X-XSS-Protection
X-XSS-Protection: 0 // no protection
X-XSS-Protection: 1 // filters XSS but still renders the (sanitized) page
X-XSS-Protection: 1; mode=block // blocks the page instead of rendering it
Protection against reflected XSS. This is a legacy browser filter; current browsers have removed it, so rely on a Content Security Policy instead.
Content Security Policy
Content-Security-Policy: <policy>
Protection against XSS. Controls which sources the browser is allowed to load scripts, styles, images and other resources from.
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload // Use a preload list
Once the browser has seen the header it will only connect over HTTPS for max-age seconds. The very first connection is still unprotected unless the site is on the browser's preload list.
HTTP Public Key Pinning (HPKP)
Public-Key-Pins: pin-sha256=<base64>; max-age=<expireTime>
Public-Key-Pins: pin-sha256=<base64>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64>; max-age=<expireTime>; report-uri=<reportURI>
Dynamic pinning: the browser stores the pins and rejects later connections whose certificate chain does not contain a pinned key. Major browsers have since removed HPKP support, so treat it as historical.
X-Frame-Options
X-Frame-Options: DENY // No one can put the page in an iframe
X-Frame-Options: SAMEORIGIN // Only from the same site
X-Frame-Options: ALLOW-FROM https://example.com/ // Only from the given origin (not supported by every browser)
Mitigates clickjacking.
X-Content-Type-Options
X-Content-Type-Options: nosniff
Solves the "MIME sniffing" problem: the browser must respect the declared Content-Type instead of guessing the type from the content.
Referrer-Policy
Referrer-Policy: <policy>
Specifies when the browser sends a Referer header and how much of the URL it includes.
Cookies Options
Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=strict
// Secure: only sent over HTTPS
// HttpOnly: can not be accessed from JavaScript
// SameSite: lax or strict. Defends against Cross-Site Request Forgery (CSRF)
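As an added worked example (my own code, not part of the original post): a small audit that applies the checks from this cheat sheet to a set of response headers. The two sample responses are constructed, and the one-year HSTS threshold is my assumption.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com/",
    "Set-Cookie": "session=abc123; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Strict",
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the headers covered in the cheat sheet."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    cookie = h.get("set-cookie")
    if cookie is not None:
        # Attribute names follow the first "key=value" pair, separated by ";"
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"Set-Cookie lacks {flag}")
    return findings
```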