HTTP Security Headers for Website
HTTP security headers provide an extra layer of security by defining policies that browsers must follow to protect websites from common attacks. Learn about important HTTP security headers and how to add them.

HTTP security headers are response headers that a server adds when it sends a response to the client browser. They instruct the browser to enforce policies that prevent several classes of attack and so raise the security of the website. In this post we show the most commonly used security headers and how they are added to the response. These are the headers we will implement:
- Content-Security-Policy (CSP).
- Strict-Transport-Security (HSTS).
- X-Content-Type-Options.
- Cross-Origin-Resource-Policy (CORP).
- Referrer-Policy.
- Permissions-Policy.
- X-Frame-Options.
HTTP security headers can be added in different ways depending on the server you are using. On an Apache server they can be configured with .htaccess rules; on Nginx they are set in nginx.conf. In this post we demonstrate how to add HTTP security headers in a .htaccess file. A simple example of adding a response header in .htaccess:
<IfModule mod_headers.c>
# Header set <name> "<value>": the value is quoted as a whole and the name carries no colon
Header set Cache-Control "max-age=691200, s-maxage=691200, public"
</IfModule>
Content-Security-Policy (CSP)
Content Security Policy, abbreviated CSP, is the header that protects against cross-site scripting (XSS) attacks by specifying which content the browser is allowed to load and from where. The CSP header can be added in htaccess like this:
# 'self' is a CSP keyword and must be single-quoted inside the double-quoted value;
# "always" also applies the header to error responses (4xx/5xx)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'self'"
Strict-Transport-Security (HSTS)
HTTP Strict Transport Security, abbreviated HSTS, is the header that ensures communication between the browser and the server takes place over HTTPS and not plain HTTP. It helps reduce the risk of man-in-the-middle attacks. The HSTS header can be added in htaccess like this:
# browsers only honour HSTS received over HTTPS, so send it on HTTPS responses only (mod_ssl sets the HTTPS variable)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
X-Content-Type-Options
When added, this header tells the browser to strictly follow the MIME type given in the Content-Type header and not to guess (sniff) a different one. Its only value is nosniff and it can be added like this:
Header always set X-Content-Type-Options "nosniff"
Cross-Origin-Resource-Policy (CORP)
When present, this header restricts which origins may load the resource, preventing it from being embedded or read by other domains. It protects against cross-origin attacks and can be added in htaccess like this:
Header always set Cross-Origin-Resource-Policy "same-origin"
Referrer-Policy
When set, this header defines how much referrer information is sent along with requests. This limits the referrer information for privacy reasons. It can be added in htaccess like this:
Header always set Referrer-Policy "same-origin"
Permissions-Policy
This header defines which browser features or APIs the page is allowed to use. It is mainly used for privacy reasons and can be added in htaccess like this:
# an empty allowlist () disables the feature for the page and everything it embeds
Header always set Permissions-Policy "microphone=(), camera=(), geolocation=()"
X-Frame-Options (Deprecated)
The X-Frame-Options header controls whether the browser may display the page inside <frame>, <iframe>, <embed>, <object> or <applet> elements. It was used to prevent clickjacking attacks, and it is now deprecated in favour of controlling framing in the CSP header. It can still be added in htaccess like this:
Header always set X-Frame-Options "SAMEORIGIN"
This header is now largely replaced by the frame-ancestors directive in CSP. We explained which HTTP headers are essential and most commonly used, and how to add them with .htaccess to enhance a website's security. Always test your security headers, using tools such as the browser developer tools or an online security scanner, to avoid breaking your website's functionality.
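The header syntax is easy to get wrong (a double-quoted "self" in a CSP is a host named self, not the 'self' keyword), and the closing advice above is to test the result. As an added example that is not part of the original post, the Python script below audits a captured set of response headers against the values recommended in the CSP section and the rest of this post: it parses the CSP into directives and flags a wildcard, 'unsafe-inline' or a self keyword that was not single-quoted, parses the HSTS max-age, and checks the remaining headers for presence and the expected value. The two header maps are constructed samples, and the function and constant names are my own.

```python
# Added example, not code from the original post: audit the security headers
# the post recommends on a captured HTTP response (header maps are constructed).
from __future__ import annotations

# The max-age the post recommends for HSTS (one year, in seconds).
HSTS_MIN_MAX_AGE = 31536000

# Constructed sample: the values the post recommends, as the browser receives them.
GOOD_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "microphone=(), camera=(), geolocation=()",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample of a misconfigured server: self written with double quotes,
# a wildcard script source, a five-minute HSTS lifetime, a leaky referrer policy
# and several headers missing altogether.
WEAK_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src \"self\"; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}; ';' separates directives."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts_max_age(value: str) -> int | None:
    """Return the max-age seconds of an HSTS value, or None if absent or malformed."""
    for token in value.split(";"):
        name, _, seconds = token.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(seconds.strip().strip('"'))
            except ValueError:
                return None
    return None


def parse_permissions_policy(value: str) -> dict[str, str]:
    """Split a Permissions-Policy value into {feature: allowlist}, e.g. {"camera": "()"}."""
    policy: dict[str, str] = {}
    for item in value.split(","):
        feature, _, allowlist = item.strip().partition("=")
        if feature:
            policy[feature.strip().lower()] = allowlist.strip()
    return policy


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per problem; an empty list means every check passed."""
    # Header names are case-insensitive on the wire, so normalise before lookup.
    h = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        for directive in ("default-src", "frame-ancestors"):
            if directive not in policy:
                findings.append(f"CSP lacks {directive}")
        for directive, sources in policy.items():
            for src in sources:
                if src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                    findings.append(f"CSP {directive} allows {src}")
                elif src.strip("\"'").lower() == "self" and src != "'self'":
                    findings.append(f"CSP {directive}: keyword must be written 'self', got {src}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_MAX_AGE} (got {max_age})")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    if h.get("cross-origin-resource-policy") is None:
        findings.append("Cross-Origin-Resource-Policy missing")
    referrer = h.get("referrer-policy")
    if referrer is None:
        findings.append("Referrer-Policy missing")
    elif referrer.lower() == "unsafe-url":
        findings.append("Referrer-Policy unsafe-url leaks the full URL cross-origin")
    permissions = h.get("permissions-policy")
    if permissions is None:
        findings.append("Permissions-Policy missing")
    else:
        allow = parse_permissions_policy(permissions)
        for feature in ("microphone", "camera", "geolocation"):
            if allow.get(feature) != "()":
                findings.append(f"Permissions-Policy does not disable {feature}")
    # Clickjacking: frame-ancestors in CSP is the current control, X-Frame-Options the legacy one.
    if "frame-ancestors" not in policy and h.get("x-frame-options") is None:
        findings.append("no framing restriction (neither CSP frame-ancestors nor X-Frame-Options)")
    return findings


if __name__ == "__main__":
    print(check_security_headers(WEAK_RESPONSE_HEADERS))
```

Run it as a script to print the findings for the weak sample, or call check_security_headers() on headers captured from a real response (for instance from the browser developer tools); an empty list means the response matches the recommendations in this post.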