HTTP security headers are one of the most basic yet powerful parts of web security. With their help you can take your web application's security to the next level: they defend your website against many of the attacks it is likely to encounter.
These headers are so effective that, once enabled, they protect your website from common attacks such as clickjacking, code injection, cross-site scripting, and many more.
So, in this post, we explain the HTTP security header list, how each header helps you, and how you can implement them.
Stay tuned and let’s get started!
What is an HTTP Security Header?
Basically, HTTP security headers are a set of directives exchanged between your web browser (or any web client) and a web server to specify the security-related details of the HTTP communication. This exchange of information is part of the HTTP protocol. The directives tell the browser what it is, and is not, allowed to load or display for your website, so that the site stays secure and no malicious content is injected.
These directives help protect both your web browser and your website from security threats such as hacker attacks and malicious code injection. So, this security strategy acts as an overall defense system.
Why Do You Need to Implement HTTP Security Headers?
As you have probably noticed, many articles and reports have been circulating on the internet about the sharp rise in cyber-attacks and data breaches in recent years. One of the main culprits behind these incidents is poor security measures and misconfigurations.
HTTP security headers help stop some of the most common attacks: malware injection, clickjacking, malicious script injection, and so on. They provide an extra layer of protection by restricting certain behaviour between the server and the web browser while the web application is running.
Although many HTTP headers are available, the question is which ones you should implement to get better protection. Like any web technology, headers change over time: new ones appear and old ones disappear depending on browser support.
So it is essential that you decide which HTTP headers to implement and which not to, but for now you should implement the following 8 HTTP security headers, which protect you from some of the most common threats.
Apart from that, you can also strengthen your website's security by choosing top-notch VPS hosting for WordPress sites.
In addition, HTTP security headers can also help improve your website's SEO score.
Run Security Headers Check
Before you proceed, the first thing to do is run a security header check on your website. This makes it easy to see which essential security headers are missing from your website.
To do so, visit the Security Headers website and enter your website address, as shown in the picture below:
When you enter your website URL and hit the Scan button, a comprehensive report is generated showing any missing HTTP security headers in red, together with a grade that indicates how safe your website is.
In the above image you can see the HTTP security headers that were not detected; each of them is explained and listed in the section below.
Most Important HTTP Security Header List
Let us check out some of the most important HTTP security headers you must implement on your web applications to enhance security and enable an extra layer of protection.
1. X-Frame-Options
X-Frame-Options was first introduced by Microsoft in Internet Explorer, and it helps protect against malicious script injection or cross-site scripting attacks. This HTTP security header protects your website against being framed by telling the browser whether or not it may render your page inside an iFrame.
It mainly protects against clickjacking attacks, in which an attacker layers hidden elements over a link or button to redirect users to another page and steal their vital information.
Syntax to follow:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM URL
Instructions Explanation:
DENY: The page may not be rendered in an iFrame at all.
SAMEORIGIN: The page may be rendered in an iFrame only by pages from the same origin.
ALLOW-FROM: The page may be rendered in an iFrame only from the specified URL.
2. Strict-Transport-Security
Strict-Transport-Security, or HTTP Strict Transport Security (HSTS), helps protect against man-in-the-middle (MITM) attacks and cookie hijacking when enabled. This directive forces the browser to communicate over HTTPS rather than HTTP.
To understand how it works, suppose you were running a website on HTTP and migrated it to HTTPS. Your old visitors will still try to open the old http:// URL, and since the site has moved to HTTPS, that URL redirects them to the new one.
The catch is that your visitors still reach the unencrypted version of your website before being redirected to the encrypted URL. In that window, an attacker has the opportunity to carry out a man-in-the-middle attack.
But when you enable Strict-Transport-Security, the browser is instructed not to load the site over HTTP at all and to communicate over HTTPS only.
Syntax to follow:
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Instructions Explanation
max-age=<expire-time>: How long, in seconds, the browser should remember to access the site only over HTTPS.
max-age=<expire-time>; includeSubDomains: If this directive is present, the rule above also applies to all subdomains of the website.
max-age=<expire-time>; preload: Indicates that the website is to be included in the browsers' global list of HTTPS-only sites (the HSTS preload list).
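To make the sequence described above concrete, here is an added example (not code from the original post) that models the browser side in Python: a small HSTS cache that records the header's max-age and includeSubDomains values and rewrites later http:// URLs to https:// before any plaintext request leaves the client. The host names, times and header values are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal model of a browser's HSTS cache (constructed example, not a real browser)."""

    def __init__(self):
        # host -> (expiry time in seconds, includeSubDomains flag)
        self.policies = {}

    def process_response(self, host, header_value, now):
        """Record the policy from a Strict-Transport-Security value; False if it is ignored."""
        max_age, include_sub = None, False
        for raw in header_value.split(";"):
            token = raw.strip()
            if token.lower().startswith("max-age="):
                max_age = int(token.split("=", 1)[1].strip().strip('"'))
            elif token.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                          # a header without max-age is ignored
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)         # max-age=0 tells the browser to forget the host
            return True
        self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if now < expiry and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// locally, before any request is sent.

        Assumes URLs without an explicit port; a real browser also maps port 80 to 443.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

The very first visit to http://example.com is still sent in plaintext; only after the site has answered over HTTPS with the header does the cache upgrade later requests, which is why the preload list exists.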
3. Content Security Policy
This HTTP security header instructs the browser to load only the content allowed by the policy. It gives you control over your website's resources: the browser loads only the content sources that you have whitelisted.
It tells the browser where it may load resources such as scripts, images, or CSS from. If you implement this header successfully, it protects your website from clickjacking, cross-site scripting (XSS), and other malicious code injection.
Although it does not guarantee 100% protection, it helps prevent attacks and limit the possible damage. The majority of browsers now recognise this serious issue and support the header.
Syntax to follow:
Content-Security-Policy: <policy-directive>; <policy-directive>
Instruction Explanation
<policy-directive>: Any policy directive, such as script-src (scripts), img-src (images), or style-src (stylesheets), followed by the sources it allows to load.
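As an added example that is not part of the original post, the simplified Python model below shows how a browser consults the policy before fetching a resource: it looks up the directive for the resource type (script-src, img-src, style-src), falls back to default-src, and matches the resource URL against the listed sources. It handles only 'self', 'none', '*', scheme, host and *.host sources; nonces, hashes and the other CSP source expressions are left out, and the page origin and policy are constructed.

```python
from urllib.parse import urlsplit


def parse_csp(header_value):
    """Turn "script-src 'self' https://cdn.example.net; img-src *" into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(source, page_origin, resource_url):
    """Simplified CSP source matching (constructed example, not the full specification)."""
    res = urlsplit(resource_url)
    if source == "'self'":
        return f"{res.scheme}://{res.netloc}" == page_origin
    if source == "*":
        return True
    if source.endswith(":"):                     # scheme source such as https:
        return res.scheme == source[:-1]
    if source.startswith("*."):                  # wildcard host such as *.example.net
        return res.hostname is not None and res.hostname.endswith(source[1:])
    # Host source, with or without scheme; a bare host takes the resource's scheme here.
    src = urlsplit(source if "://" in source else f"{res.scheme}://{source}")
    return (src.scheme, src.netloc) == (res.scheme, res.netloc)


def csp_allows(header_value, page_origin, resource_type, resource_url):
    """Return True if fetching resource_url as a script/img/style/object is permitted."""
    policy = parse_csp(header_value)
    sources = policy.get(f"{resource_type}-src", policy.get("default-src"))
    if sources is None:
        return True                  # no applicable directive: the policy does not restrict it
    if sources == ["'none'"]:
        return False
    return any(_source_matches(s, page_origin, resource_url) for s in sources)
```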
4. X-Content-Type-Options
This header lets you restrict or prevent MIME type sniffing by telling the browser that the MIME types have been deliberately configured on the server. Basically, MIME sniffing gives attackers an opportunity to get an injected malicious script executed.
For example, suppose an attacker has injected a malicious resource that changes the response of an otherwise innocent resource, say an image. Because of MIME sniffing, the browser, instead of treating the content as an image, starts executing the malicious resource that was injected.
When you enable this header, the browser is forced to follow only the MIME types specified in the Content-Type header. This way you can easily prevent malicious script injection and cross-site scripting attacks.
Syntax to follow:
X-Content-Type-Options: nosniff
Instruction Explanation:
The nosniff directive blocks a request immediately when:
- the request destination is style and the MIME type is not text/css
- the request destination is script and the MIME type is not a JavaScript MIME type
5. Referrer Policy
This security header lets you control whether referrer information is revealed and, if so, how much of it.
For same-origin requests the browser can send the full referrer; for other requests it shares only information about the origin.
Syntax to follow:
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: no-referrer-when-downgrade
Instruction explanation:
origin-when-cross-origin: The browser sends the complete referrer for same-origin requests; for other requests it sends only the origin.
no-referrer-when-downgrade: The browser does not send the Referer header for requests to less secure destinations (from an HTTPS page to an HTTP URL).
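The two values above decide what the browser puts in the Referer header. The added Python example below (not code from the original post) computes that value for them and, going a little beyond the text, for the stricter no-referrer, same-origin and strict-origin-when-cross-origin policies; all URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _full_referrer(url):
    """Full referrer: browsers strip the fragment and any embedded credentials."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(policy, page_url, request_url):
    """Return the Referer value a browser sends for request_url from page_url, or None.

    Constructed model of the Referrer-Policy values named; not a browser implementation.
    """
    same_origin = _origin(page_url) == _origin(request_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        # Full referrer everywhere except on an HTTPS -> HTTP downgrade.
        return None if downgrade else _full_referrer(page_url)
    if policy == "same-origin":
        return _full_referrer(page_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        # Full referrer to the same origin, origin only (serialised with a trailing /) elsewhere.
        return _full_referrer(page_url) if same_origin else _origin(page_url) + "/"
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return _full_referrer(page_url) if same_origin else _origin(page_url) + "/"
    raise ValueError(f"unsupported policy: {policy}")
```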
6. Feature or Permissions-Policy
This security header lets a website decide whether or not to grant access to a particular browser feature or API. With its help you can control functionality that could compromise your users' privacy and allow it only where you find it legitimate and necessary.
For example, if you do not want the website to access the microphone, webcam, or location, you can restrict those features with the syntax given below:
Feature-Policy: microphone 'none'; camera 'none'
Feature-Policy: geolocation 'self'; vibrate 'none'
Permissions-Policy: geolocation=(self), vibrate=()
Syntax to follow:
Feature-Policy: <directive> <allowlist>
Instruction Explanation:
The <directive> can be any feature, such as accelerometer, autoplay, ambient-light-sensor, battery, camera, microphone, or geolocation.
The <allowlist> is a list of origins that takes one or more space-separated values such as 'none' or 'self'. For reference, the complete list of directives and allowlist values is available here.
7. X-Permitted-Cross-Domain-Policies
With this HTTP security header you instruct clients how to handle cross-domain requests for your site's resources. When you enable it, you limit other domains from loading your website's assets unnecessarily, so that your website's resources are used efficiently.
This security header is optional and not strictly necessary, but it is good practice to enable it.
Syntax to follow:
X-Permitted-Cross-Domain-Policies: none
8. X-XSS-Protection
The X-XSS-Protection, or cross-site scripting protection, header was introduced to protect against cross-site scripting attacks. These attacks are very common and effective, hence the majority of web browsers enabled XSS protection by default.
An attacker may try to infect a website by injecting malicious JavaScript code during an HTTP request in order to steal confidential information such as transaction data or personal data. When such a cross-site scripting attack is detected, the XSS protection filter stops it immediately.
However, this filter was only available in older browsers and is now unnecessary in modern ones, especially if you have already implemented a good Content Security Policy. It does no harm to keep it in case your visitors still use old browsers that do not understand Content Security Policy.
Syntax to follow:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
Explanation:
0: disables XSS filtering.
1: enables XSS filtering.
1; mode=block: the browser stops rendering the page entirely when a cross-site scripting attack is detected.
1; report=<reporting-uri>: when an XSS attack is detected, the browser blocks the unsafe part of the page and reports the violation to the given URI.
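A local version of the "Run Security Headers Check" step from earlier, written as an added Python example (not the online scanner the post mentions, nor code from the post): given the response headers of a page as a dictionary, it reports which of the eight headers above are missing and flags weak values. The 180-day HSTS threshold, the flagging of 'unsafe-inline' and 'unsafe-eval' in a CSP, and the rule that only DENY and SAMEORIGIN count as acceptable X-Frame-Options values are my own assumptions.

```python
WEAK_MAX_AGE = 15552000   # 180 days; shorter HSTS lifetimes are flagged (my threshold, not a standard)


def _hsts_finding(value):
    for field in (f.strip().lower() for f in value.split(";")):
        if field.startswith("max-age="):
            try:
                max_age = int(field.split("=", 1)[1])
            except ValueError:
                return "max-age is not a number"
            return None if max_age >= WEAK_MAX_AGE else f"max-age {max_age} is shorter than {WEAK_MAX_AGE} seconds"
    return "missing max-age directive"


def _csp_finding(value):
    weak = [kw for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in value]
    return f"policy contains {' and '.join(weak)}" if weak else None


def _one_of(allowed, label):
    """Build a check that accepts only the listed values (case-insensitive, quotes stripped)."""
    def check(value):
        cleaned = value.strip().strip('"').lower()
        return None if cleaned in allowed else f"value {value!r} is {label}"
    return check


# Header name -> value check; a check returns None when the value is acceptable.
# The last three headers are checked for presence only.
CHECKS = {
    "strict-transport-security": _hsts_finding,
    "content-security-policy": _csp_finding,
    "x-frame-options": _one_of({"deny", "sameorigin"}, "neither DENY nor SAMEORIGIN"),
    "x-content-type-options": _one_of({"nosniff"}, "not nosniff"),
    "x-permitted-cross-domain-policies": _one_of({"none"}, "not none"),
    "referrer-policy": lambda value: None,
    "permissions-policy": lambda value: None,   # Feature-Policy is accepted as an alias
    "x-xss-protection": lambda value: None,
}


def audit_headers(headers):
    """Return {header: finding} for each missing or weak header; {} means nothing to report."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if "feature-policy" in lowered:
        lowered.setdefault("permissions-policy", lowered["feature-policy"])
    findings = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            findings[name] = "missing"
        elif (problem := check(lowered[name])) is not None:
            findings[name] = problem
    return findings
```

Feed it the headers captured from your own site (for example from a curl -I response) and fix whatever it lists before re-running the online scan.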
How to Implement the HTTP Security Headers Vulnerability Fix on Your Website?
If your web hosting provider gives you access to either the .htaccess or the wp-config.php file, it is easy to implement the HTTP security header vulnerability fix on your website by adding the HTTP security headers to one of them.
WPOven provides SSH access, through which you can easily reach the File Manager and edit your .htaccess file.
Step 1: First, enable SSH access for the site. To do this, open the site from the WPOven dashboard.
Navigate to the ‘Tools’ section.
Then, from the ‘Tools’ section, press the ‘Enable SSH access’ button at the bottom of the page.
Step 2: Once SSH access is enabled for the site, you can log in via third-party applications such as PuTTY or PenguiNet using your site’s SFTP login credentials.
Alternatively, you can reach your .htaccess or wp-config.php file directly through an FTP client such as FileZilla.
All you need to do is just follow the steps given below:
- First, connect to your WordPress website with an FTP client. This lets you edit your .htaccess file, which is found in the root directory of your WordPress installation.
- If the .htaccess file is not visible, enable showing hidden files.
- No special editor is needed; you can write the code in any text editor such as Notepad.
- Add the code below to the .htaccess file. It is advisable to add it at the end of the file.
- When you find the file, download it to your local drive and open it in a text editor (standard Notepad is the simplest option). Add the following code at the bottom of the file:
<IfModule mod_headers.c>
  # X-Frame-Options: use exactly one of DENY, SAMEORIGIN or ALLOW-FROM URL
  Header always set X-Frame-Options "DENY"
  # Strict-Transport-Security: keep max-age; add includeSubDomains and/or preload as needed.
  # Sent only on HTTPS responses, where the browser will honour it.
  Header always set Strict-Transport-Security "max-age=<expire-time>; includeSubDomains" env=HTTPS
  Header always set Content-Security-Policy "<policy-directive>; <policy-directive>"
  Header always set X-Content-Type-Options "nosniff"
  # Referrer-Policy: use exactly one of origin-when-cross-origin or no-referrer-when-downgrade
  Header always set Referrer-Policy "origin-when-cross-origin"
  Header always set Feature-Policy "<directive> <allowlist>"
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # X-XSS-Protection: use exactly one of 0, 1, "1; mode=block" or "1; report=<reporting-uri>"
  Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Change the directives and values as required, then save the file and upload it.
Alternatively, you can apply these security headers in your web server configuration files. However, if you would rather not make the changes yourself and you are a WPOven client, you can open a support ticket and we will quickly do it for you.
Summary
From the above post you can see how important it is to have HTTP security headers enabled on your website, and to what extent they harden its security. These protections have been implemented by default in the latest and most advanced browsers, but I still found no reason not to use them.
If you have no access to your web server and find this difficult, it is always better to ask professionals for help: reach out to your web hosting provider and ask them to implement the HTTP security headers on your website.
Frequently Asked Questions
Are HTTP headers secure?
Yes, HTTP security headers are among the most important cybersecurity hardening directives. When the site is served over HTTPS, the HTTP headers are encrypted along with the rest of the exchange.
What are some headers that add security?
Some of the Headers that add security to the website are:
1. X-Frame-Options
2. Strict-Transport-Security
3. Content-Security-Policy
4. X-Content-Type-Options
5. Referrer-Policy
6. Feature-Policy or Permissions-Policy
7. X-Permitted-Cross-Domain-Policies
8. X-XSS-Protection
What is CSP header?
CSP or Content Security Policy header instructs the browser to load only those contents that are mentioned in the policy. It means you will have the power to control the resources of your website and allow browsers to load only content resources that you have whitelisted.
Rahul Kumar is a web enthusiast and content strategist specializing in WordPress and web hosting. With years of experience and a commitment to staying up to date with industry trends, he creates effective online strategies that drive traffic, boost engagement, and increase conversions. Rahul’s attention to detail and ability to craft compelling content make him a valuable asset to any brand looking to improve its online presence.