Module 3 Security Headers

Security headers are HTTP directives that enhance web security by instructing browsers on how to handle content and interactions. They protect against various cyber threats, such as cross-site scripting and man-in-the-middle attacks, by specifying policies for content sources, transport security, and more. Proper implementation and regular audits of these headers are essential for maintaining a secure web application.

Uploaded by

Bismita Patro

What Are Security Headers?

• Security headers are directives that browsers must follow; they are passed along in the headers of the HTTP response.
• An HTTP header is part of the response a web server sends to a browser that is trying to access a web page.
• The response headers communicate things such as when the web page does not exist (400 response header).

Why Use Security Headers?

• Automated bot software is constantly probing and testing websites for security weaknesses.
• These vulnerabilities can be introduced by the content management system, by the JavaScript libraries used to add functionality, or by a plugin or a theme.
• Websites that use security headers are said to be hardened against security threats.
• While a website can get along without security headers by keeping its components up to date and using security plugins, doing so needlessly exposes the website and its visitors to security risks.

Security headers are a crucial aspect of web security, serving as an additional layer of protection against various types of cyber threats. They are HTTP headers that can be added to web server responses to provide specific instructions to the web browser regarding how to handle the content and interactions with the website. Below is an overview of some commonly used security headers:

1. Content Security Policy (CSP):
• Purpose: Mitigates the risk of cross-site scripting (XSS) attacks.
• Usage: Specifies which sources of content (e.g., scripts, styles, images) are considered legitimate. This helps prevent the execution of malicious scripts.
2. Strict-Transport-Security (HSTS):
• Purpose: Forces the browser to communicate with the server over HTTPS, reducing the risk of man-in-the-middle attacks.
• Usage: The server instructs the browser to always connect via HTTPS, preventing users from accessing the site over unencrypted HTTP.
3. X-Content-Type-Options:
• Purpose: Prevents browsers from interpreting files as a different MIME type than declared by the server, reducing the risk of MIME-sniffing attacks.
• Usage: Set to "nosniff" to ensure browsers follow the declared content type.
4. X-Frame-Options:
• Purpose: Protects against clickjacking attacks by preventing the site from being embedded in an iframe.
• Usage: Set to "DENY" to disallow framing or to "SAMEORIGIN" to allow framing only by pages from the same origin.
5. Referrer-Policy:
• Purpose: Controls how much information is included in the HTTP Referer header when navigating from one page to another.
• Usage: Set to "no-referrer" to ensure that no referrer information is sent, or "strict-origin-when-cross-origin" for a stricter policy.
6. Feature-Policy:
• Purpose: Allows a site to control which web platform features are permitted or restricted.
• Usage: Specifies a list of features and their respective policies, limiting potential security risks associated with certain features.
7. Expect-CT:
• Purpose: Enforces Certificate Transparency, ensuring that the browser only connects to websites with valid and logged SSL/TLS certificates.
• Usage: Informs the browser to enforce the Certificate Transparency policy.
8. Public-Key-Pins (HPKP) (Deprecated):
• Purpose: Pins a set of public keys, protecting against man-in-the-middle attacks using fraudulent certificates.

©Prof Sneha Dalvi

Implementing and configuring these security headers appropriately can significantly enhance the overall security posture of a web application. Regular security audits and staying informed about best practices are crucial to maintaining an effective security header strategy. It's also important to note that the effectiveness of security headers depends on proper configuration and continuous monitoring for emerging security threats and changes in web standards.



Example
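The audit the notes call for, as an added example that is not part of the original slides: a small Python script that parses a captured HTTP response and checks each header discussed above against the recommended values (the response text is constructed for the example, not taken from a real site).

```python
import re

# Constructed sample response (not from a real site); several headers are weak or missing.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    'Public-Key-Pins: pin-sha256="AAAA"; max-age=5184000\r\n'
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Map lower-cased header names to values; the first colon separates name and value."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers):
    """Return (header, severity, message) findings for the headers discussed in the notes."""
    f = []
    csp = headers.get("content-security-policy")
    if csp is None:
        f.append(("Content-Security-Policy", "high", "missing; script sources unrestricted (XSS)"))
    elif "default-src" not in csp or "'unsafe-inline'" in csp:
        f.append(("Content-Security-Policy", "medium", "weak: set default-src, avoid 'unsafe-inline'"))
    age = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if age is None:
        f.append(("Strict-Transport-Security", "high", "missing; plain HTTP still accepted"))
    elif int(age.group(1)) < 31536000:  # one year, the usual minimum for HSTS
        f.append(("Strict-Transport-Security", "low", "max-age shorter than one year"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        f.append(("X-Content-Type-Options", "medium", "not 'nosniff'; MIME sniffing possible"))
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        f.append(("X-Frame-Options", "medium", "not DENY/SAMEORIGIN; page can be framed"))
    if headers.get("referrer-policy") not in ("no-referrer", "strict-origin-when-cross-origin"):
        f.append(("Referrer-Policy", "low", "missing or leaks full URLs cross-origin"))
    # Feature-Policy was later renamed Permissions-Policy; accept either spelling.
    if "feature-policy" not in headers and "permissions-policy" not in headers:
        f.append(("Feature-Policy", "low", "missing; browser features unrestricted"))
    if "public-key-pins" in headers:
        f.append(("Public-Key-Pins", "info", "deprecated HPKP header still sent; remove it"))
    return f

if __name__ == "__main__":
    for header, severity, message in audit(parse_headers(SAMPLE_RESPONSE)):
        print(f"[{severity}] {header}: {message}")
```

Running it against a live site means feeding the raw response captured with a tool such as curl into parse_headers; a clean response produces no findings.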
