Security Best Practices

Fixing Missing HTTP Security Headers

HTTP Security Headers

Some browsers ship with a built-in XSS filter, but it may be disabled by default. Sending the X-XSS-Protection header instructs the browser to enable this filter, which gives some additional protection against reflected cross-site scripting. Be aware that current Chromium-based browsers have removed their XSS filter and Firefox never implemented one, so the header only helps users of older browsers and is not a substitute for output encoding or a Content Security Policy.

Missing Strict Transport Security header means that the application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user’s network traffic could bypass the application’s use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

A missing X-Content-Type-Options header means the browser may "sniff" the real content type of a response and interpret it as something other than the declared Content-Type, which exposes the site to MIME-sniffing attacks (for example, a user-uploaded file being rendered as HTML).

Steps to Fix

X-XSS-Protection

  • For Apache, enable the filter in blocking mode (mode=block makes the browser suppress the page instead of trying to rewrite it, which avoids the known problems with the filter's sanitising mode) by adding the following to the .htaccess file:
    # X-XSS-Protection
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    </IfModule>
  • For Nginx, add the following to the nginx configuration: add_header X-XSS-Protection "1; mode=block"; Note that add_header directives in a nested block (for example a location) replace, rather than add to, those inherited from the enclosing block, so define all security headers at the same level.

Strict Transport Security

  • The application should instruct web browsers to only access it over HTTPS.
  • To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header named Strict-Transport-Security with the value max-age=expireTime, for example Strict-Transport-Security: max-age=31536000 for one year. The header must be sent on HTTPS responses; browsers ignore it when received over plain HTTP.
  • The expireTime is the time in seconds that browsers should remember that the site must only be accessed over HTTPS. Append includeSubDomains to the value if every subdomain is also served over HTTPS.

X-Content-Type-Options

  • When serving resources, make sure you send the content-type header to appropriately match the type of the resource being served. For example, if you are serving an HTML page, you should send the HTTP header: Content-Type: text/html
  • For Apache, add the X-Content-Type-Options header with a value of “nosniff” to inform the browser to trust what the site has sent is the appropriate content-type, and to not attempt “sniffing” the real content-type. Add the following code to the .htaccess file:
    # X-Content-Type nosniff
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
    </IfModule>
  • For Nginx, add the following code to the nginx configuration: add_header X-Content-Type-Options nosniff;
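As an added example (not part of this article), the Python script below parses a raw HTTP response and audits it for the three headers covered above, so the fix can be verified rather than assumed. The two sample responses are constructed for the demonstration, and the one-year HSTS minimum is an assumption; the article itself only says max-age is an expiry in seconds.

```python
import re

# Assumed recommended minimum for HSTS max-age (one year); the article only
# says max-age is an expiry in seconds, so this threshold is an assumption.
ONE_YEAR = 31536000


def parse_response_headers(raw):
    """Parse a raw HTTP/1.1 response into a dict of lower-cased header names.

    Only the status line and header block are read; anything after the blank
    line (the body) is ignored. Later duplicates overwrite earlier ones.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS value as an int, or None."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers, over_https=True):
    """Check the three headers from the article; return a list of findings.

    An empty list means every check passed. over_https records whether the
    response was fetched over TLS, because browsers ignore HSTS on plain HTTP.
    """
    findings = []

    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif not xss.strip().startswith("1"):
        findings.append("X-XSS-Protection disables the filter: " + xss)

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif age < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age too short: %d" % age)
        if not over_https:
            findings.append("Strict-Transport-Security sent over HTTP is ignored")

    cto = headers.get("x-content-type-options", "")
    if cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if "content-type" not in headers:
        findings.append("Content-Type missing, so nosniff has nothing to pin")

    return findings


def audit_raw(raw, over_https=True):
    """Convenience wrapper: parse a raw response and audit its headers."""
    return audit_headers(parse_response_headers(raw), over_https)


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_raw(raw)
        print("%s: %s" % (label, "OK" if not findings else "; ".join(findings)))
```

To check a live server, save the output of curl -si https://your-host/ to a file and pass its contents to audit_raw; the weak sample above produces three findings and the hardened one none.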
