Quiz Questions

What are some common security headers and their purpose?

Topics
JAVASCRIPTSECURITY
Edit on GitHub

TL;DR

Security headers are HTTP response headers that help protect web applications from various attacks. Some common security headers include:

  • Content-Security-Policy (CSP): Prevents cross-site scripting (XSS) and other code injection attacks by specifying allowed content sources.
  • X-Content-Type-Options: Prevents MIME type sniffing by instructing the browser to follow the declared Content-Type.
  • Strict-Transport-Security (HSTS): Enforces secure (HTTPS) connections to the server.
  • X-Frame-Options: Prevents clickjacking by controlling whether a page can be displayed in a frame.
  • X-XSS-Protection: Enables the cross-site scripting (XSS) filter built into most browsers.
  • Referrer-Policy: Controls how much referrer information is included with requests.

Common security headers and their purpose

Content-Security-Policy (CSP)

The Content-Security-Policy header helps prevent cross-site scripting (XSS) and other code injection attacks by specifying which content sources are allowed to be loaded on the web page. For example:

Content-Security-Policy: default-src 'self'; img-src 'self' https://example.com; script-src 'self' 'unsafe-inline'

This policy allows content to be loaded only from the same origin ('self'), images from the same origin or https://example.com, and scripts from the same origin or inline scripts.

X-Content-Type-Options

The X-Content-Type-Options header prevents MIME type sniffing by instructing the browser to follow the declared Content-Type. This helps mitigate attacks based on content type misinterpretation. The most common value is nosniff:

X-Content-Type-Options: nosniff

Strict-Transport-Security (HSTS)

The Strict-Transport-Security header enforces secure (HTTPS) connections to the server. It instructs the browser to only interact with the site using HTTPS, even if the user attempts to access it via HTTP. For example:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This policy tells the browser to enforce HTTPS for one year (max-age=31536000), including all subdomains (includeSubDomains), and allows the site to be included in browsers' HSTS preload lists (preload).

X-Frame-Options

The X-Frame-Options header prevents clickjacking by controlling whether a page can be displayed in a frame. Common values are DENY and SAMEORIGIN:

X-Frame-Options: DENY

This policy prevents the page from being displayed in a frame, iframe, or object.

X-XSS-Protection

The X-XSS-Protection header enables the cross-site scripting (XSS) filter built into most browsers. It can block pages or sanitize scripts that appear to be malicious. For example:

X-XSS-Protection: 1; mode=block

This policy enables the XSS filter and instructs the browser to block the page if an attack is detected.

Referrer-Policy

The Referrer-Policy header controls how much referrer information is included with requests. It helps protect user privacy and can prevent information leakage. Common values include no-referrer, no-referrer-when-downgrade, and strict-origin-when-cross-origin:

Referrer-Policy: no-referrer

This policy ensures that no referrer information is sent with requests.

Further reading

Edit on GitHub