In a previous post, I told you about the importance of using HTTPS instead of HTTP. Today I will look at some of the functionality that HTTPS adds in the form of security headers.
Recap on headers
Remember that HTTP and HTTPS are request-response protocols. The user agent (usually a browser) sends a request to the web server. The server sends back a response to the user agent. The HTTP and HTTPS protocols control this request-response communication.
In addition to the actual content, these protocols use headers to pass extra information between the client and the server. There are different kinds of headers:
- General headers apply to both requests and responses.
- Request headers are sent from the user agent to the server.
- Response headers are sent from the server to the user agent.
- Entity headers provide information about the body of the resource, such as its MIME type.
Security headers
Security headers are response headers. They tell the user agent to enable or disable certain security features.
Remember that, like other web technologies, security headers depend on browser support. Some browsers may not support the security feature, and will ignore the instruction.
Security headers are your first line of defence. They are a fundamental part of website security, because they prevent unsafe behaviour.
Two of the most important security headers are:
- HTTP
Strict-Transport-Security
(HSTS). This enforces the use of encrypted HTTPS instead of HTTP. Content-Security-Policy
(CSP). This is the Swiss army knife of security headers. It controls what resources the user agent is allowed to load.
There are also other useful security headers:
X-Frame-Options
(XFO). This controls if a browser is allowed to render a page inside an object like a frames.X-XSS-Protection
. This is a filter for Internet Explorer, to prevent cross-site scripting. Chrome and Safari already have this functionality built into the browser.X-Content-Type-Options
. This prevents MIME sniffing.Expect-CT
. This prevents the use of mis-issued certificates.Referrer-Policy
. This controls what information the browser includes when the user navigates away from a document. It provides additional privacy for users.Feature-Policy
. This is still experimental. It controls the use of features, such as access to the camera or microphone.
How do you set security headers?
There are different ways to set security headers.
The preferred way is to set the security headers as part of the configuration of the web server software. This allows you to configure the headers in one place, and ensure they are set across the entire site. If you are running an Apache web server, for example, you can set them in the .htaccess
file.
If you don't have control over the web server as a whole, you can still control the headers in your web application. How you do this will depend on the technology you use.
Test your site
A good place to start is by checking the current status of your site.
Go to SecurityHeaders.com and type in the URL of the site. The application checks the security headers and rates your site from A+ to F.
If you are interested in a gentle introduction to web application security, subscribe for our weekly Security Spotlight series.