Security Headers

When responding to an HTTP request the web server passes extra information about the site and server back to the browser in the form of response headers. Some of these headers add protection for your visitors, while others leak information you may wish to keep private.

The bad security headers

Some headers are considered bad from a security standpoint because they leak information such as the type of web server and the software versions it runs. If your web host or sysadmin isn't keeping that software patched, you can end up running a server with known vulnerabilities and advertising the exact version to anyone who looks in the right place.

Examples of headers you may want to remove or hide:
X-Powered-By: PHP/5.1.2-1
Server: Apache/2.4.9 (Unix)

How you remove this information depends on the server and software, but the settings are easy enough to find with a web search or in the OWASP hardening guide for the server you are using.

For PHP, edit php.ini and set "expose_php = Off"; this stops PHP adding the X-Powered-By header.

For Apache, make sure the following values are set in the main configuration:
ServerSignature Off
ServerTokens Prod

ServerSignature Off removes the server line from Apache-generated error pages, and ServerTokens Prod reduces the Server header to just "Apache" with no version or OS details. Apache will still send that bare "Server: Apache" header; removing it entirely needs an extra module such as ModSecurity.

The good security headers

Content-Security-Policy
    A helpful header for protecting your site against XSS. You whitelist the sources the browser may load content from (scripts, styles, images, frames and so on), so injected markup that points at an attacker's server, or inline script if you do not allow it, is refused by the browser. A policy that is too strict will break your own pages, so test it first.

Content-Security-Policy-Report-Only
    Lets you test a "Content-Security-Policy" before making it live. The browser reports the violations it would have blocked (in the console, and to a report URI if you set one) without blocking any content on the live site. On its own it protects nothing; it is a testing aid.

Strict-Transport-Security
    Also known as HSTS. Tells the browser that, for the max-age period, it must only talk to your site over HTTPS: plain http:// links are upgraded before the request is sent and certificate errors cannot be clicked through. Only send it over HTTPS, and start with a short max-age until you are sure every part of the site works over TLS.

X-Frame-Options
    Tells the browser whether your site may be loaded inside a frame (DENY, or SAMEORIGIN to allow only your own pages). Disallowing framing defends against clickjacking attacks. The CSP "frame-ancestors" directive is the modern replacement, but X-Frame-Options is still worth sending for older browsers.

X-XSS-Protection
    Controls the built-in reflected-XSS filter in older browsers; "1; mode=block" was the usual value. Current browsers have removed that filter (Firefox never had it), so do not rely on this header; Content-Security-Policy is the real defence.

X-Content-Type-Options
    Prevents the browser from MIME-sniffing the response and forces it to stick with the declared Content-Type, which stops, for example, an uploaded file being executed as script. The only valid value is "X-Content-Type-Options: nosniff".

Public-Key-Pins
    Also known as HPKP. Intended to protect against man-in-the-middle attacks by pinning the certificate keys the browser should trust for your site. It is dangerous: get the pins wrong, or lose the pinned key, and returning visitors are locked out until the max-age expires, with no way for you to unblock them. Browsers have since deprecated and dropped support for this header, so it should not be deployed on new sites.

How to test your security headers

There are some really good online tools to help you test and review your security headers; the best has to be SecurityHeaders.io, run by the security blogger Scott Helme. It also has a great deal more information than is listed here on each of the headers and how to configure them correctly.
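The online scanner is the easy option, but the same checks can be run locally, against a staging server or a saved response, before anything is public. The script below is an added example written for this page, not a tool from the page or from SecurityHeaders.io. It parses the header block of a raw HTTP response and applies the rules above: it flags the leaky headers from the first section (a Server header carrying a version, any X-Powered-By) and reports which of the protective headers from the table are missing or mis-set. The two responses it runs against are constructed sample input, not captures from a real site; the hardened one doubles as a concrete set of values for each header.

```python
"""Offline audit of HTTP response headers against the checks described above.
Added example for this page; the two sample responses below are constructed,
not captured from any real server."""
import re

# Constructed sample: leaks versions, sends none of the protective headers.
LEAKY_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.9 (Unix)
X-Powered-By: PHP/5.1.2-1
Content-Type: text/html; charset=UTF-8
Content-Length: 0
"""

# Constructed sample: the same server after ServerTokens Prod, expose_php=Off
# and the protective headers from the table have been configured.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 0
"""


def parse_headers(raw):
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased header name. Repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit(h):
    """Return a list of (severity, header, message) findings; empty means clean."""
    findings = []

    # Information leaks: a bare "Apache" is what ServerTokens Prod produces and
    # is tolerated; any digit means a version is being advertised.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(("leak", "Server", f"advertises software version: {server!r}"))
    if "x-powered-by" in h:
        findings.append(("leak", "X-Powered-By",
                         f"present: {h['x-powered-by']!r} (set expose_php = Off)"))

    # Protective headers from the table.
    csp = h.get("content-security-policy", "")
    if not csp:
        if "content-security-policy-report-only" in h:
            findings.append(("warn", "Content-Security-Policy",
                             "only a Report-Only policy is set; nothing is blocked"))
        else:
            findings.append(("missing", "Content-Security-Policy",
                             "no policy; injected content can load from anywhere"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("missing", "Strict-Transport-Security",
                         "browser will not be forced onto HTTPS"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) == 0:
            findings.append(("warn", "Strict-Transport-Security",
                             f"max-age missing or zero: {hsts!r}"))

    # Framing is controlled by either X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("missing", "X-Frame-Options", "page can be framed (clickjacking)"))

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(("missing", "X-Content-Type-Options", "must be exactly 'nosniff'"))

    if "public-key-pins" in h:
        findings.append(("warn", "Public-Key-Pins",
                         "HPKP is deprecated; a wrong pin set locks visitors out until it expires"))
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for sev, name, msg in audit(parse_headers(raw)) or [("ok", "-", "no findings")]:
            print(f"[{sev}] {name}: {msg}")
```

To run it against a live server, replace one of the sample strings with the output of `curl -sI https://your-site/`; the script only looks at the header block, so the body is irrelevant. It deliberately does not score X-XSS-Protection, since current browsers ignore that header.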