Security HTTP Headers

Last few years a bunch of new HTTP headers were added to the web platform. The purpose of this blog post is to discuss the most critical headers from a security perspective.

• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Strict-Transport-Security
• Content-Security-Policy
• Access-Control-Allow-Origin
• Public-Key-Pins
• Referrer-Policy
• Expect-CT
• Feature-Policy
• Clear-Site-Data

X-Frame-Options

This http header helps avoiding clickjacking attacks. Browser support is as follow: IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Posible values are:

deny

browser refuses to display requested document in a frame

sameorigin

browser refuses to display requested document in a frame, in case that origin does not match

allow-from: DOMAIN

browser displays requested document in a frame only if it loaded from DOMAIN

// Raw header
X-Frame-Options: sameorigin

// How to send the response header with PHP
header("X-Frame-Options: sameorigin");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Frame-Options", "sameorigin");
    next();
});

X-XSS-Protection

Use this header to enable browser built-in XSS Filter. It prevent cross-site scripting attacks. X-XSS-Protection header is supported by IE 8+, Opera, Chrome, and Safari. Available directives:

0

disables the XSS Filter

1

enables the XSS Filter. If a cross-site scripting attack is detected, in order to stop the attack, the browser will sanitize the page.

1; mode=block

enables the XSS Filter. Rather than sanitize the page, when a XSS attack is detected, the browser will prevent rendering of the page.

1; report=<reporting-URI>

enables the XSS Filter. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation.

// Raw header
X-XSS-Protection: 1; mode=block

// How to send the response header with PHP
header("X-XSS-Protection: 1; mode=block");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-XSS-Protection", "1; mode=block");
    next();
});

X-Content-Type-Options

This http header is supported by IE and Chrome, and prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type. The list with available MIME-types for styles and scripts is as follow:

Styles

• text/css

Scripts

• application/ecmascript
• application/javascript
• application/x-javascript
• text/ecmascript
• text/javascript
• text/jscript
• text/x-javascript
• text/vbs
• text/vbscript

// Raw header
X-Content-Type-Options: nosniff

// How to send the response header with PHP
header("X-Content-Type-Options: nosniff");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Content-Type-Options", "nosniff");
    next();
});

So if you try to load for example a HTML document as external script resource (the src attribute of HTMLScriptElement), the browser will refuse it.

Strict-Transport-Security

To take advantage of this security header, the current webpage must be accessed over HTTPS. In this case the Strict-Transport-Security header force secure connections to the server. This prevents losing session data stored in cookies. Also prevents users to access website in case the server's TLS certificate is not trusted. Browser support: IE 11+, Chrome 4+, Firefox 4+, Opera 12+, Safari 7+. Accepts following directives:

max-age

Required. The number of seconds that browser should force the connection over HTTPS.

includeSubDomains

Optional. If present, tells to the browser that the policy applies to current host and to all host's subdomains.

preload

Optional. Not part of the specification.

// Raw header
Strict-Transport-Security: max-age=31536000
// or
Strict-Transport-Security: max-age=31536000; includeSubDomains

// How to send the response header with PHP
header("Strict-Transport-Security: max-age=31536000");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Strict-Transport-Security", "max-age=31536000");
    next();
});

Content-Security-Policy

This header could affect your website in many ways, so be careful when using it. The configuration below allows loading scripts, XMLHttpRequest (AJAX), images and styles from same domain and nothing else. Browser support: Edge 12+, Firefox 4+, Chrome 14+, Safari 6+, Opera 15+

Few notes: IE 10 and 11 supports CSP through the X-Content-Security-Policy header; Safari 5.1 supported through the X-Webkit-CSP header.

// Raw header
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

// How to send the response header with PHP
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");

// How to send the response header with Apache (.htaccess)
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    next();
});

Access-Control-Allow-Origin

The Access-Control-Allow-Origin is part of the cross-origin resource sharing specification which we discussed recently.

Public-Key-Pins

The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent man-in-the-middle attacks with forged certificates. Available directives are:

pin-sha256

A Base64 encoded Subject Public Key Information (SPKI) fingerprint.

max-age

The time, in seconds, that the user-agent should remember the host as a Known Pinned Host.

includeSubDomains

An optional directive that signals to the user-agent that the Pinning Policy applies to this Pinned Host as well as any subdomains of the host's domain name.

report-uri

An optional directive that indicates the URI to which the user-agent should report Pin Validation failures.

// Raw
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://example.net/pkp-report"

// PHP
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://example.net/pkp-report"');

// Apache
<IfModule mod_headers.c>
    Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://example.net/pkp-report\""
</IfModule>

// nginx
add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";

// Express.js
app.use(function(req, res, next) {
    res.header("Public-Key-Pins", 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains');
    next();
});

Referrer-Policy

Controls the value of Referer header sent with the additional requests for resources from a web page. Firefox 36+ and Opera 15+ had a full support of the specification. Edge 12+ and Safari 7.1+ supports the older draft of the spec with never, always, origin and default values. Chrome 21+ does not support same-origin, strict-origin and strict-origin-when-cross-origin values. Valid values are as follow:

""

An empty string is considered to no referrer policy, i.e. referrer fallbacks to policy defined elsewhere.

no-referrer

Means that no referrer information is sent along the requests.

no-referrer-when-downgrade

The referrer is sent to requests with better or same security (HTTP to HTTPS, HTTPS to HTTPS, HTTP to HTTP), but not less (HTTPS to HTTP). This is the default policy.

same-origin

The referrer header is sent only to same-origin requests. A request is with same-origin when the URL scheme, hostname and port of the source and destination matches.

origin

Browsers will always send the referrer header, but it will contain only the origin. The pathname and query string will be stripped-off.

strict-origin

The referrer header consists of only the origin and is sent to requests with better or same but not less security.

origin-when-cross-origin

The referrer is always sent, but contain only the origin if a request is cross-origin. Otherwise, the full URL is sent.

strict-origin-when-cross-origin

Browsers send only the origin as a referrer to cross-origin requests and the full URL to those with same-origin, but no referrer is sent to less secure destinations.

unsafe-url

A full URL, without parameters, is sent along both the same-origin and cross-origin requests.

// Raw header
Referrer-Policy: origin-when-cross-origin

// PHP
header("Referrer-Policy: origin-when-cross-origin");

// Apache
<IfModule mod_headers.c>
    Header set Referrer-Policy "origin-when-cross-origin"
</IfModule>

// nginx
add_header Referrer-Policy "origin-when-cross-origin"

// Express.js
app.use(function(req, res, next) {
    res.header("Referrer-Policy", "origin-when-cross-origin");
    next();
});

Expect-CT

Certificate Transparency policy means that user-agents, e.g. browsers should block an access to a website with a certificate that is not registered in public CT logs (after October 2017). Omitting the enforce directive will make it work only in report-only mode. In the other side, the report-uri directive is meaningless when used together with the enforce directive.

max-age

The time, in seconds, that the user-agent should regard the host received as an Expect-CT Host.

report-uri

An optional directive that indicates the URI to which the user-agent should report Expect-CT failures.

enforce

An optional, valueless directive that, if present, signals to the user-agent to block future requests that violate the CT policy.

// Raw header
Expect-CT: max-age=7776000, enforce, report-uri="http://domain.com/ct-report"

// PHP
header("Expect-CT: max-age=7776000, enforce");

// Apache
<IfModule mod_headers.c>
    Header set Expect-CT "max-age=7776000, enforce"
</IfModule>

// nginx
add_header Expect-CT "max-age=7776000, enforce"

// Express.js
app.use(function(req, res, next) {
    res.header("Expect-CT", "max-age=7776000, enforce");
    next();
});

Feature-Policy

The Feature-Policy header gives a site owners an opportunity to enable and disable specific browser features and APIs. This is a list of currently supported features:

• accelerometer
• ambient-light-sensor
• autoplay
• camera
• cookie
• docwrite
• domain
• encrypted-media
• fullscreen
• geolocation
• gyroscope
• magnetometer
• microphone
• midi
• payment
• picture-in-picture
• speaker
• sync-script
• sync-xhr
• unsized-media
• usb
• vertical-scroll
• vibrate
• vr

To control the origins use the following values:

*

Any origin have an access to this feature.

'self'

Only the same-origin have an access to this feature. This is the default behavior.

'none'

None origin have an access to this feature.

<origin(s)>

Only the specified origins have an access to this feature.

Feature-Policy: camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://example.com

Clear-Site-Data

The Clear-Site-Data header clears browser data for requested origin. The following directives are supported:

"*" (wildcard)

clear all types of data

"cache"

clears browser cache

"cookies"

clear all browser cookies on entire domain, including subdomains

"storage"

clear all DOM storage, including localStorage, sessionStorage, IndexedDB, AppCache, WebSQL, Server Workers

"executionContexts"

reload all browsing contexts

Clear-Site-Data: "cache", "cookies", "storage"

Big players as Google+, Facebook, Twitter, LinkedIn use the above HTTP headers as an additional layer on a defence of their architecture. So it's strongly recommended the use of security HTTP headers to make your website safer and resist of attacks.

HTTP Headers for Wordpress

Make your website more secure by using the HTTP Headers for Wordpress, and never face a cross-origin issue again. Oh yes, it's FREE.

Download HTTP Headers v1.11.0

• HTTP Caching Headers
• AJAX and HTTP Basic Auth
• Cross-Origin Resource Sharing
• jQuery AJAX Headers

• OWASP
• Content Security Policy Reference

Thanks so much for reading! If you have questions about HTTP security please drop a comment below. Don't forget to share too.