What Are Security Headers? And Are They Important?

Security headers are HTTP response headers that instruct the browser to enforce protections for a web application. When a browser requests a page from a web server, the server responds with the page content and a set of response headers. Response headers in general carry metadata about the page (such as when it was last modified), details about the web server, cookies, and instructions on how to handle caching and protocols, among other things. Security headers are the subset of these whose job is to switch on browser-side protections, such as requiring HTTPS or restricting where scripts may be loaded from.

Let's take the HTTP Strict-Transport-Security (HSTS) header as an example. This security response header lets a website tell browsers that it should only be accessed over HTTPS, never over plain HTTP; with the includeSubDomains directive, the same rule extends to all of its subdomains.

If a user later types a web address with HTTP, as in http://example.com, a browser that has cached the HSTS policy rewrites the request to https://example.com before anything leaves the machine, so no plaintext request is ever sent to the target domain. This helps protect against man-in-the-middle attacks such as SSL stripping, in which an attacker on the network path downgrades or intercepts a user's connection. Two caveats apply: browsers only honor the header when it arrives over a valid HTTPS connection (otherwise an attacker who could inject it over HTTP could lock users out of a site), and the very first visit is not protected until the policy has been seen once, unless the domain is on the browsers' HSTS preload list.

The following security header syntax tells the browser that the host and all its present and future subdomains must be reached over HTTPS for max-age seconds (one year, 31536000, is a common value):

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
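
As an added example (not code from the original post), the following JavaScript models the policy store a browser keeps for HSTS: it parses the header, ignores it when it arrives over plain HTTP, and decides whether an http:// URL is rewritten to https://. The HstsStore and parseHsts names, the hostnames and the header values are all constructed for illustration.

```javascript
// Added example (not from the original post): a model of the HSTS policy
// store a browser keeps, showing when an http:// request is upgraded.
// All hostnames and header values here are constructed for illustration.

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
// Returns null when there is no usable max-age; browsers ignore such headers.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const [name, val] = raw.trim().split('=').map((s) => s.trim());
    const lower = (name || '').toLowerCase();
    if (lower === 'max-age') {
      const seconds = val === undefined ? NaN : Number(val.replace(/^"|"$/g, ''));
      if (!Number.isInteger(seconds) || seconds < 0) return null;
      maxAge = seconds;
    } else if (lower === 'includesubdomains') {
      includeSubDomains = true;
    }
    // 'preload' and unknown directives do not affect the browser's decision.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map(); // hostname -> { expires (ms), includeSubDomains }
  }

  // Record the policy from a response. Per RFC 6797 the header is honoured only
  // when it arrives over HTTPS, so a plain-HTTP response changes nothing and the
  // first visit to a site is unprotected until an HTTPS response has been seen.
  // `headers` is a map with lower-case names, as Node's http module provides.
  observeResponse(responseUrl, headers, now = Date.now()) {
    const url = new URL(responseUrl);
    if (url.protocol !== 'https:') return false;
    const policy = parseHsts(headers['strict-transport-security'] || '');
    if (policy === null) return false;
    if (policy.maxAge === 0) { // max-age=0 tells the browser to forget the host
      this.policies.delete(url.hostname);
    } else {
      this.policies.set(url.hostname, {
        expires: now + policy.maxAge * 1000,
        includeSubDomains: policy.includeSubDomains,
      });
    }
    return true;
  }

  // Return the URL the browser would actually request: rewritten to https://
  // when the exact host has a live policy, or when a parent domain has one
  // that includes subdomains. Expired policies are dropped on the way.
  upgrade(requestUrl, now = Date.now()) {
    const url = new URL(requestUrl);
    if (url.protocol !== 'http:') return requestUrl;
    const labels = url.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const policy = this.policies.get(candidate);
      if (policy === undefined) continue;
      if (policy.expires <= now) { this.policies.delete(candidate); continue; }
      if (i === 0 || policy.includeSubDomains) {
        url.protocol = 'https:';
        return url.toString();
      }
    }
    return requestUrl;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const store = new HstsStore();
  const hdr = { 'strict-transport-security': 'max-age=31536000; includeSubDomains' };
  store.observeResponse('http://example.com/', hdr); // ignored: not HTTPS
  console.log(store.upgrade('http://example.com/login'));  // http://example.com/login
  store.observeResponse('https://example.com/', hdr);
  console.log(store.upgrade('http://example.com/login'));  // https://example.com/login
  console.log(store.upgrade('http://api.example.com/v1')); // https://api.example.com/v1
}
```

Because the rewrite happens inside the browser, a tool such as curl pointed at http:// will still get a plaintext response from a server that only sets the header; the server should also redirect HTTP to HTTPS, and the HSTS header should be sent on every HTTPS response so the policy is refreshed before it expires.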

Properly implemented security headers help mitigate clickjacking, information disclosure, cross-site scripting (XSS), and code injection, among other attacks. They are a defense-in-depth layer: they reduce the impact of a bug in the application, but they do not replace fixing it.

Here are some other commonly used security headers with descriptions of what they do:

  1. Content-Security-Policy (CSP): Helps detect and mitigate certain attacks such as cross-site scripting (XSS) and data injection. CSP lets server administrators declare, per content type (scripts, styles, images, frames, and so on), which sources the browser may load from; the browser refuses everything else. A policy can be as strict as blocking every script, for example with default-src 'none', and it can be rolled out in report-only mode first (Content-Security-Policy-Report-Only) so violations are logged without breaking the site.
  2. X-Content-Type-Options: Tells the browser (not the server) that the MIME type in the Content-Type header is authoritative and must not be guessed from the content. Its only value is nosniff. This blocks MIME sniffing attacks, for example a user-uploaded file being executed as a script because the browser decided it looked like JavaScript.
  3. X-Frame-Options: Tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object>. DENY forbids all framing and SAMEORIGIN allows it only from the same origin; the older ALLOW-FROM value is no longer supported by browsers. It prevents clickjacking by stopping other sites from embedding the page. The CSP frame-ancestors directive is the modern equivalent and takes precedence where both are set.
  4. Access-Control-Allow-Origin: Part of CORS. Indicates whether the response may be read by script running on the given origin. If a script on Site A requests content from Site B, Site B's Access-Control-Allow-Origin response header tells the browser which origins may read the content. Note that this header relaxes the browser's same-origin policy rather than tightening it: a value of * (or one that simply echoes the request's Origin header) on a response containing user data exposes that data to any site.
  5. Referrer-Policy: Controls how much of the referring URL is sent in the Referer header on requests and navigations leaving the page. It protects user privacy and reduces data leakage to third parties, such as tokens or search terms embedded in a path or query string. strict-origin-when-cross-origin, the current browser default, sends only the origin to other sites.
  6. Permissions-Policy: Controls which browser features and APIs a page and the frames it embeds may use, such as geolocation, camera and microphone. A directive such as geolocation=() disables the feature for the whole page, so an injected or third-party script cannot invoke it.
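
To show how these headers are checked in practice, here is an added example (not code from the original post): a small static audit that takes one response's header map and reports missing or weak settings for each header listed above. The auditHeaders and parseCsp names, the one-year HSTS threshold and both sample responses are constructed for illustration.

```javascript
// Added example (not from the original post): a static audit of one HTTP
// response's security headers, encoding the checks a reviewer applies to the
// headers listed above. The sample responses at the bottom are constructed.

// Split a Content-Security-Policy value into a Map of directive -> source list.
// Browsers honour the first occurrence of a repeated directive, so do we.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Return an array of findings for a header map; an empty array means every
// check passed. Header names are matched case-insensitively. The one-year
// HSTS minimum is a common hardening baseline, not a browser requirement.
function auditHeaders(headers, minHstsMaxAge = 31536000) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const m = /max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
    if (!m) findings.push('Strict-Transport-Security has no valid max-age');
    else if (Number(m[1]) < minHstsMaxAge) findings.push(`Strict-Transport-Security max-age=${m[1]} is below ${minHstsMaxAge}`);
  }

  let frameAncestors = false;
  if (h['content-security-policy'] === undefined) {
    findings.push('Content-Security-Policy missing');
  } else {
    const csp = parseCsp(h['content-security-policy']);
    frameAncestors = csp.has('frame-ancestors');
    const scriptSrc = csp.get('script-src') || csp.get('default-src'); // script-src falls back to default-src
    if (!scriptSrc) findings.push('Content-Security-Policy sets neither script-src nor default-src');
    else {
      for (const weak of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
        if (scriptSrc.includes(weak)) findings.push(`Content-Security-Policy allows ${weak} for scripts`);
      }
    }
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not "nosniff"');
  }

  const xfo = h['x-frame-options'];
  if (xfo === undefined && !frameAncestors) {
    findings.push('no clickjacking protection: neither frame-ancestors nor X-Frame-Options');
  } else if (xfo !== undefined && !['DENY', 'SAMEORIGIN'].includes(xfo.toUpperCase())) {
    findings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete; use frame-ancestors)`);
  }

  const acao = h['access-control-allow-origin'];
  if (acao === '*') findings.push('Access-Control-Allow-Origin: * lets any origin read this response');
  else if (acao !== undefined && (h['access-control-allow-credentials'] || '').toLowerCase() === 'true') {
    findings.push(`credentialed cross-origin reads allowed for ${acao}; confirm it is an allow-list, not a reflected Origin`);
  }

  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (rp === '') findings.push('Referrer-Policy missing');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') findings.push(`Referrer-Policy ${rp} sends full URLs to other origins`);

  if (h['permissions-policy'] === undefined) findings.push('Permissions-Policy missing');
  if (h['server'] !== undefined && /\d/.test(h['server'])) findings.push('Server header discloses a software version');
  return findings;
}

// Constructed sample: a typical unhardened response.
const weakResponse = {
  'Content-Type': 'text/html; charset=utf-8',
  'Server': 'nginx/1.18.0',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Access-Control-Allow-Origin': '*',
  'Referrer-Policy': 'unsafe-url',
};

// Constructed sample: the same response after hardening.
const hardenedResponse = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), camera=(), microphone=()',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditHeaders(weakResponse));         // 8 findings
  console.log('hardened:', auditHeaders(hardenedResponse)); // []
}
```

The checks are deliberately conservative: a CSP finding on 'unsafe-inline' or a wildcard for scripts means the policy adds little against XSS, and the Access-Control-Allow-Origin finding is a prompt to confirm the response carries nothing sensitive rather than a verdict. Feed the function a real response's headers (for example the headers object from a Node http request) to get the same report for a live site.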

Implementing these headers correctly strengthens the security posture of web applications and websites by blocking whole classes of attacks and limiting unauthorized access to data. Because most of them are enforced by the browser, they protect users only on responses that actually carry them, so set them on every response, including error pages and API responses, not just the home page.
