header() must be called before any output is sent; once the body has started, the header can no longer be set.
header("X-XSS-Protection: 1; mode=block");

Apache

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

IIS

<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-XSS-Protection" value="1; mode=block" />
</customHeaders>
</httpProtocol>
...
</system.webServer>

HAProxy

# Quote the value: without quotes HAProxy splits it at the space and "mode=block" is parsed as a separate argument.
http-response set-header X-XSS-Protection "1; mode=block"

Nginx

# "always" also adds the header to 4xx/5xx responses; by default add_header only applies to successful and redirect responses.
add_header "X-XSS-Protection" "1; mode=block" always;

Express

const express = require('express');
const helmet = require('helmet');
const app = express();
// Sets "X-Frame-Options: SAMEORIGIN"; app.use(helmet()) would apply helmet's whole default header set instead of this single header.
app.use(
  helmet.frameguard({
    action: "sameorigin",
  })
);

Testing Proper Implementation of Security Headers

Mozilla Observatory

SmartScanner
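Both scanners above test a live site. For a local check that encodes the same checklist as the header list above, here is an added example (editor's code, not from the article or from either scanner) that audits a dictionary of response headers: it flags the disclosure headers (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version), the deprecated Public-Key-Pins, missing recommended headers, a weak Strict-Transport-Security policy, a Content-Security-Policy that allows 'unsafe-inline', a text/html Content-Type without charset, and cookies that lack Secure, HttpOnly or SameSite or that set Domain. The one-year HSTS minimum, the accepted X-Frame-Options values and the two sample responses are assumptions constructed for the example, not values from the article or any real site.

```python
"""Offline audit of one HTTP response's headers against the cheat sheet above.
Editor's added example, not code from the article. ONE_YEAR (the assumed minimum
HSTS max-age) and the two sample responses at the bottom are constructed
assumptions, not values captured from a real site."""
from typing import Dict, List, Union

ONE_YEAR = 31536000  # assumed minimum acceptable HSTS max-age, in seconds
# Headers that only reveal the server stack; the list above says to remove them.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# Headers recommended on every HTML response (HSTS and Set-Cookie are checked separately).
EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
                    "Content-Security-Policy", "Cross-Origin-Opener-Policy",
                    "Cross-Origin-Resource-Policy", "Cross-Origin-Embedder-Policy")


def parse_directives(value: str) -> Dict[str, str]:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def audit_headers(headers: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Return one finding per problem; an empty list means the response passed.
    Names match case-insensitively; a value may be a list because Set-Cookie repeats."""
    h: Dict[str, List[str]] = {}
    for name, value in headers.items():
        h.setdefault(name.lower(), []).extend(value if isinstance(value, list) else [value])
    first = lambda name: (h.get(name.lower()) or [None])[0]
    findings: List[str] = []

    for name in DISCLOSURE_HEADERS:
        if name.lower() in h:
            findings.append(f"{name} discloses the stack: {first(name)!r}")
    if "public-key-pins" in h:  # marked deprecated in the list above
        findings.append("Public-Key-Pins is deprecated and should be removed")
    for name in EXPECTED_HEADERS:
        if name.lower() not in h:
            findings.append(f"{name} missing")

    hsts = first("Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = parse_directives(hsts)
        max_age = int(directives.get("max-age") or 0)
        if max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below {ONE_YEAR}")
        if "includesubdomains" not in directives:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xcto = first("X-Content-Type-Options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be nosniff, got {xcto!r}")
    xfo = first("X-Frame-Options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    csp = first("Content-Security-Policy")
    if csp is not None and "'unsafe-inline'" in csp.lower():
        findings.append("Content-Security-Policy allows 'unsafe-inline', which re-enables inline XSS")

    # The charset note above: an HTML response without a declared charset invites sniffing.
    ctype = first("Content-Type")
    if ctype is not None:
        media, _, params = ctype.partition(";")
        if media.strip().lower() == "text/html" and "charset" not in parse_directives(params):
            findings.append("Content-Type text/html has no charset")

    # The Set-Cookie note above: Secure, HttpOnly and SameSite present, Domain absent.
    for cookie in h.get("set-cookie", []):
        pair, _, rest = cookie.partition(";")
        cookie_name, attrs = pair.split("=", 1)[0].strip(), parse_directives(rest)
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name!r} lacks {flag}")
        if "domain" in attrs:
            findings.append(f"cookie {cookie_name!r} sets Domain, widening it to all subdomains")
    return findings


# Constructed sample responses for the demonstration (not captured from any real site).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Set-Cookie": ["session=abc123; Path=/; Domain=example.com"],
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8", "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response))
```

To run it against a live site, collect the response headers with your HTTP client of choice, keeping every Set-Cookie line in a list rather than letting the client collapse them into one string, and pass the result to audit_headers. The constructed weak response produces sixteen findings; the hardened one produces none.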
