What are the different types of HTTP security headers?
How do you protect websites from HTTP security header vulnerabilities?
Is that term new to you? I think the answer is partly yes and partly no.
Let's check what it means and how it works with your website.
What are HTTP security headers?
HTTP security headers are response headers that concern the security of a web application during the communication between the client and the server.
An HTTP response header is metadata that a web server sends to the browser along with the web page it requested.
HTTP headers are a great booster for web security and are easy to implement. Proper HTTP response headers help prevent security vulnerabilities like Cross-Site Scripting, clickjacking, information disclosure and more.
Hiding or changing the default values of some headers also boosts security: when the default value is accurate (for example the real server product and version), that alone is enough for an attacker to learn details about the website.
What are the types of HTTP headers?
- Content-Security-Policy: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting the sources of approved content, you stop the browser from loading malicious assets.
Syntax:
Content-Security-Policy: script-src 'self'
- Access-Control-Allow-Origin: this CORS header tells the browser which origins may read a cross-origin response. The wildcard value is a very lax CORS policy and should only be used on a public CDN. The null value should also be avoided, because a sandboxed iframe sends a null origin too, so it does not identify a trusted site.
Syntax:
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <Domain name>
Access-Control-Allow-Origin: null
- Permissions-Policy: Permissions Policy is a new header that allows a site to control which browser features and APIs can be used.
Syntax:
Permissions-Policy: camera=(), microphone=(), geolocation=(), browsing-topics=()
- Referrer-Policy: Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document; it should be set by all sites.
Syntax:
Referrer-Policy: origin-when-cross-origin
- Server: the Server header discloses which web server software is running. Typically you will see values like "Microsoft-IIS/8.0" or "nginx 1.7.2", and a version string like that lets an attacker look up the known vulnerabilities of that exact release, so the value should be changed.
Syntax:
Server: <any custom value>
By default the value is the actual server name and version; to mitigate the information disclosure, use a custom value (or remove the header entirely).
E.g.: Server: My server
- Strict-Transport-Security: HTTP Strict Transport Security is an excellent feature to support on your site; it strengthens your TLS deployment by getting the user agent to enforce the use of HTTPS.
Syntax:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- X-Content-Type-Options: stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared Content-Type. The only valid value for this header is "nosniff".
Syntax:
X-Content-Type-Options: nosniff
- X-Frame-Options: tells the browser whether you allow your site to be framed. By preventing a browser from framing your site you defend against attacks like clickjacking. SAMEORIGIN allows framing only by pages from the same origin; DENY is the other valid value.
Syntax:
X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: configures the XSS Auditor built into older browsers. The recommended value was "1; mode=block", but you should now look at Content Security Policy instead.
Syntax:
X-XSS-Protection: 1; mode=block
Where is the fix made to mitigate the issues?
The fix is made on the server side. The exact fix varies with the technology used to develop the application.
E.g.: .htaccess (Apache), IIS settings or web.config, DNS, and some headers can be set in page directives.
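For an application served through WSGI (Flask, Django, plain wsgiref), the server-side fix can be a middleware that adds the headers to every response. The block below is an added example, not code from the original post; the demo app, the `--serve` flag and the "My server" value are constructed for illustration. It keeps any header the page already set (a page-specific CSP should win over a blanket one) but always replaces Server so the real product banner never leaks:

```python
# Added example, not code from the original post: a WSGI middleware that adds
# the recommended headers to every response. The app and the Server value are
# constructed for illustration.
import sys

# Values as recommended in the post; "My server" is a constructed placeholder
# that replaces the real product/version string.
SECURITY_HEADERS = {
    "Content-Security-Policy": "script-src 'self'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), browsing-topics=()",
    "Referrer-Policy": "origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Server": "My server",
}


def security_headers_middleware(app, headers=SECURITY_HEADERS):
    """Wrap a WSGI app so every response carries the security headers.

    A header the app already set (e.g. a page-specific CSP) is kept, because a
    blanket value could break that page. The Server header is the exception:
    it is always replaced so the real software name and version never leak.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            # Header names are case-insensitive, so compare lower-cased.
            present = {name.lower() for name, _ in response_headers}
            merged = [(n, v) for n, v in response_headers if n.lower() != "server"]
            for name, value in headers.items():
                if name.lower() == "server" or name.lower() not in present:
                    merged.append((name, value))
            return start_response(status, merged, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Constructed demo app: sets its own CSP and leaks a Server banner."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Server", "nginx 1.7.2"),
    ])
    return [b"<h1>hello</h1>"]


def response_headers(app, path="/"):
    """Invoke a WSGI app with a minimal constructed environ; return its headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    list(app(environ, start_response))  # consume the body iterable
    return captured["headers"]


if __name__ == "__main__":
    app = security_headers_middleware(hello_app)
    if "--serve" in sys.argv:
        # Serve locally so the headers can be inspected with: curl -I http://127.0.0.1:8000/
        from wsgiref.simple_server import make_server
        make_server("127.0.0.1", 8000, app).serve_forever()
    for name, value in response_headers(app).items():
        print(f"{name}: {value}")
```

Running the script prints the merged header set; the demo app's own `default-src 'self'` policy survives while its `nginx 1.7.2` banner is replaced. The same merge-but-do-not-override rule is what you want in an Apache `Header set` block or an IIS `<customHeaders>` section, otherwise a global header silently clobbers a page that needs a different policy.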
How to test a website's HTTP headers?
There are a lot of services available online; one useful tool is Securityheaders.com.