What are some common security headers and their purpose?
TL;DR
Security headers are HTTP response headers that help protect web applications from various attacks. Some common security headers include:
Content-Security-Policy (CSP): Prevents cross-site scripting (XSS) and other code injection attacks by specifying allowed content sources.
X-Content-Type-Options: Prevents MIME type sniffing by instructing the browser to follow the declared Content-Type.
Strict-Transport-Security (HSTS): Enforces secure (HTTPS) connections to the server.
X-Frame-Options: Prevents clickjacking by controlling whether a page can be displayed in a frame.
X-XSS-Protection: Enables the cross-site scripting (XSS) filter built into most browsers.
Referrer-Policy: Controls how much referrer information is included with requests.
Common security headers and their purpose
Content-Security-Policy (CSP)
The Content-Security-Policy header helps prevent cross-site scripting (XSS) and other code injection attacks by specifying which content sources are allowed to be loaded on the web page. For example:
Content-Security-Policy: default-src 'self'; img-src 'self' https://example.com; script-src 'self' 'unsafe-inline'
This policy allows content to be loaded only from the same origin ('self'), images from the same origin or https://example.com, and scripts from the same origin or inline scripts.
X-Content-Type-Options
The X-Content-Type-Options header prevents MIME type sniffing by instructing the browser to follow the declared Content-Type. This helps mitigate attacks based on content type misinterpretation. The most common value is nosniff:
X-Content-Type-Options: nosniff
Strict-Transport-Security (HSTS)
The Strict-Transport-Security header enforces secure (HTTPS) connections to the server. It instructs the browser to only interact with the site using HTTPS, even if the user attempts to access it via HTTP. For example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This policy tells the browser to enforce HTTPS for one year (max-age=31536000), including all subdomains (includeSubDomains), and allows the site to be included in browsers' HSTS preload lists (preload).
X-Frame-Options
The X-Frame-Options header prevents clickjacking by controlling whether a page can be displayed in a frame. Common values are DENY and SAMEORIGIN:
X-Frame-Options: DENY
This policy prevents the page from being displayed in a frame, iframe, or object.
X-XSS-Protection
The X-XSS-Protection header enables the cross-site scripting (XSS) filter built into most browsers. It can block pages or sanitize scripts that appear to be malicious. For example:
X-XSS-Protection: 1; mode=block
This policy enables the XSS filter and instructs the browser to block the page if an attack is detected.
Referrer-Policy
The Referrer-Policy header controls how much referrer information is included with requests. It helps protect user privacy and can prevent information leakage. Common values include no-referrer, no-referrer-when-downgrade, and strict-origin-when-cross-origin:
Referrer-Policy: no-referrer
This policy ensures that no referrer information is sent with requests.
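As an added example (not part of the original answer), the following Python script audits a dict of response headers against the headers described above: it reports which of them are missing and flags weak values, such as a CSP whose script-src contains 'unsafe-inline' or an HSTS max-age shorter than the one-year value used in the example. The header names, thresholds and sample headers are assumptions chosen for this illustration; X-XSS-Protection is deliberately left out of the required set because current browsers no longer implement that filter.

```python
# Added example (not from the original page): audit a dict of HTTP response
# headers for the security headers discussed above and report what is weak.
import re

REQUIRED = ("content-security-policy", "x-content-type-options",
            "strict-transport-security", "x-frame-options", "referrer-policy")
ONE_YEAR = 31536000  # the max-age the page's HSTS example uses

def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when absent, as CSP specifies
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("weak: CSP allows inline scripts ('unsafe-inline')")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not 'nosniff'")
    if "strict-transport-security" in h:
        m = re.search(r"max-age=(\d+)", h["strict-transport-security"])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("weak: HSTS max-age is shorter than one year")
    xfo = h.get("x-frame-options", "DENY").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    return findings

# Constructed sample response headers, as a misconfigured server might send them.
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

Running it against SAMPLE reports the missing Referrer-Policy, the inline-script allowance in the CSP, and the one-day HSTS max-age.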