HTTP security headers
HTTP security headers are used to inform a client (browser) how to behave when handling a website's content. These headers are important in preventing exploitation of vulnerabilities such as XSS, Man-in-the-Middle, clickjacking, etc.
Strict-Transport-Security (HSTS)
Lets a web site tell browsers that it should only be accessed using HTTPS, instead of HTTP. Prevents Man-in-the-Middle attacks.
- The max-age directive defines the time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS.
- The optional includeSubDomains directive defines whether the rule also applies to all of the site's subdomains.
- The optional preload directive ensures that a website will be accessed using HTTPS even on the very first visit. Without it, a user agent has to visit the website once before it learns that it must use STS; to correct this, browsers ship with a list of websites that have to be accessed using HTTPS from the initial request. For more information: https://hstspreload.org/.
X-Frame-Options
Header now obsolete (use the CSP frame-ancestors directive set to none instead). This header indicated whether or not a browser should be allowed to render a page in an <object>. Prevents clickjacking attacks.
- DENY: the page cannot be displayed in a frame.
- SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself (what counts as the same origin depends on how browser vendors interpret this).
- ALLOW-FROM uri: obsolete directive. No longer works in modern browsers.
X-Content-Type-Options (XCTO)
XCTO is used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. It prevents MIME type sniffing attacks.
- The nosniff directive makes the browser block a request if the request destination is of type style and the MIME type is not text/css, or of type
Content-Security-Policy (CSP)
Allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
- The default-src directive acts as a fallback for the other CSP fetch directives. If it is not present, CSP will permit loading resources from any origin.
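The checks described for these four headers can be turned into a small response audit. The following is an added example, not code from the original page; the two header sets it ships with are constructed samples, and the finding strings are my own wording.

```python
import re

# Constructed sample responses (not taken from any real site).
WEAK = {"X-Frame-Options": "ALLOW-FROM https://example.com",
        "Content-Type": "text/html"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

def parse_csp(value):
    """Split a CSP header value into {directive: [source list]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    """Return findings (strings) for missing or weak headers; names are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS: a max-age is mandatory; includeSubDomains and preload are optional but recommended.
    hsts = h.get("strict-transport-security", "").lower()
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) == 0:
            findings.append("HSTS max-age missing or zero")
        if "includesubdomains" not in hsts:
            findings.append("HSTS does not cover subdomains")
        if "preload" not in hsts:
            findings.append("HSTS not flagged for the preload list")
    # XCTO: only the nosniff directive exists.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    # Clickjacking: CSP frame-ancestors is preferred; X-Frame-Options is the legacy fallback.
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp:
        if xfo in ("DENY", "SAMEORIGIN"):
            findings.append("framing restricted by X-Frame-Options only")
        elif xfo.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is ignored by modern browsers")
        else:
            findings.append("no framing restriction")
    # CSP: without default-src the other fetch directives have no fallback.
    if not csp:
        findings.append("CSP missing")
    elif "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    return findings
```

Feed it the header dictionary of a real response (for example `dict(requests.head(url).headers)`) to get the list of weaknesses for that endpoint.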