Categories
Security HTTP Headers
Last few years a bunch of new HTTP headers were added to the web platform. The purpose of this blog post is to discuss the most critical headers from a security perspective.
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Strict-Transport-Security
- Content-Security-Policy
- Access-Control-Allow-Origin
- Public-Key-Pins
- Referrer-Policy
- Expect-CT
- Feature-Policy
- Permissions-Policy
- Clear-Site-Data
- Cross-Origin-Resource-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
X-Frame-Options
This http header helps avoiding clickjacking attacks. Browser support is as follow: IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Posible values are:
- deny
- browser refuses to display requested document in a frame
- sameorigin
- browser refuses to display requested document in a frame, in case that origin does not match
- allow-from: DOMAIN
- browser displays requested document in a frame only if it loaded from DOMAIN
// Raw header X-Frame-Options: sameorigin // How to send the response header with PHP header("X-Frame-Options: sameorigin"); // How to send the response header with Apache (.htaccess) <IfModule mod_headers.c> Header set X-Frame-Options "sameorigin" </IfModule> // How to send the response header with Express.js app.use(function(req, res, next) { res.header("X-Frame-Options", "sameorigin"); next(); });

Note: The Content-Security-Policy
HTTP header has a frame-ancestors
directive which obsoletes this header for supporting browsers.
X-XSS-Protection
Use this header to enable browser built-in XSS Filter. It prevent cross-site scripting attacks. X-XSS-Protection header is supported by IE 8+, Opera, Chrome, and Safari. Available directives:
- 0
- disables the XSS Filter
- 1
- enables the XSS Filter. If a cross-site scripting attack is detected, in order to stop the attack, the browser will sanitize the page.
- 1; mode=block
- enables the XSS Filter. Rather than sanitize the page, when a XSS attack is detected, the browser will prevent rendering of the page.
- 1; report=<reporting-URI>
- enables the XSS Filter. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation.
// Raw header X-XSS-Protection: 1; mode=block // How to send the response header with PHP header("X-XSS-Protection: 1; mode=block"); // How to send the response header with Apache (.htaccess) <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule> // How to send the response header with Express.js app.use(function(req, res, next) { res.header("X-XSS-Protection", "1; mode=block"); next(); });
X-Content-Type-Options
This http header is supported by IE and Chrome, and prevents attacks based on
MIME-type mismatch. The only possible value is nosniff
. If your
server returns X-Content-Type-Options: nosniff in
the response, the browser will refuse to load the styles and scripts in case
they have an incorrect MIME-type. The list with available MIME-types for styles
and scripts is as follow:
- Styles
-
- text/css
- Scripts
-
- application/ecmascript
- application/javascript
- application/x-javascript
- text/ecmascript
- text/javascript
- text/jscript
- text/x-javascript
- text/vbs
- text/vbscript
// Raw header X-Content-Type-Options: nosniff // How to send the response header with PHP header("X-Content-Type-Options: nosniff"); // How to send the response header with Apache (.htaccess) <IfModule mod_headers.c> Header set X-Content-Type-Options "nosniff" </IfModule> // How to send the response header with Express.js app.use(function(req, res, next) { res.header("X-Content-Type-Options", "nosniff"); next(); });
So if you try to load for example a HTML document as external script resource
(the src
attribute of HTMLScriptElement), the browser will refuse it.

Strict-Transport-Security
To take advantage of this security header, the current webpage must be accessed over HTTPS. In this case the Strict-Transport-Security header force secure connections to the server. This prevents losing session data stored in cookies. Also prevents users to access website in case the server's TLS certificate is not trusted. Browser support: IE 11+, Chrome 4+, Firefox 4+, Opera 12+, Safari 7+. Accepts following directives:
- max-age
- Required. The number of seconds that browser should force the connection over HTTPS.
- includeSubDomains
- Optional. If present, tells to the browser that the policy applies to current host and to all host's subdomains.
- preload
- Optional. Not part of the specification.
// Raw header Strict-Transport-Security: max-age=31536000 // or Strict-Transport-Security: max-age=31536000; includeSubDomains // How to send the response header with PHP header("Strict-Transport-Security: max-age=31536000"); // How to send the response header with Apache (.htaccess) <IfModule mod_headers.c> Header set Strict-Transport-Security "max-age=31536000" </IfModule> // How to send the response header with Express.js app.use(function(req, res, next) { res.header("Strict-Transport-Security", "max-age=31536000"); next(); });
Content-Security-Policy
This header could affect your website in many ways, so be careful when using it. The configuration below allows loading scripts, XMLHttpRequest (AJAX), images and styles from same domain and nothing else. Browser support: Edge 12+, Firefox 4+, Chrome 14+, Safari 6+, Opera 15+
Few notes: IE 10 and 11 supports CSP through the X-Content-Security-Policy header; Safari 5.1 supported through the X-Webkit-CSP header.
// Raw header Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; // How to send the response header with PHP header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"); // How to send the response header with Apache (.htaccess) <IfModule mod_headers.c> Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" </IfModule> // How to send the response header with Express.js app.use(function(req, res, next) { res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"); next(); });
Access-Control-Allow-Origin
The Access-Control-Allow-Origin is part of the cross-origin resource sharing specification which we discussed recently.
Public-Key-Pins
The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent man-in-the-middle attacks with forged certificates. Currently, the HPKP header is deprecated and its support was removed.
Referrer-Policy
Controls the value of Referer header sent with the additional requests for resources from a web page.
Firefox 36+ and Opera 15+ had a full support of the specification.
Edge 12+ and Safari 7.1+ supports the older draft of the spec with never
, always
, origin
and default
values.
Chrome 21+ does not support same-origin
, strict-origin
and strict-origin-when-cross-origin
values.
Valid values are as follow:
- ""
- An empty string is considered to no referrer policy, i.e. referrer fallbacks to policy defined elsewhere.
- no-referrer
- Means that no referrer information is sent along the requests.
- no-referrer-when-downgrade
- The referrer is sent to requests with better or same security (HTTP to HTTPS, HTTPS to HTTPS, HTTP to HTTP), but not less (HTTPS to HTTP). This is the default policy.
- same-origin
- The referrer header is sent only to same-origin requests. A request is with same-origin when the URL scheme, hostname and port of the source and destination matches.
- origin
- Browsers will always send the referrer header, but it will contain only the origin. The pathname and query string will be stripped-off.
- strict-origin
- The referrer header consists of only the origin and is sent to requests with better or same but not less security.
- origin-when-cross-origin
- The referrer is always sent, but contain only the origin if a request is cross-origin. Otherwise, the full URL is sent.
- strict-origin-when-cross-origin
- Browsers send only the origin as a referrer to cross-origin requests and the full URL to those with same-origin, but no referrer is sent to less secure destinations.
- unsafe-url
- A full URL, without parameters, is sent along both the same-origin and cross-origin requests.
// Raw header Referrer-Policy: origin-when-cross-origin // PHP header("Referrer-Policy: origin-when-cross-origin"); // Apache <IfModule mod_headers.c> Header set Referrer-Policy "origin-when-cross-origin" </IfModule> // nginx add_header Referrer-Policy "origin-when-cross-origin" // Express.js app.use(function(req, res, next) { res.header("Referrer-Policy", "origin-when-cross-origin"); next(); });
Expect-CT
Certificate Transparency policy means that user-agents, e.g. browsers should block an access
to a website with a certificate that is not registered in public CT logs (after October 2017).
Omitting the enforce
directive will make it work only in report-only mode. In the
other side, the report-uri
directive is meaningless when used together with the
enforce
directive.
- max-age
- The time, in seconds, that the user-agent should regard the host received as an Expect-CT Host.
- report-uri
- An optional directive that indicates the URI to which the user-agent should report Expect-CT failures.
- enforce
- An optional, valueless directive that, if present, signals to the user-agent to block future requests that violate the CT policy.
// Raw header Expect-CT: max-age=7776000, enforce, report-uri="http://domain.com/ct-report" // PHP header("Expect-CT: max-age=7776000, enforce"); // Apache <IfModule mod_headers.c> Header set Expect-CT "max-age=7776000, enforce" </IfModule> // nginx add_header Expect-CT "max-age=7776000, enforce" // Express.js app.use(function(req, res, next) { res.header("Expect-CT", "max-age=7776000, enforce"); next(); });
Feature-Policy
The Feature-Policy header gives a site owners an opportunity to enable and disable specific browser features and APIs. This is a list of currently supported features:
- accelerometer
- ambient-light-sensor
- autoplay
- camera
- cookie
- docwrite
- domain
- encrypted-media
- fullscreen
- geolocation
- gyroscope
- magnetometer
- microphone
- midi
- payment
- picture-in-picture
- speaker
- sync-script
- sync-xhr
- unsized-media
- usb
- vertical-scroll
- vibrate
- vr
NB » Recently, this header was renamed to Permissions-Policy in the spec.
To control the origins use the following values:
- *
- Any origin have an access to this feature.
- 'self'
- Only the same-origin have an access to this feature. This is the default behavior.
- 'none'
- None origin have an access to this feature.
- <origin(s)>
- Only the specified origins have an access to this feature.
Feature-Policy: camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://example.com
Permissions-Policy
This specification used to be named Feature Policy. This is a list of currently policy-controlled features:
- accelerometer
- ambient-light-sensor
- autoplay
- battery
- camera
- cross-origin-isolated
- display-capture
- document-domain
- encrypted-media
- execution-while-not-rendered
- execution-while-out-of-viewport
- fullscreen
- geolocation
- gyroscope
- magnetometer
- microphone
- midi
- navigation-override
- payment
- picture-in-picture
- publickey-credentials-get
- screen-wake-lock
- sync-script
- sync-xhr
- usb
- vertical-scroll
- web-share
- xr-spatial-tracking
Permissions-Policy: camera=(), fullscreen=self, geolocation=*, microphone=(self "https://example.com")
Clear-Site-Data
The Clear-Site-Data header clears browser data for requested origin. The following directives are supported:
- "*" (wildcard)
- clear all types of data
- "cache"
- clears browser cache
- "cookies"
- clear all browser cookies on entire domain, including subdomains
- "storage"
- clear all DOM storage, including localStorage, sessionStorage, IndexedDB, AppCache, WebSQL, Server Workers
- "executionContexts"
- reload all browsing contexts
Clear-Site-Data: "cache", "cookies", "storage"
Cross-Origin-Resource-Policy
The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource. Supported directives are:
- same-site
- same-origin
- cross-origin
Cross-Origin-Resource-Policy: same-site
Cross-Origin-Embedder-Policy
The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS). Supported directives are:
- unsafe-none
- This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.
- require-corp
- A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. Supported directives are:
- unsafe-none
- This is the default value. Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of
same-origin
orsame-origin-allow-popups
. - same-origin-allow-popups
- Retains references to newly opened windows or tabs which either don't set COOP or which opt out of isolation by setting a COOP of
unsafe-none
. - same-origin
- Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.
Cross-Origin-Opener-Policy: same-origin
Big players as Google+, Facebook, Twitter, LinkedIn use the above HTTP headers as an additional layer on a defence of their architecture. So it's strongly recommended the use of security HTTP headers to make your website safer and resist of attacks. Do you want to know how secure is your website? Let's find out with a quick scan of your server response using our Headers Inspector tool.
Thanks so much for reading! If you have questions about HTTP security please drop a comment below. Don't forget to share too.
Subscribe to our newsletter
Join our mailing list and stay tuned! Never miss out news about Zino UI, new releases, or even blog post.
0 Comments
Comments are closed