Hacking incidents keep rising, forcing website owners and developers to adopt stronger mitigations. HTTP security headers are one of the measures site owners use to protect their publicly reachable sites. When properly implemented, these headers help defend a site against clickjacking, cross-site scripting (XSS), drive-by downloads and code injection, among other threats. The OWASP Secure Headers Project exists for exactly this purpose: raising awareness of HTTP security headers, which are too often only brought to light during a website security audit. Every website owner should therefore understand what HTTP security headers are and which ones are most widely used, and, beyond that, how each header mitigates a threat and how it is configured.
An in-depth look at the common HTTP security headers:
Content-Security-Policy (CSP)
By default, a browser trusts every resource a page references, whether style sheets, JavaScript files, fonts or frames, and loads and executes them no matter where they come from. Nothing ties a resource to the site that is supposed to have published it, so if an attacker can inject a script tag or an inline script into a page, the browser runs it with the same trust as the site's own code. Content-Security-Policy addresses this by letting the site declare, per resource type, which sources are approved. A browser that enforces the policy only loads and executes content from those sources and blocks everything else, which mitigates cross-site scripting and other code injection attacks.
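The allowlisting described above, as an added example that is not part of the original article: a small Python evaluator that parses a Content-Security-Policy header, decides whether a given resource URL is permitted for a directive (falling back to default-src the way browsers do), and flags the policy weaknesses an audit looks for first. The policy strings, the page origin and the helper names are constructed for illustration, and the source matching covers the common source expressions only, not the full specification.

```python
"""Evaluate a Content-Security-Policy header (added example, not the article's code)."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent (a subset of the spec).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src", "media-src"}


def parse_csp(header_value):
    """Split 'default-src 'self'; script-src https://cdn.example.com' into directive -> [sources]."""
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if tokens:
            # A repeated directive is ignored, as the spec requires, so setdefault keeps the first.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _source_matches(source, url, page_origin):
    """Does one source expression allow this URL? Covers the common forms, not the full spec."""
    src = source.lower()
    target, origin = urlsplit(url), urlsplit(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if src.startswith("'"):  # 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
        return False
    if src == "*":
        return True
    if src.endswith(":"):  # scheme source such as https: or data:
        return target.scheme == src[:-1]
    if "://" in src:  # host source with an explicit scheme
        scheme, _, rest = src.partition("://")
        if target.scheme != scheme:
            return False
    else:  # bare host: the page's own scheme, or https, is acceptable
        rest = src
        if target.scheme not in (origin.scheme, "https"):
            return False
    host = rest.split("/")[0].split(":")[0]  # drop path and port (port matching is simplified away)
    if target.hostname is None:
        return False
    if host.startswith("*."):  # *.example.com matches a.example.com but not example.com
        return target.hostname.endswith(host[1:])
    return target.hostname == host


def is_allowed(policy, directive, url, page_origin):
    """True if the policy lets `directive` load `url`; absent fetch directives inherit default-src."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing governs this directive, so the browser applies no restriction
    return any(_source_matches(s, url, page_origin) for s in sources)


def weaknesses(policy):
    """Flag the script-related weaknesses an audit looks for first."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive you omit is unrestricted")
    for name in ("default-src", "script-src"):
        srcs = [s.lower() for s in policy.get(name, [])]
        if "'unsafe-inline'" in srcs:
            findings.append(f"{name} allows 'unsafe-inline': injected inline script still runs")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{name} allows 'unsafe-eval': string-to-code sinks stay open")
        if any(s in ("*", "http:", "https:", "data:") for s in srcs):
            findings.append(f"{name} allows script from any host or data: URL")
    return findings


# Constructed sample policies and page origin (hostnames are illustrative, not real sites).
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' https:; object-src 'none'"
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *"
ORIGIN = "https://shop.example"

if __name__ == "__main__":
    parsed = parse_csp(POLICY)
    for directive, url in (("script-src", "https://cdn.example.com/app.js"),
                           ("script-src", "https://evil.example/x.js"),
                           ("font-src", "https://fonts.example/f.woff")):
        verdict = "allowed" if is_allowed(parsed, directive, url, ORIGIN) else "blocked"
        print(f"{directive} {url} -> {verdict}")
    print("weaknesses:", weaknesses(parse_csp(WEAK_POLICY)))
```

Note the font-src case: the sample policy never mentions fonts, yet a font from a third-party host is blocked, because the missing directive inherits default-src 'self'. That fallback is why a policy without default-src is the first thing an auditor flags.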
X-Frame-Options
The X-Frame-Options header tells the browser whether the page may be rendered inside a frame or iframe. That protects against clickjacking, where an attacker loads your site in an invisible frame over a page they control and tricks the user into clicking buttons on it. The header has been supported since Chrome 4.1, IE 8, Opera 10.5, Firefox 3.6.9 and Safari 4. It accepts three values: DENY (never render the page in a frame), SAMEORIGIN (only allow frames from the same origin) and ALLOW-FROM uri (only allow frames from the named origin). ALLOW-FROM was never implemented by Chrome or Safari and has since been dropped by Firefox, so current browsers ignore it; the frame-ancestors directive of Content-Security-Policy is the supported way to allow specific origins.
HTTP Strict Transport Security (HSTS)
Most sites use HTTPS to protect the exchange of user data over the web. The protocol itself is highly effective, but a user who types a bare hostname or follows an http:// link makes a plaintext request first, and an attacker on the path can intercept that request and keep the victim on HTTP, compromising the confidentiality of everything that follows. The Strict-Transport-Security header tells the browser to remember, for max-age seconds, that this host must only be reached over HTTPS: the browser rewrites http:// URLs to https:// before sending them and refuses to proceed past certificate errors, so neither an attacker nor a careless user can downgrade the connection, and eavesdropping is prevented. Because cookies are then never sent in plaintext, HSTS also prevents cookie hijacking over the network. The protection only takes effect after the browser has seen the header once over a valid HTTPS connection, unless the domain is submitted to the browsers' preload list.
X-Content-Type-Options
The X-Content-Type-Options header, with its single value nosniff, improves safety by disabling the MIME sniffing feature of browsers. Sniffing lets a browser guess a response's real type from its content when the declared Content-Type looks wrong, but an attacker can abuse it by uploading a file (an image, say) whose bytes are later interpreted as HTML or JavaScript, turning an upload feature into a cross-site scripting vector. With nosniff the browser trusts the declared Content-Type and refuses to execute scripts or apply style sheets whose MIME type does not match.
X-XSS-Protection
The X-XSS-Protection header controlled the reflected cross-site scripting filter built into older browsers (Internet Explorer, Chrome and Edge); the usual setting was 1; mode=block. It was treated as a stopgap for sites without a CSP in place, but the filter has since been removed from Chrome and Edge and was never implemented in Firefox, and its heuristics could be abused to break legitimate pages or leak information. Current guidance, including OWASP's, is to omit the header or set it to 0 and to rely on Content-Security-Policy instead.
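To check the four headers above (X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options and X-XSS-Protection) the way an audit would, here is an added Python example that is not from the original article: each function inspects one header in a dictionary of response headers and returns a finding, or None when the header is sound. The two header sets at the bottom, one weak and one hardened, are constructed for illustration, and the one-year max-age threshold reflects common deployment guidance rather than anything stated in the article.

```python
"""Audit four HTTP security headers from a response (added example, not the article's code)."""
import re

ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age (assumption, not from the article)


def _lookup(headers, name):
    """Header names are case-insensitive, so normalize before comparing."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_frame_options(headers):
    value = _lookup(headers, "X-Frame-Options")
    if value is None:
        return "X-Frame-Options missing: any site can frame this page (clickjacking)"
    upper = value.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return None
    if upper.startswith("ALLOW-FROM"):
        return "X-Frame-Options ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors"
    return f"X-Frame-Options value {value!r} is invalid; browsers ignore the header"


def check_hsts(headers):
    value = _lookup(headers, "Strict-Transport-Security")
    if value is None:
        return "Strict-Transport-Security missing: later visits can be downgraded to HTTP"
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for directive in directives:
        match = re.fullmatch(r'max-age="?(\d+)"?', directive)
        if match:
            max_age = int(match.group(1))
    if max_age is None:
        return "Strict-Transport-Security has no max-age, so browsers ignore it"
    if max_age < ONE_YEAR:
        return f"HSTS max-age={max_age} is below one year ({ONE_YEAR}); protection lapses quickly"
    if "includesubdomains" not in directives:
        return "HSTS lacks includeSubDomains: subdomains (and cookies scoped to them) stay downgradable"
    return None


def check_content_type_options(headers):
    value = _lookup(headers, "X-Content-Type-Options")
    if value is None or value.lower() != "nosniff":
        return "X-Content-Type-Options is not 'nosniff': browsers may MIME-sniff uploads into script"
    return None


def check_xss_protection(headers):
    value = _lookup(headers, "X-XSS-Protection")
    if value is None or value.startswith("0"):
        return None  # absent or disabled: nothing for the legacy filter to misfire on
    return "X-XSS-Protection is enabled: a removed legacy filter with known side effects; set 0 and use CSP"


def audit(headers):
    """Run every check and return the findings (an empty list means all four headers are sound)."""
    checks = (check_frame_options, check_hsts, check_content_type_options, check_xss_protection)
    return [finding for finding in (check(headers) for check in checks) if finding]


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "strict-transport-security": "max-age=300",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit(headers) or 'no findings'}")
```

The weak set produces four findings even though it sends three of the four headers, which is the point of checking values rather than presence: a header that is present but set to an obsolete or too-short value gives no protection.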
Conclusion
There is no good reason for any website to go without HTTP security headers. They are easy to implement and play an important role in protecting your website and your users' data from attackers. Nevertheless, make sure the headers are set correctly and kept up to date, since a misconfigured or obsolete header gives no protection at all.