Making use of HTTP security headers

When a browser requests a website, it includes a number of headers. These are small instructions from the browser, which the web server interprets before responding. The response includes its own set of headers, which the browser must understand and follow; some of these headers relate strictly to security.

What are the security headers?

There are a number of security headers, but the main three we’ll look at are:

Content Security Policy

The content security policy header tells the browser what types of content can run on the requested webpage and which trusted locations content can be loaded from. Simply put, this prevents JavaScript located on an untrusted domain from running, which helps prevent cross-site scripting. Here’s an example of a content security policy header.

content-security-policy: default-src 'none'; script-src 'self'

X Frame Options

This header is very simple but can be quite effective in protecting the users of a website. In its most basic form, the x-frame-options header tells a browser whether or not it is allowed to render a page in a frame, iframe, embed or object. Here’s an example of how you would prevent the page from being rendered in a frame.

X-Frame-Options: DENY

Strict Transport Security

The strict transport security header tells browsers that the website should only be accessed using HTTPS. It also tells the browser that any future requests should be automatically converted to HTTPS rather than HTTP. Here’s an example of a strict transport security header in operation.

strict-transport-security: max-age=63072000

Enabling security headers on Apache and Nginx

With the ever-growing list of web server software, enabling security headers can often take some research on your part. The two main web servers in use today are Apache and Nginx, so I have included some simple examples of how you could add additional headers to server responses. Please note, we’d highly recommend referring to the official documentation so that you can implement these correctly.

On Apache, enabling security headers is very straightforward: add the required header information to the .htaccess file. Here’s a simple example.

Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security max-age=10886400

Here’s a link for the official Apache documentation: https://httpd.apache.org/docs/2.4/mod/mod_headers.html

As for Nginx, enabling security headers can be a little more of a task, given that you need to add the information to the configuration file, which can usually be found at /etc/nginx/nginx.conf. To add headers to your server responses you would need to add the following lines; ensure you refer to the official documentation for correct implementation.

add_header Strict-Transport-Security "max-age=10886400";
add_header Content-Security-Policy "default-src 'self'";
add_header X-Frame-Options "SAMEORIGIN";

Here’s a link for the official Nginx documentation: http://nginx.org/en/docs/beginners_guide.html
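
After deploying either configuration, it is worth confirming what the server actually sends. The following is an added example, not part of the original article: a Python check that parses a raw response header block and reports problems with the three headers discussed above. The sample responses are constructed, and the function names, finding texts and max-age floor are assumptions of this example.

```python
import re

# Assumed floor: the smaller max-age value used in the article's examples.
MIN_HSTS_MAX_AGE = 10886400

# Constructed sample responses, not captured from a real server.
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: default-src 'none'; script-src 'self'\r\n"
        "X-Frame-Options: DENY\r\n"
        "Strict-Transport-Security: max-age=63072000\r\n")
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: script-src 'self' 'unsafe-inline'\r\n"
        "X-Frame-Options: ALLOWALL\r\n"
        "Strict-Transport-Security: max-age=300\r\n")

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return findings for the three headers covered in the article."""
    h, findings = parse_headers(raw), []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:  # first occurrence of a directive wins
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if "default-src" not in directives:
            findings.append("CSP: no default-src fallback")
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP: scripts allowed inline or from any origin")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("HSTS: header missing")
    elif not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS: max-age absent or below the floor")
    return findings
```

The header output of curl -sI for your own site can be passed to audit() in place of the samples; an empty list means all three headers passed these checks.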

Article written by – arcan3
