Secure HTTP Header Settings

Secure HTTP Header Settings

Risk: secure

Description

Secure Header Setting:

• Content Security Policy: Mitigates risks of cross-site scripting (XSS) by specifying trusted sources for content.
• Cookie: Enhances security by setting attributes like HttpOnly and Secure to protect cookie data from unauthorized access.
• Cross-Origin Resource Sharing: Controls how resources can be shared across different domains to prevent malicious access.
• HTTP Public Key Pinning: Protects against man-in-the-middle attacks by specifying which public keys are valid for a particular site.
• Redirection: Ensures that redirects are safe and only lead to trusted destinations to prevent open redirect vulnerabilities.
• Referrer Policy: Defines how much referrer information is passed when navigating from one site to another, enhancing privacy.
• Subresource Integrity: Verifies that resources loaded from third-party domains have not been tampered with by checking their cryptographic hash.
• X-Content-Type-Options: Prevents browsers from MIME-sniffing the content type, reducing the risk of content-type-based attacks.
• X-Frame-Options: Prevents clickjacking attacks by controlling whether a page can be embedded in a frame.
• X-XSS-Protection: Activates the browser's built-in XSS filtering to block detected cross-site scripting attacks.
• Permissions-Policy: Controls which features and APIs can be used in the browser, enhancing security by limiting capabilities for untrusted content.
• Clear-Site-Data: Allows sites to request the browser to clear stored data (cookies, local storage, caches) for a specified origin, helping to mitigate the impact of data leaks or privacy concerns.

Recommendation

The implementation is secure, and no recommendations apply.

Links

• OWASP HTTP Header Security
• Content Security Policy (MDN)
• X-Frame-Options (MDN)