
HTTP security headers

HTTP security headers are a collection of HTTP response headers used to enforce security policies and protect web applications against various vulnerabilities, such as Cross-Site Scripting (XSS), clickjacking, and Man-in-the-Middle (MITM) attacks^[600-developer__tools__security__Strict-Transport-Security.md].

Strict-Transport-Security (HSTS)

The Strict-Transport-Security header enforces the use of HTTPS, ensuring that the browser only connects to the server via secure channels^[600-developer__tools__security__Strict-Transport-Security.md]. When a server sets this header (e.g., Strict-Transport-Security: max-age=31536000; includeSubDomains), the browser will automatically convert any HTTP requests to the domain (and its subdomains) into HTTPS requests for the specified duration^[600-developer__tools__security__Strict-Transport-Security.md]. This mechanism prevents users from bypassing invalid certificate warnings and helps mitigate MITM attacks^[600-developer__tools__security__Strict-Transport-Security.md].

Content-Security-Policy (CSP)

Content-Security-Policy is a header designed to mitigate XSS attacks by restricting the sources from which resources such as scripts, styles, images, and fonts can be loaded^[600-developer__tools__security__Strict-Transport-Security.md]. It operates on a whitelist model, allowing administrators to specify valid domains for different content types^[600-developer__tools__security__Strict-Transport-Security.md]. Directives include default-src, script-src, img-src, and object-src, and can be configured to forbid dangerous features like eval()^[600-developer__tools__security__Strict-Transport-Security.md].

X-Frame-Options

The X-Frame-Options header protects against clickjacking attacks by controlling whether the page can be embedded into an <iframe> on other sites^[600-developer__tools__security__Strict-Transport-Security.md].

It accepts three possible values:

  • DENY: Prevents any domain from framing the content^[600-developer__tools__security__Strict-Transport-Security.md].
  • SAMEORIGIN: Allows framing only by pages on the same origin^[600-developer__tools__security__Strict-Transport-Security.md].
  • ALLOW-FROM: Specifies a whitelist of URLs permitted to frame the content^[600-developer__tools__security__Strict-Transport-Security.md].

Set-Cookie Attributes

While not a standalone header, specific attributes within the Set-Cookie header are critical for session security^[600-developer__tools__security__Strict-Transport-Security.md].

  • HttpOnly: Prevents client-side scripts (e.g., document.cookie) from accessing the cookie, effectively mitigating the theft of cookies via XSS^[600-developer__tools__security__Strict-Transport-Security.md].
  • Secure: Ensures the cookie is only transmitted over encrypted HTTPS connections^[600-developer__tools__security__Strict-Transport-Security.md].

Other Security Headers

  • X-XSS-Protection: An older, non-standard header that enables the browser's built-in XSS filter^[600-developer__tools__security__Strict-Transport-Security.md]. It has largely been superseded by [[Content-Security-Policy]], but can still be set as a defense-in-depth measure for older browsers^[600-developer__tools__security__Strict-Transport-Security.md].
  • X-Content-Type-Options: Setting this header to nosniff prevents the browser from interpreting files as a different MIME type than declared (e.g., preventing a script from executing if it is labeled as an image)^[600-developer__tools__security__Strict-Transport-Security.md].
  • Referrer-Policy: Governs how much information is included in the Referer header when navigating from one page to another^[600-developer__tools__security__Strict-Transport-Security.md]. This can be used to enhance privacy by controlling whether the full URL or just the origin is sent to other sites^[600-developer__tools__security__Strict-Transport-Security.md].
  • Public-Key-Pins (HPKP): A mechanism to prevent MITM attacks by associating a specific cryptographic public key with a server^[600-developer__tools__security__Strict-Transport-Security.md]. This allows the user agent to reject a connection if the certificate presented does not match the pinned key, even if signed by a valid Certificate Authority^[600-developer__tools__security__Strict-Transport-Security.md].
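As an added example (not code from the original page), a small Python audit that checks one response's headers against the policies described above: HSTS max-age and includeSubDomains, script sources allowed by CSP, framing protection, nosniff, and the HttpOnly/Secure cookie flags. The two header sets it runs on are constructed samples, not captured from any real site.

```python
# Added example, not from the original page: audit one response's headers against
# the policies above and return findings. Sample header sets below are constructed.
def _directives(value):
    # "a=1; b; c=x" -> {"a": "1", "b": "", "c": "x"}, names lowercased
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def audit_headers(headers):
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _directives(hsts)
        if int(d.get("max-age") or 0) < 31536000:  # one year is the usual floor
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS does not cover subdomains")
    csp = h.get("content-security-policy", "")
    policy = {p.split()[0].lower(): p.split()[1:] for p in csp.split(";") if p.split()}
    if not policy:
        findings.append("CSP missing")
    else:  # script-src falls back to default-src when absent
        script = policy.get("script-src") or policy.get("default-src") or []
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script:
                findings.append(f"CSP allows {weak} for scripts")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in policy:
        findings.append("no clickjacking protection")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    cookies = h.get("set-cookie", [])  # may be a single string or a list
    for line in ([cookies] if isinstance(cookies, str) else cookies):
        name, attrs = line.split("=", 1)[0].strip(), _directives(line)
        for flag in ("HttpOnly", "Secure"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

WEAK = {"Strict-Transport-Security": "max-age=300",  # constructed sample
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
        "Set-Cookie": ["sid=abc123; Path=/"]}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Set-Cookie": ["sid=abc123; Path=/; HttpOnly; Secure"]}
```

`audit_headers(WEAK)` returns seven findings, one per weakness in that sample, while `audit_headers(HARDENED)` returns an empty list.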

Sources

^[600-developer__tools__security__Strict-Transport-Security.md]

  • [[HTTPS]]
  • [[XSS (Cross-Site Scripting)]]
  • [[Clickjacking]]
  • [[Cryptography]]