
A Guide to HTTP Security Headers

What Are HTTP Security Headers?

HTTP Security Headers establish rules for browsers that connect to a web page. Following best practices for HTTP Security Headers provides a more secure browsing experience for your users and your website. Modifying these headers can affect the functionality of your website, so ensure that all changes are tested before moving them to production. While many headers have straightforward recommended values, several (Content-Security-Policy and Feature-Policy) must be configured specifically for your website.

Types of HTTP Security Headers:

Content-Security-Policy

Restricts loading of resources (e.g. JavaScript) from untrusted sources. This control helps defend against some web-based attacks.
  • Recommended Value: Example value (note that this must be customized to the script sources that will be allowed to run on your website)

    • default-src 'self' allowedsite1.com allowedsite2.com allowedsite3.com;

    • Information on additional configuration options is available here.

X-Permitted-Cross-Domain-Policies

Restricts the loading of resources from domains other than your website's.
  • Recommended Value: none

Clear-Site-Data

Clears browsing data.
  • Recommended Value: "cache","cookies","storage"

Cross-Origin-Embedder-Policy

Prevents some web-based attacks.
  • Recommended Value: require-corp

Cross-Origin-Opener-Policy

Prevents some web-based attacks.
  • Recommended Value: same-origin

Cross-Origin-Resource-Policy

Prevents some web-based attacks.
  • Recommended Value: same-origin

Cache-Control

Prevents information disclosure through browser cache.
  • Recommended Value: no-store, max-age=0

Strict-Transport-Security

Enforces connections over encrypted channels.
  • Recommended Value: max-age=31536000; includeSubDomains

X-Frame-Options

Prevents some web-based attacks.
  • Recommended Value: deny

Expect-CT

Improves likelihood of trusted connections.
  • Recommended Value: Note that this security header was deprecated in June 2021 and is being phased out. The following is an example configuration that could be used (be sure to modify the report-uri):

    • Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

X-Content-Type-Options

Prevents some web-based attacks.
  • Recommended Value: nosniff

Feature-Policy

Details what features (e.g. webcam / microphone) should be enabled or disabled for a website.
  • Recommended Value: Note that this security header is in the process of being deprecated and will be split into Permissions-Policy and Document-Policy. Refer to this link for the features that are present in your website and explicitly allow them. Alternatively, select the features that should not be allowed.

    • Feature-Policy: <feature> <allow list origin(s)>

Referrer-Policy

Omits referrer information from HTTP requests. This prevents other websites from seeing that users visited them from your website.
  • Recommended Value: no-referrer
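The recommended values above, checked against the headers of a response, as an added example that is not code from the original article. The sample headers are constructed; Clear-Site-Data, Expect-CT and Feature-Policy are left out because they are situational or being deprecated.

```python
# Added example: compare a response's headers with the values recommended above.
# Content-Security-Policy is site-specific, so only its presence is checked.
RECOMMENDED = {
    "Content-Security-Policy": None,
    "X-Permitted-Cross-Domain-Policies": "none",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cache-Control": "no-store, max-age=0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

def _normalize(value: str) -> str:
    # Directive values are case-insensitive and order-independent for these
    # headers; collapse whitespace so "a ; b" compares equal to "b; a".
    parts = [p.strip() for p in value.lower().replace(";", ",").split(",")]
    return ", ".join(sorted(p for p in parts if p))

def check_headers(headers: dict) -> dict:
    """Return {header: 'ok' | 'missing' | 'weak: <actual value>'} for each
    recommended header. Header names are matched case-insensitively."""
    present = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, want in RECOMMENDED.items():
        got = present.get(name.lower())
        if got is None:
            report[name] = "missing"
        elif want is None or _normalize(got) == _normalize(want):
            report[name] = "ok"
        else:
            report[name] = f"weak: {got}"
    return report

# Constructed sample response: some headers correct, HSTS without
# includeSubDomains, X-Frame-Options weaker than recommended, the rest absent.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self' allowedsite1.com",
    "Strict-Transport-Security": "max-age=31536000",
    "x-content-type-options": "NOSNIFF",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for header, status in check_headers(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{header:35} {status}")
```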

Sources

https://owasp.org/www-project-secure-headers

https://content-security-policy.com/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
