What are security headers?
Security headers are HTTP response headers that control how the user's browser interacts with the website; set correctly, they prevent or blunt a number of attacks. These include direct attacks such as Cross-Site Scripting (XSS) and ClickJacking, along with others that indirectly affect privacy and security, such as leaking the page the user came from to third parties.
Why do I need security headers?
HTTP security headers are a necessary baseline for all modern web applications. A pen-test of a web application may happen once a year, while development teams release far more often, so an XSS bug introduced in a release can go unnoticed for months. Security headers (a strict Content-Security-Policy above all) are a defence in depth that limits what such a bug can do until it is found and fixed.
Which security headers do I need to implement?
Strict Transport Security (HSTS)
The HSTS header tells browsers to access the site over a secured (HTTPS) connection only, which defeats protocol-downgrade (SSL stripping) attacks and the session hijacking that follows when a session cookie is sent in clear text. The max-age should be at least 1 year (31536000 seconds), but our web app pentesting team recommend the following HSTS value: max-age=63072000 (two years). Browsers only honour the header when it is received over HTTPS, so set it on the HTTPS site and have the HTTP site redirect there.
X-Frame-Options
The X-Frame-Options header is an older header that still matters for older browsers and prevents ClickJacking by stopping the pages of the website being loaded in a frame or iframe on another site. You should also set the Content-Security-Policy frame-ancestors directive, which modern browsers prefer over X-Frame-Options when both are present, to protect against other framing attacks. The header should be set as: DENY
X-XSS-Protection
The X-XSS-Protection header controlled a built-in filter in Internet Explorer, Safari and Chrome that tried to stop a page loading when it detected a reflected cross-site scripting (XSS) attack. The detection did not work reliably, and the filter has since been removed from Chrome and Edge (Firefox never implemented it); modern browsers rely instead on a Content-Security-Policy that disallows inline JavaScript, which is covered below. If setting this header, use the following: 1; mode=block. Note that current OWASP guidance is to set it to 0 (filter disabled) instead, because the filter itself has been abused to leak information about the page.
X-Content-Type-Options
With this header set, browsers refuse to load a script or stylesheet whose Content-Type does not match what the page asked for, rather than guessing the type from the content (MIME sniffing). This blocks attacks that smuggle script into the page through a resource served with a different MIME type.
Set as: nosniff
Content-Security-Policy
Content-Security-Policy is an article on its own (see our CSP recommendations post), but this header is vital for XSS protection and for modern ClickJacking protection. It's important not to permit inline JavaScript with 'unsafe-inline' in script-src, as a policy that allows it will not stop injected script from executing; use nonces or hashes for any inline script you cannot move into a file. A strong frame-ancestors directive (for example frame-ancestors 'none') will prevent ClickJacking.
Permissions-Policy
The Permissions-Policy header manages which browser features the page (and anything it embeds) is allowed to use, including GPS location, camera, microphone, etc. An example of the directives that could be used is: geolocation=(self), microphone=() which allows geolocation for the site's own origin only and disables the microphone entirely.
Referrer-Policy
The Referrer-Policy header stops the browser leaking referrer data (the URL of the page the user came from, including its path and query string) to other websites that the site links to or loads resources from. To prevent leaking the source page entirely, this should be set to: no-referrer
How can Security Headers be implemented in Apache?
Open Apache Configuration
Connect to your server and open your Apache configuration file. This is typically located at /etc/apache2/apache2.conf (Debian and Ubuntu) or /etc/httpd/conf/httpd.conf (RHEL and CentOS):
sudo nano /etc/apache2/apache2.conf
Add Security Headers
Insert the header directives at the appropriate location in your Apache configuration file (normally the VirtualHost for the HTTPS site) to add security headers:
- Open the Apache configuration file (Linux server):
sudo nano /etc/httpd/conf/httpd.conf
- On a Windows server, you can use a text editor such as Notepad to open the file located at "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf" (the exact path depends on the Apache version installed).
- Add the headers to the config file. The Header directive is provided by mod_headers, which must be enabled (on Debian and Ubuntu: sudo a2enmod headers); use Header always set so the headers are also sent on error responses.
- For more information regarding Content-Security-Policy see our CSP recommendations post.
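The header set from the sections above as an Apache VirtualHost, added here as an example and not the post's own configuration. www.example.com is a placeholder, and the Content-Security-Policy is an assumed strict starting point that will need adapting to the scripts, styles and third-party resources your site actually uses:

```apache
# Added example, not the post's own configuration: security headers for the
# HTTPS VirtualHost. The Header directive needs mod_headers (on Debian and
# Ubuntu: sudo a2enmod headers). www.example.com is a placeholder and the
# Content-Security-Policy is a strict starting point to adapt to your site.
<VirtualHost *:443>
    ServerName www.example.com
    # ... SSLEngine, certificate and DocumentRoot settings go here ...

    # "always" adds the headers to error responses (4xx/5xx) as well as 2xx.
    Header always set Strict-Transport-Security "max-age=63072000"
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
    Header always set Referrer-Policy "no-referrer"
    Header always set Permissions-Policy "geolocation=(self), microphone=()"
    # Legacy filter header; see the X-XSS-Protection section above.
    Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>

# HSTS is only honoured over HTTPS, so the plain-HTTP site just redirects.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

Without the always keyword, Header set only applies to successful responses, so a 404 or 500 page would go out without any of these headers; the always form is what makes the check on an error page (below) pass.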
Save and Restart Apache
Save your changes, check that the configuration parses, and restart Apache to apply the new configuration:
sudo apachectl configtest
sudo systemctl restart apache2
(On RHEL and CentOS the service is httpd.)
Verify Configuration
Ensure that the security headers are applied correctly by visiting your website and checking the response headers using browser developer tools, curl -I https://yoursite.com, or online security header checking tools. Check an error page (for example a 404) as well as the home page, since headers set without always are typically missing from error responses.
How can Security Headers be implemented in nginx?
Open Nginx Configuration
Connect to your server and open your Nginx configuration file. This is typically located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Debian and Ubuntu), or /etc/nginx/conf.d/nginx.conf (RHEL and CentOS):
sudo nano /etc/nginx/nginx.conf
Or:
sudo nano /etc/nginx/sites-enabled/yoursite.com
Or:
sudo nano /etc/nginx/conf.d/nginx.conf
Add Security Headers
Insert the add_header directives in the server block for the HTTPS site in your Nginx configuration file to add security headers:
- Add the headers to the config file, using the always parameter so they are also sent on error responses. Note that add_header directives are only inherited from the enclosing level when the current level has none of its own: a single add_header inside a location block replaces every add_header set in the server block, so repeat the full set in any location that adds one.
- For more information regarding Content-Security-Policy see our Content-Security-Policy Recommendations post.
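The same header set as an Nginx server block, added here as an example and not the post's own configuration. www.example.com is a placeholder, and the Content-Security-Policy is an assumed strict starting point to adapt to the resources your site uses:

```nginx
# Added example, not the post's own configuration: security headers in the
# HTTPS server block. "always" (nginx 1.7.5 and later) applies them to error
# responses too. www.example.com is a placeholder and the CSP is a strict
# starting point to adapt to your site.
server {
    listen 443 ssl;
    server_name www.example.com;
    # ... ssl_certificate, ssl_certificate_key and root go here ...

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "geolocation=(self), microphone=()" always;
    # Legacy filter header; see the X-XSS-Protection section above.
    add_header X-XSS-Protection "1; mode=block" always;

    # Pitfall: an add_header in a nested location block replaces ALL of the
    # add_header directives above, so any location that adds one must repeat
    # the full set.
}

# HSTS is only honoured over HTTPS, so the plain-HTTP server just redirects.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```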
Save and Restart Nginx
Save your changes, test the configuration, and restart (or reload) Nginx to apply the new configuration:
sudo nginx -t
sudo systemctl restart nginx
Verify Configuration
Ensure that the security headers are applied correctly by visiting your website and checking the response headers using browser developer tools, curl -I https://yoursite.com, or online security header checking tools. Check a page under any location block that sets its own add_header, as well as an error page, since those are where headers most often go missing.
How do I check security headers?
You can use Chrome's dev tools: on the Network tab, selecting the request shows the full response headers. From the command line, curl -sD - -o /dev/null https://yoursite.com/ prints the headers of a real GET request. To confirm your security headers are correct, use North IT's security header checking tool; it allows you to set auth cookies and JWT tokens to check authenticated content.
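As an added example (not the post's own tool, and separate from North IT's checker), a POSIX shell script that checks a saved set of response headers against the recommendations above: every header present, HSTS max-age of at least a year, and a CSP that neither allows 'unsafe-inline' nor omits frame-ancestors. The two sample responses are constructed inline so the script runs offline; for a real site, save the output of curl -sD - -o /dev/null https://yoursite.com/ to a file and pass that file instead:

```shell
#!/bin/sh
# Added example, not the post's own tool: check a saved HTTP response header
# block for the security headers recommended in this post. The sample
# responses below are constructed for the demonstration; for a real site use
#   curl -sD - -o /dev/null https://yoursite.com/ > headers.txt
# and then run: check_security_headers headers.txt

# Headers that must be present (names are matched case-insensitively).
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options content-security-policy referrer-policy permissions-policy"

# has_header FILE NAME: succeeds if a line in FILE starts with "NAME:".
has_header() {
    grep -i -q "^$2:" "$1"
}

# hsts_max_age FILE: prints the max-age value from the HSTS header, or 0 if
# the header (or the directive) is absent.
hsts_max_age() {
    value=$(grep -i "^strict-transport-security:" "$1" | head -n 1 |
            sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${value:-0}"
}

# check_security_headers FILE: prints one line per finding and returns the
# number of problems found, so 0 means every check passed.
check_security_headers() {
    file="$1"
    problems=0
    for name in $REQUIRED_HEADERS; do
        if has_header "$file" "$name"; then
            printf 'present  %s\n' "$name"
        else
            printf 'MISSING  %s\n' "$name"
            problems=$((problems + 1))
        fi
    done
    # HSTS below one year (31536000 s) is too short to be effective.
    if has_header "$file" strict-transport-security &&
       [ "$(hsts_max_age "$file")" -lt 31536000 ]; then
        printf 'WEAK     strict-transport-security max-age is below 31536000\n'
        problems=$((problems + 1))
    fi
    # A CSP that allows 'unsafe-inline' or has no frame-ancestors does not
    # deliver the XSS and ClickJacking protection the header is set for.
    if has_header "$file" content-security-policy; then
        csp=$(grep -i "^content-security-policy:" "$file" | head -n 1)
        case "$csp" in
            *unsafe-inline*)
                printf "WEAK     content-security-policy allows 'unsafe-inline'\n"
                problems=$((problems + 1)) ;;
        esac
        case "$csp" in
            *frame-ancestors*) ;;
            *)
                printf 'WEAK     content-security-policy has no frame-ancestors directive\n'
                problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}

# Constructed sample responses: one that follows the recommendations, one
# with typical gaps (short HSTS, unsafe-inline, no frame-ancestors, no
# Permissions-Policy).
GOOD_HEADERS=$(mktemp)
BAD_HEADERS=$(mktemp)
trap 'rm -f "$GOOD_HEADERS" "$BAD_HEADERS"' EXIT
cat > "$GOOD_HEADERS" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(self), microphone=()
EOF
cat > "$BAD_HEADERS" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline'
Referrer-Policy: no-referrer
EOF

# Run both samples; the good one reports 0 problems, the bad one 4.
for sample in "$GOOD_HEADERS" "$BAD_HEADERS"; do
    check_security_headers "$sample" && status=0 || status=$?
    printf 'problems found: %s\n\n' "$status"
done
```

The script deliberately counts a weak value as a problem alongside a missing header, because a CSP with 'unsafe-inline' or an HSTS of a few minutes passes a naive "is the header there?" check while giving almost none of the protection the header is meant to provide. Run it against an authenticated page and an error page as well as the home page; those are where headers most often differ.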