
HTTP Headers 1693715147462

The document is a two-page HADESS.IO reference table of HTTP response headers that help prevent common web attacks. Each of its 13 rows gives the header name, a short description, the policy values it accepts, and the attacks that a missing or misconfigured header exposes (MIME sniffing, reflected XSS, clickjacking, TLS stripping, referrer leakage, cache deception, rate-limit bypass, CORS abuse, and so on). The headers covered are X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, Referrer-Policy, Cache-Control, Content-Disposition, Cross-Origin-Resource-Policy, the X-* family, Content-Encoding, Access-Control-Allow-Origin, and Access-Control-Allow-Methods.

Uploaded by

Sandro Melo

HADESS.IO

Columns: No. | Name | Description | Policies | Attacks enabled by misconfiguration

1. X-Content-Type-Options
   Description: MIME sniffing attack prevention.
   Policies: nosniff -> blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script.
   Misconfiguration exposes: MIME sniffing attacks, RFD (reflected file download).

2. X-XSS-Protection
   Description: asks the browser's legacy filter to detect reflected cross-site scripting attacks.
   Policies: 0 -> disables the filter (the page loads unfiltered); 1 -> enables XSS filtering (the browser sanitizes the page); 1; mode=block -> the browser refuses to render the page if an attack is detected; 1; report=<reporting-URI> -> sanitize the page and report the violation.
   Misconfiguration exposes: CORS deception.
   Caveat: the filter is deprecated. Chromium and Edge removed it and Firefox never implemented it; on the browsers that still honour it, the sanitizing mode (1 without mode=block) was itself used as a side channel to infer page contents. Send "0" or omit the header and rely on Content-Security-Policy instead.

3. X-Frame-Options
   Description: whether the browser should be allowed to render the page inside a frame.
   Policies: DENY -> the page may not be displayed in a frame at all; SAMEORIGIN -> the page is displayed only if all ancestor frames are same-origin with the page itself.
   Misconfiguration exposes: Clickjacking.

4. Content-Security-Policy
   Description: controls which resources the browser is allowed to load for the page.
   Policies: default-src -> resources must come from the site's own origin; media-src -> restricts media to trusted providers; script-src -> only the specific server that hosts trusted code.
   Misconfiguration exposes: XSS, Clickjacking.
   Note: the frame-ancestors directive is the CSP counterpart of X-Frame-Options and takes precedence over it in browsers that support both, so a page that sets only X-Frame-Options is still worth checking against its CSP.

5. Strict-Transport-Security
   Description: informs browsers that the site should only be accessed using HTTPS.
   Policies: max-age -> the time, in seconds, for which the browser should remember that the site is only to be accessed using HTTPS; includeSubDomains -> the rule applies to all of the site's subdomains as well.
   Misconfiguration exposes: MITM, SSL/TLS stripping attacks, Cookie hijacking attacks.
   Caveat: the header is only honoured after the browser has received it over a valid HTTPS connection, so the very first visit stays exposed to stripping unless the domain is on the browser preload list; a short max-age (minutes or hours) reopens that window every time it expires.

6. Referrer-Policy
   Description: controls how much referrer information (the Referer header) is sent with requests.
   Policies: no-referrer -> do not include any referrer information; no-referrer-when-downgrade -> do not send the Referer header for requests to less secure destinations (HTTPS -> HTTP, HTTPS -> file), but send the full URL for everything else.
   Misconfiguration exposes: CSRF, Privacy attacks, Information disclosure attacks.


7. Cache-Control
   Description: controls caching in browsers and shared caches.
   Policies: no-cache -> the response must be validated with the origin server before each reuse; no-store -> caches of any kind (private or shared) must not store this response.
   Misconfiguration exposes: Cache inspection, Cache deception.
   Note: no-cache still lets a cache keep a copy; for responses carrying session-bound or personal data, no-store is the directive that actually prevents storage.

8. Content-Disposition
   Description: response header indicating whether the content is expected to be displayed inline in the browser or downloaded as an attachment.
   Policies: inline; attachment; filename="filename.jpg".
   Misconfiguration exposes: XSS, Clickjacking, RFD.

9. Cross-Origin-Resource-Policy
   Description: protection against certain requests from other origins (the browser blocks cross-origin reads of the resource that the policy does not permit).
   Policies: same-site -> only requests from the same site can read the resource; same-origin -> only requests from the same origin (scheme + host + port) can read the resource; cross-origin -> any origin (both same-site and cross-site) can read the resource.
   Misconfiguration exposes: XSS, Clickjacking.

10. X-* extra HTTP headers
    Description: non-standard headers that applications and proxies read when making policy decisions.
    Policies: X-Rate-Limit -> controls the request limit; X-Origin -> origin of the request; X-Forwarded-IP (more commonly X-Forwarded-For) -> changes the "real" client IP the application sees.
    Misconfiguration exposes: HTTP header injection, Cache deception, Rate-limit bypass.
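The rate-limit bypass in row 10 comes from trusting a client-writable header as the client's identity. As an added example, not part of the HADESS table, the Python below pairs a limiter with two resolvers: one that takes the leftmost X-Forwarded-For entry (which the client wrote) and one that only honours the header from a known proxy and reads the entry that proxy appended. The proxy address 10.0.0.2, the single-hop topology, and the 203.0.113.7 / 198.51.100.x addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed deployment: exactly one reverse proxy, 10.0.0.2, sits in front of the app
# and appends the peer address it saw to X-Forwarded-For before forwarding.
TRUSTED_PROXIES = {"10.0.0.2"}
TRUSTED_HOPS = 1


def client_ip_naive(headers: dict, remote_addr: str) -> str:
    """Vulnerable: uses the leftmost X-Forwarded-For entry, which the client controls."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(headers: dict, remote_addr: str,
                      trusted_proxies=TRUSTED_PROXIES, hops=TRUSTED_HOPS) -> str:
    """Hardened: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and read only the entry the trusted proxies appended (counted from the right);
    everything further left was supplied by the client."""
    if remote_addr not in trusted_proxies or hops == 0:
        return remote_addr  # direct connection: the header is untrusted, use the socket peer
    chain = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    if len(chain) < hops:
        return remote_addr  # the proxy did not append what it should have; do not guess
    candidate = chain[-hops]
    try:
        ipaddress.ip_address(candidate)  # reject garbage that would pollute the limiter keys
    except ValueError:
        return remote_addr
    return candidate


class RateLimiter:
    """Fixed-window counter keyed on whatever the resolver reports as the client IP."""

    def __init__(self, limit: int, resolver):
        self.limit = limit
        self.resolver = resolver
        self.counts = defaultdict(int)

    def allow(self, headers: dict, remote_addr: str) -> bool:
        key = self.resolver(headers, remote_addr)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate_bypass(resolver, limit: int = 3, attempts: int = 6) -> int:
    """Constructed attack: 203.0.113.7 sends `attempts` requests through the trusted
    proxy, each with a different fake X-Forwarded-For prefix. Returns how many
    requests the limiter let through."""
    limiter = RateLimiter(limit, resolver)
    allowed = 0
    for i in range(attempts):
        # What the app receives: the attacker's fake entry, then the real peer appended by 10.0.0.2.
        headers = {"X-Forwarded-For": f"198.51.100.{i}, 203.0.113.7"}
        if limiter.allow(headers, "10.0.0.2"):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("naive resolver allowed:", simulate_bypass(client_ip_naive))      # 6: every request looks new
    print("trusted resolver allowed:", simulate_bypass(client_ip_trusted))  # 3: all keyed on 203.0.113.7
```

The hop count must match the real topology: with two trusted proxies in a row the client is at index -2, and an app that reads index -1 would key every request on the inner proxy's address and rate-limit all users together.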

11. Content-Encoding
    Description: lists any encodings that have been applied to the representation (message payload), and in what order.
    Policies: gzip; deflate; br.
    Misconfiguration exposes: compression-based DoS, Network eavesdropping.

12. Access-Control-Allow-Origin
    Description: whether the response can be shared with requesting code from the given origin.
    Policies: * -> any origin; <origin> -> exactly that origin; null.
    Misconfiguration exposes: XSS, Host header injection, Cache poisoning.

13. Access-Control-Allow-Methods
    Description: specifies one or more methods allowed when accessing the resource (sent in response to a preflight request).
    Policies: POST, GET, OPTIONS -> an explicit list; * -> any method.
    Misconfiguration exposes: CSRF, XSS.
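Rows 12 and 13 list the attacks that follow from a permissive Access-Control-Allow-Origin. As an added example, not part of the HADESS table, the Python below shows the two classic mistakes (reflecting any Origin with credentials, and a suffix match on the host) beside a hardened version that uses an exact allowlist, rejects "null", never pairs "*" with credentials, returns an explicit method list instead of "*", and always sends Vary: Origin so a shared cache keeps one copy per origin. The allowlist and the origins used are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist of exact origins (scheme + host [+ port]); constructed for the example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST")


def cors_headers_reflecting(origin):
    """Vulnerable: echoes any Origin with credentials, so any site can read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "*",
    }


def origin_allowed_naive(origin: str) -> bool:
    """Vulnerable check: a suffix match accepts https://evilexample.com and http:// downgrades."""
    return origin.endswith("example.com")


def origin_allowed(origin, allowed=ALLOWED_ORIGINS) -> bool:
    """Exact match on the normalised scheme://host[:port]; 'null' and malformed values never match."""
    if origin is None or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed


def cors_headers(origin, credentials=True, allowed=ALLOWED_ORIGINS, methods=ALLOWED_METHODS):
    """Hardened CORS response headers. Vary: Origin is always set so a cache stores
    per-origin copies (no cross-origin cache poisoning); '*' is never combined with
    credentials, and the allowed methods are listed explicitly rather than '*'."""
    headers = {"Vary": "Origin"}
    if not origin_allowed(origin, allowed):
        return headers  # no Access-Control-Allow-Origin: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Methods"] = ", ".join(methods)
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evilexample.com", "null", "http://app.example.com"):
        print(o, "->", cors_headers(o))
```

Rejecting "null" matters because sandboxed iframes and file:// documents send exactly that Origin, so allowing it hands the resource to any page that can create such a frame.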
