
HTTP Security Headers – 5 Must Have Headers To Boost Your Website Security

HTTP security headers are a fundamental part of website security and should be of top priority to everyone who publishes anything on the internet. Once the headers have been implemented, they protect your website from the most common types of attack. These are XSS, code injection and click-jacking attacks (amongst others). The sad truth is, security headers are often overlooked in website audits and it’s a big oversight. This involves the security of your site visitors and your customers… how would you feel if the situation were reversed? It could be really damaging to your Brand if things go south. But the good news is, security headers are relatively simple to configure and will provide another layer of protection to help keep your website, and its visitors, safe.  

HTTP Security Headers make your website safer for everyone.


We encourage you to check your website free of charge right now by visiting Security Headers. They will grade your website from A+ to F. Prepare yourself, you might be in for a shock. This is a fast way of gauging how skilled your website developer is and how secure your web server and website platform are, all at the same time. Why not type in your web developer's or marketing agency's domain name and see how well protected they are too? For reference, here is ours:

[Image: our website's Security Headers report]


Here are the headers from our website, granted just an extract, but enough to see what they look like in action. Any modern web browser can reveal these by simply inspecting the page code and viewing the network information.

[Image: extract of the HTTP security headers sent by viewfule.com]

So, now you’ve seen your website’s grade and where the headers live. It’s time to discover what they are, why they matter and how to add them. Here are five HTTP security headers that you should consider implementing on your website ASAP. There are many more headers, but these cover the basics. Please note, each one needs to be tailored specifically to your website and should not be copied and pasted from our examples. So we encourage you to reach out to your website developer for them to be safely implemented – or just ask us.


  1. HTTP Strict Transport Security (HSTS)

  2. Content Security Policy (CSP)

  3. X-Content-Type-Options

  4. X-Frame-Options

  5. Permissions-Policy


HTTP Strict Transport Security (HSTS)

The HTTP Strict Transport Security (HSTS) header tells the web browser that the entire website should only be accessed over the secure HTTPS protocol. Most websites only implement a 301 redirect from HTTP to HTTPS, which simply isn’t secure enough on its own: the initial plain-HTTP request is very easy to intercept with what’s called a ‘man in the middle’ attack. HSTS totally prevents this and forces HTTPS every time and for every session. This ensures the connection cannot be established over an insecure HTTP connection that could be susceptible to attacks. All modern web browsers support HTTP Strict Transport Security except for Internet Explorer and some lesser-used browsers, so it is highly effective and widely compatible.

Here is an example of what the header looks like. You can include the max age, subdomains, and preload:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content Security Policy (CSP)

A content security policy (CSP) helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks. It achieves this by defining content sources that are ‘approved’ and by doing so, allowing the browser to load them. All modern browsers currently offer full or partial support for content security policy and it won’t impact the delivery of the content if it’s loaded on an older web browser, it will simply not execute it.

There are many directives that you can use with Content-Security-Policy. The example below allows scripts from both the current domain which is defined by ‘self’ as well as AnaTrix the VIEWFULE Analytics Suite:

  • Content-Security-Policy: script-src 'self' https://www.analytics.viewfule.com

 

X-Content-Type-Options

The X-Content-Type-Options header prevents the web browser from ‘sniffing’ a response away from the declared Content-Type. This helps reduce the danger of drive-by downloads and helps serve the content the way you intended. Sniffing allows the browser to figure out what an element is (an image, text, etc.) and then render that element. Hackers, however, will try to trick the web browser into thinking that a harmful JavaScript file is actually an image (for example), allowing the browser to download the file and then subsequently execute it.

This is bad news for a site visitor, as it can lead to a ‘drive by download attack’. This is when there is an unintentional download of malicious code to your computer or mobile device that leaves you open to a cyber-attack.

Here is an example of what the header looks like with a simple directive:

  • X-Content-Type-Options: nosniff

X-Frame-Options

The X-Frame-Options security header helps stop clickjacking attacks. Clickjacking is when a site visitor is tricked into clicking on a link or button (amongst others) which doesn’t do what they believed it would. This can be used, for example, to steal login credentials or to obtain the user’s permission, completely without their knowledge, to install a piece of malware. Thankfully this problem is very easy to address with this security header, and it is compatible with all web browsers since Internet Explorer 8.

Here is an example of what the header looks like with a simple directive:

  • X-Frame-Options: SAMEORIGIN

Permissions-Policy

Permissions Policy is a new header, formerly known as the Features Policy. It allows a website to control which features and APIs can be used in the browser. This is achieved by communicating whether or not features such as the Webcam, Speakers or USB access will be required as a part of the website experience (amongst others). By clearly defining these on the header, you are able to broadcast your intentions and be far more transparent with your site visitors.

Here is an example of what the header looks like with a simple directive:

  • Permissions-Policy: camera=(), speaker=(), usb=()
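To make the five checks concrete, here is an added example (not from the original post or VIEWFULE's own tooling) that audits a set of response headers the way the grading tools do, using the example values from the sections above as constructed input. The weak sample's hostname and values are constructed for illustration.

```python
import re
ONE_YEAR = 31536000  # seconds: the max-age used in the HSTS example above

def audit_headers(headers):
    """Return a list of findings for a response-header dict; [] means all five pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # 1. HSTS: present, max-age of a year or more, includeSubDomains so no subdomain is left on HTTP.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")
    # 2. CSP: present, and script sources must not be wide open.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        directives = {p[0]: p[1:] for p in (d.split() for d in csp.split(";")) if p}
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            findings.append("CSP: no script-src or default-src directive")
        elif "*" in sources or "'unsafe-inline'" in sources:
            findings.append("CSP: script-src allows * or 'unsafe-inline'")
    # 3. 'nosniff' is the only defined value.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")
    # 4. Only DENY and SAMEORIGIN are honoured by current browsers; ALLOW-FROM is obsolete.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")
    if "permissions-policy" not in h:  # 5. presence is all this check enforces
        findings.append("Permissions-Policy: header missing")
    return findings
# Constructed sample: the example values from the five sections above.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "script-src 'self' https://www.analytics.viewfule.com",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "camera=(), speaker=(), usb=()",
}
# Constructed weak deployment: short HSTS, permissive CSP, obsolete framing value, rest absent.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "script-src * 'unsafe-inline'",
    "x-frame-options": "ALLOW-FROM https://example.com",
}
```

Running `audit_headers(GOOD_HEADERS)` returns an empty list, while the weak sample produces one finding per failed check.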

Your next steps.

At VIEWFULE, we take our clients’ website security seriously. HTTP security headers are one tool we use to achieve this, and when combined with a Premium SSL Certificate they show the confidence and skill to keep your website secure for visitors and customers alike. Implementing them is specific to each website and depends on whether it runs an online shop or makes use of external sources. The web server that’s used also matters, and the configuration varies depending on whether you’re using Apache, NGINX or LiteSpeed. So reach out for your FREE consultation and we’ll talk through implementing these security headers on your website, specific to your use case.
