Security headers are HTTP response headers that tell the browser how to treat a page and the resources it loads. Set correctly, they block or blunt whole classes of attack: cross-site scripting (XSS), clickjacking, MIME-type confusion, protocol downgrade and leakage of sensitive URLs through the Referer header. You can inspect the headers of any site with tools such as curl, nmap or OWASP ZAP, as described below.
View Security Headers
To view the security headers of a webpage, you can use several methods:
Browser Developer Tools:
In most modern browsers, you can view HTTP headers using the Developer Tools (DevTools).
- Open your browser’s DevTools (usually with F12 or Ctrl + Shift + I).
- Go to the Network tab.
- Reload the page and click on the request for the webpage (usually labeled with the domain name).
- Look under the Headers section to view both request and response headers, including any security headers such as Content-Security-Policy, Strict-Transport-Security and others.
Command-Line Tools:
You can use these command-line tools to fetch the headers directly from the website.
- curl: fetch only the response headers with the -I option, which sends a HEAD request:
> curl -I https://example.com
This prints the headers the server sent, including any security headers. Request the https:// URL: browsers ignore Strict-Transport-Security on a plain-HTTP response, and servers commonly emit it only on HTTPS. Some servers answer HEAD differently from GET; if the output looks incomplete, fetch the page with a normal GET and have curl dump the headers to standard output instead (its -D - option does that).
- nmap: the http-headers NSE script takes a host and port, not a URL:
> nmap -p 80,443 --script http-headers example.com
Add -v for more verbose output. Scanning both ports shows whether the HTTP and HTTPS responses differ, which is often where an HSTS or redirect misconfiguration hides.
- OWASP ZAP: ZAP's passive scan rules raise alerts for missing or weak headers (for example a missing Content-Security-Policy, X-Content-Type-Options or anti-clickjacking header) on every response it sees while you browse or spider the target, so header checks come for free as part of a broader web application scan.
Online Tools:
Websites like securityheaders.com allow you to quickly check the security headers for a given URL. Just enter the domain name and it will show you which headers are set and any recommendations for improvement.
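To turn a header dump into an actionable result, here is an added example (not code from the original article or from any of the tools above) that parses the text curl -I prints and flags missing or weak headers. The two sample responses are constructed for this example, not captures of a real site, and the thresholds it applies (a one-year HSTS max-age, a nonce or hash whenever script-src contains 'unsafe-inline', no-store or private on cookie-setting responses) are this example's recommendations rather than values any specification mandates.

```javascript
// Added example: audit a raw HTTP response header block, such as the text
// printed by `curl -I https://example.com`. Not code from the original
// article; both samples below are constructed for this example.

// Constructed sample of a weakly configured response (not a real capture).
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=86400',
  'x-frame-options: SAMEORIGIN',
  'x-xss-protection: 1; mode=block',
  'referrer-policy: no-referrer-when-downgrade',
  'set-cookie: session=abc; Path=/',
  '',
].join('\r\n');

// Constructed sample of a response that passes every check below.
const HARDENED_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  "content-security-policy: default-src 'self'; script-src 'self' 'nonce-R4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'strict-transport-security: max-age=63072000; includeSubDomains; preload',
  'x-content-type-options: nosniff',
  'referrer-policy: strict-origin-when-cross-origin',
  'cache-control: no-store',
  'set-cookie: session=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
  '',
].join('\r\n');

const ONE_YEAR = 31536000;

// Parse "Name: value" lines into a Map keyed by lower-cased name. The status
// line and blank lines are skipped; repeated headers are joined with ", ".
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || /^HTTP\//i.test(line)) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Return the list of findings for one parsed response; empty means clean.
function auditHeaders(headers) {
  const findings = [];
  const get = (name) => headers.get(name.toLowerCase()) || '';

  const csp = get('Content-Security-Policy');
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const scriptSrc = (csp.match(/(?:^|;)\s*script-src\s+([^;]*)/i) || [null, ''])[1];
    if (/'unsafe-inline'/i.test(scriptSrc) && !/'(nonce-|sha(256|384|512)-)/i.test(scriptSrc)) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
  }

  const hsts = get('Strict-Transport-Security');
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [null, '0'])[1]);
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year (${ONE_YEAR})`);
    if (/preload/i.test(hsts) && !/includeSubDomains/i.test(hsts)) {
      findings.push('HSTS preload requires includeSubDomains');
    }
  }

  if (get('X-Content-Type-Options').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  // Either CSP frame-ancestors or a restrictive X-Frame-Options stops framing.
  const xfo = get('X-Frame-Options').toUpperCase();
  if (!/frame-ancestors/i.test(csp) && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('no clickjacking protection (frame-ancestors or X-Frame-Options)');
  }

  // The legacy XSS auditor is gone from current browsers and was abusable as
  // a side channel; the only safe value is 0 (or no header at all).
  const xxp = get('X-XSS-Protection');
  if (xxp && xxp.trim() !== '0') {
    findings.push('X-XSS-Protection enables the legacy XSS auditor; set it to 0 or remove it');
  }

  const referrer = get('Referrer-Policy').toLowerCase();
  if (['', 'unsafe-url', 'no-referrer-when-downgrade'].includes(referrer)) {
    findings.push(`Referrer-Policy "${referrer || '(absent)'}" can leak full URLs to third parties`);
  }

  // A response that sets a cookie is personalised; it should not be cacheable
  // by a shared cache, and usually should not be stored at all.
  if (get('Set-Cookie') && !/\b(no-store|private)\b/i.test(get('Cache-Control'))) {
    findings.push('response sets a cookie but Cache-Control has neither no-store nor private');
  }
  return findings;
}

// Convenience wrapper: raw header text in, findings out.
function auditRaw(raw) {
  return auditHeaders(parseHeaders(raw));
}

console.log(auditRaw(SAMPLE_RESPONSE));   // six findings for the weak sample
console.log(auditRaw(HARDENED_RESPONSE)); // []
```

Feed it the output of curl by piping, or paste a header block in; the checks are deliberately independent of each other so you can add your own (a Permissions-Policy check, a Set-Cookie attribute check) without touching the rest.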
Modify Security Headers
Security headers are typically set at the web server level, and you can modify them in various configuration files depending on your server software:
Apache Web Server:
To modify security headers in Apache, edit the .htaccess file or the main configuration file (httpd.conf or apache2.conf). The Header directive is provided by mod_headers, so that module must be loaded (on Debian-style layouts, a2enmod headers). Use the always condition: a plain Header set applies only to successful (2xx) responses, while Header always set also attaches the header to non-2xx responses such as redirects and error pages, which attackers can target just as easily.
Example to add a Content-Security-Policy header:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://apis.example.com"
NGINX Web Server:
For NGINX, security headers are set with add_header in the site's configuration file (e.g., /etc/nginx/sites-available/your-site), inside the server block that listens on port 443. Two pitfalls: add_header directives are inherited from the enclosing level only if the current level defines none of its own, so a single add_header inside a location block silently drops every header set at server level (repeat them all there, or keep them in a file you include at each level); and without the always parameter the header is only added to 2xx and 3xx responses, not to error pages. Leave preload out of the value until the preload requirements described below are met.
Example to add HSTS:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Cloudflare or Other CDNs:
If you're using a CDN like Cloudflare, you can set headers at the edge from the CDN's dashboard. Cloudflare, for instance, has an HSTS switch under SSL/TLS > Edge Certificates and lets you add, change or remove arbitrary response headers with Transform Rules (Modify Response Header); Page Rules cannot add custom headers. An edge header only protects traffic that actually passes through the CDN, so the origin should still send the same headers in case it is reached directly.
Web Application Firewalls (WAF):
Some WAF and edge platforms can inject response headers from their rules engine, which lets you enforce a header without touching the application's configuration. Check what your product actually supports before planning on it: ModSecurity, for example, inspects and blocks traffic but does not add response headers by itself (under Apache you pair it with mod_headers), and AWS WAF adds custom headers to the requests it forwards rather than to the responses it returns. Where a WAF can set a header, treat it as a backstop, not as a replacement for setting it at the origin.
Backend Frameworks or Code:
If you're using a backend framework, such as Express.js (Node.js) or Django (Python), you can set security headers from the framework's settings or middleware. Django exposes them as settings such as SECURE_HSTS_SECONDS and SECURE_CONTENT_TYPE_NOSNIFF; for Express the helmet package sets a sensible baseline. Register the middleware before any route handler so that every response, error responses included, carries the headers.
Example for Express.js:
app.use((req, res, next) => {
  // Runs for every request; setHeader must be called before the body is sent.
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  next();
});
Note that this snippet sends HSTS on every response, including plain-HTTP ones, where browsers ignore it; behind a TLS-terminating proxy the application only knows it is serving HTTPS from a forwarded-protocol header, which it should trust only when the proxy is the sole path in.
Once you have changed the configuration, reload or restart the server (apachectl graceful, nginx -s reload, or a restart of the Node process) and confirm the result with one of the inspection methods above: a mistyped header name is silently ignored by browsers.
Security Header Overview and Configuration Examples
Content-Security-Policy (CSP)
A powerful security header that helps prevent cross-site scripting (XSS) and other content injection attacks by specifying allowed sources for scripts, styles, images, and other resources.
Options (directives):
- default-src: the fallback source list for every fetch directive that is not set explicitly.
- script-src: sources from which scripts may be loaded; inline scripts are blocked unless allowed by a nonce or hash.
- style-src: sources from which stylesheets may be loaded.
- img-src: sources from which images may be loaded.
- connect-src: endpoints the page may reach with fetch, XMLHttpRequest, WebSocket and EventSource.
Two directives do not fall back to default-src and should be set explicitly: object-src 'none' blocks plug-in content, and frame-ancestors (see X-Frame-Options below) controls who may frame the page. base-uri 'self' stops an injected <base> tag from redirecting relative script URLs to an attacker's host.
Installation Example:
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://fonts.example.com;
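Reading a policy is easy; predicting what the browser will actually block is not, because of the default-src fallback chain and the host-matching rules. The following added example (not code from the original article or from any browser) is a simplified CSP source matcher that answers "would this policy let the page load this URL for this directive?". It models the fallback to default-src (and the longer chains for frame-src, worker-src and script-src-elem), the 'self' and 'none' keywords, scheme sources and host sources with *. wildcards, ports and path prefixes. Nonces, hashes, 'strict-dynamic' and the finer points of the specification's scheme and path rules are deliberately not modelled; the URLs it is run against are constructed for the example.

```javascript
// Added example (not from the original article or any browser's code): a
// simplified CSP source matcher. Names such as cspAllows are this example's.

// Which directives fall back to which, in order, when not set explicitly.
// frame-ancestors has no fallback: if absent, framing is unrestricted by CSP.
const FALLBACK = {
  'script-src': ['default-src'], 'style-src': ['default-src'],
  'img-src': ['default-src'], 'connect-src': ['default-src'],
  'font-src': ['default-src'], 'media-src': ['default-src'],
  'object-src': ['default-src'], 'child-src': ['default-src'],
  'manifest-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'script-src-elem': ['script-src', 'default-src'],
  'frame-ancestors': [],
};

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "directive src src; directive src" into a Map. When a directive is
// repeated, browsers keep the first occurrence and ignore the rest.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs `directive`, following the fallback chain.
// Returns null when nothing in the policy applies (the load is unrestricted).
function effectiveSources(directives, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// Does one source expression match `url` for a page at `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const kw = expr.toLowerCase();
  if (kw === "'none'") return false;
  if (kw === "'self'") return url.origin === pageOrigin.origin;
  if (kw.startsWith("'")) return false;               // nonce/hash/unsafe-*: not URL matchers
  if (kw === '*') return url.protocol in DEFAULT_PORT; // any network scheme, not data:/blob:
  if (/^[a-z][a-z0-9+.-]*:$/.test(kw)) return url.protocol === kw;  // scheme-source

  const m = expr.match(/^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?(\*\.)?([A-Za-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/);
  if (!m) return false;
  const scheme = m[1] ? `${m[1].toLowerCase()}:` : null;
  const wildcard = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const port = m[4];
  const path = m[5];

  // Scheme: an explicit one must match; without one, the page's own scheme or
  // a secure scheme is accepted (the spec permits upgrading http to https).
  const schemeOk = scheme
    ? url.protocol === scheme
    : url.protocol === pageOrigin.protocol || ['https:', 'wss:'].includes(url.protocol);
  if (!schemeOk) return false;
  // Host: "*.example.com" matches subdomains only, never example.com itself.
  if (wildcard ? !url.hostname.endsWith(`.${host}`) : url.hostname !== host) return false;
  // Port: an explicit port or "*"; otherwise the default port for the scheme.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === '*') {
    // any port is acceptable
  } else if (port) {
    if (urlPort !== port) return false;
  } else if (urlPort !== (DEFAULT_PORT[scheme || url.protocol] || '')) {
    return false;
  }
  // Path: a trailing "/" means prefix match, otherwise the path must be exact.
  if (path && path !== '/') {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Top-level check. `pageOrigin` is the URL of the page carrying the policy.
function cspAllows(policy, directive, urlString, pageOrigin) {
  const sources = effectiveSources(parseCsp(policy), directive.toLowerCase());
  if (sources === null) return true;
  const url = new URL(urlString);
  const page = new URL(pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// The policy from the article, evaluated for a page on https://www.example.com/.
const POLICY = "default-src 'self'; script-src 'self' https://apis.example.com; style-src 'self' https://fonts.example.com;";
const PAGE = 'https://www.example.com/';
console.log(cspAllows(POLICY, 'script-src', 'https://apis.example.com/v1.js', PAGE)); // true
console.log(cspAllows(POLICY, 'img-src', 'https://cdn.example.com/logo.png', PAGE)); // false: default-src 'self'
```

Two results worth noticing: the article's policy does not mention frame-ancestors, so the matcher reports framing as unrestricted, and an http:// copy of the allowed API host is refused because the source expression names https explicitly.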
Strict-Transport-Security (HSTS)
Tells the browser to reach the site only over HTTPS for a period of time: plain-HTTP URLs are rewritten to HTTPS before any request leaves the browser, and certificate errors can no longer be clicked through. This defeats SSL-stripping downgrade attacks on later visits; the very first visit is protected only if the domain is on the browsers' preload list.
Options:
- max-age: time in seconds for which the browser remembers the rule; a value of 0 tells it to forget the rule.
- includeSubDomains: apply the rule to all subdomains as well (make sure every subdomain really serves HTTPS first).
- preload: signals consent to inclusion in the browser preload list. The directive alone does nothing; you must submit the domain at hstspreload.org, which requires a max-age of at least 31536000, includeSubDomains, preload and an HTTP-to-HTTPS redirect on the domain itself. Removal from the list takes months, so only add preload once every subdomain is ready.
The header is only honoured when received over HTTPS; browsers ignore it on plain-HTTP responses.
Installation Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options
Tells the browser not to guess (sniff) a resource's type from its content and to honour the Content-Type header instead. Without it, a browser may execute an uploaded file served as text/plain as a script, turning a harmless upload into XSS.
Options:
- nosniff: the only value. Scripts and stylesheets whose Content-Type is not a script or CSS type are then refused outright, so make sure static files are served with correct types.
Installation Example:
X-Content-Type-Options: nosniff
X-Frame-Options
Helps prevent clickjacking attacks by controlling whether the page may be embedded in a frame or iframe.
Options:
- DENY: no site, including your own, may frame the page.
- SAMEORIGIN: only pages from the same origin may frame it.
- ALLOW-FROM uri: obsolete; modern browsers ignore it. To allow specific framing origins use the CSP directive frame-ancestors, which supersedes this header and takes precedence wherever both are understood.
Keep X-Frame-Options for older browsers, but treat frame-ancestors as the real control.
Installation Example:
X-Frame-Options: DENY
X-XSS-Protection
Controlled the XSS auditor that older browsers shipped for reflected XSS. The auditor has been removed from Chrome and Edge and was never implemented in Firefox; worse, its filtering and blocking behaviour could be abused as a side channel to leak page content. Current guidance is therefore to disable it explicitly and to rely on Content-Security-Policy for XSS defence.
Options:
- 0: disables the filter (recommended).
- 1: enables the filter and sanitises the page.
- 1; mode=block: enables the filter and blocks rendering when an attack is detected.
Installation Example:
X-XSS-Protection: 0
Referrer-Policy
Controls how much of the current page's URL is sent in the Referer header when the user follows a link or the page loads a resource. Full URLs often carry session tokens, password-reset links or search terms, so a permissive policy leaks them to every third party the page references.
Options:
- no-referrer: never send a Referer.
- no-referrer-when-downgrade: send the full URL (minus fragment and credentials) to any destination, except when going from HTTPS to HTTP. This was the old browser default, and it still leaks full URLs to third parties reached over HTTPS.
- origin: send only the origin (scheme, host, port), to every destination.
- strict-origin-when-cross-origin: full URL for same-origin requests, origin only for cross-origin requests, nothing on an HTTPS-to-HTTP downgrade. This is the current default in major browsers and a good explicit choice.
Installation Example:
Referrer-Policy: strict-origin-when-cross-origin
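The difference between these values is easiest to see by computing what a browser would actually put in the Referer header. The following added example (not code from the original article or from any browser) does that for every policy value, following the rules above; the page and tracker URLs are constructed for the example. It models the policy rules only: browsers additionally never send a Referer from non-http(s) pages, and the value can also be set per element with the referrerpolicy attribute.

```javascript
// Added example (not code from the original article or a browser): compute
// the Referer value sent for a request from `fromUrl` to `toUrl` under a
// given Referrer-Policy. Names such as refererFor are this example's own.

// Strip fragment and credentials: the most a browser will ever send.
function fullReferrer(from) {
  const u = new URL(from.href);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Origin form: scheme://host[:port]/ with a trailing slash.
function originReferrer(from) {
  return `${from.origin}/`;
}

// A "downgrade" is a request from a TLS-protected page to an unprotected URL.
function isDowngrade(from, to) {
  const secure = (u) => u.protocol === 'https:' || u.protocol === 'wss:';
  return secure(from) && !secure(to);
}

// Returns the Referer string, or null when no Referer header is sent.
// An empty policy means the browser default, which in current browsers is
// strict-origin-when-cross-origin.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  switch ((policy || 'strict-origin-when-cross-origin').toLowerCase()) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullReferrer(from);
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : fullReferrer(from);
    case 'origin':
      return originReferrer(from);
    case 'same-origin':
      return sameOrigin ? fullReferrer(from) : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originReferrer(from);
    case 'strict-origin-when-cross-origin':
      if (isDowngrade(from, to)) return null;
      return sameOrigin ? fullReferrer(from) : originReferrer(from);
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Constructed scenario: a password-reset page whose URL carries the token,
// loading a third-party tracking pixel over HTTPS. The old default leaks it.
const RESET_PAGE = 'https://shop.example/reset?token=s3cr3t#form';
const TRACKER = 'https://ads.example/pixel.gif';
console.log(refererFor('no-referrer-when-downgrade', RESET_PAGE, TRACKER));      // https://shop.example/reset?token=s3cr3t
console.log(refererFor('strict-origin-when-cross-origin', RESET_PAGE, TRACKER)); // https://shop.example/
```

Run it against your own sensitive URLs and the third-party hosts your pages reference; any policy that returns the full URL for a cross-origin destination is handing that URL to the third party.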
Feature-Policy (Permissions-Policy)
Lets a site declare which browser features and APIs the page, and any frames it embeds, may use. The header was introduced as Feature-Policy and renamed Permissions-Policy with a new syntax; send Permissions-Policy, and only if you still need very old browsers add Feature-Policy alongside it.
Options (a selection of the features that can be controlled):
- geolocation: access to the Geolocation API.
- camera: access to the camera.
- microphone: access to the microphone.
Each feature takes an allowlist: () allows nobody, self allows the page's own origin, and quoted origins such as "https://maps.example.com" allow specific third parties. Features you do not mention keep their browser default, so list every feature you want to deny.
Installation Example:
Permissions-Policy: geolocation=(), camera=(), microphone=(self)
Cache-Control
Tells browsers and intermediate caches whether and for how long a response may be stored. The security concern is sensitive responses (account pages, API results, downloads) ending up in a shared cache or on disk on a shared machine.
Options:
- no-store: the response must not be stored anywhere; use this for sensitive content.
- no-cache: the response may be stored but must be revalidated with the server before reuse. Despite its name, it does not prevent storage.
- private: only the end user's browser may cache the response; shared caches such as proxies and CDNs must not.
- max-age: number of seconds for which the response is considered fresh.
Installation Example:
Cache-Control: no-store
Additional Headers
Other headers that enhance security include:
- Content-Security-Policy-Report-Only: reports violations to the endpoint named by report-to or report-uri without enforcing the policy, so you can test a CSP against real traffic before switching to the enforcing header.
- Cross-Origin-Opener-Policy: same-origin puts the page in its own browsing context group, cutting the window.opener link to cross-origin pages that opened it or that it opened; this stops cross-window attacks such as tabnabbing and is one of the two headers needed for cross-origin isolation.
- Cross-Origin-Embedder-Policy: require-corp makes the browser refuse cross-origin subresources unless they opt in through CORS or a Cross-Origin-Resource-Policy header. Together with COOP it enables cross-origin isolation, which is required for SharedArrayBuffer and high-resolution timers.
- Public-Key-Pins (HPKP): pinned specific public keys to prevent MITM with fraudulently issued certificates. It has been removed from all major browsers and should not be deployed; a mistake could lock users out of the site for the lifetime of the pin. Certificate Transparency monitoring and CAA DNS records are the current alternatives.
Conclusion
Implementing proper security headers is an essential step toward securing your web application. These headers protect against a wide range of attacks, such as XSS, clickjacking, and MITM. By configuring these headers correctly, you help safeguard your users and their data from malicious actors. Use the tools and configurations outlined above to test and enforce these headers and ensure your web application is secure.