Browser security headers are HTTP response headers that define whether a set of security measures should be activated or deactivated on the web browser. They govern the way the browser behaves when communicating with the site. So, these security headers can be used to outline communication and improve web security.
Here are five security headers that need to be understood for securing a website:
- HTTP Strict Transport Security (HSTS): A common practice of securing a website is to use a SSL/TLS certificate and migrate the website from HTTP to HTTPS. However, most website administrators forget that their website may still be available over HTTP connection. This issue can be overcome by employing HSTS. If HSTS is used for a website equipped with HTTPS, the server forces the browser to communicate over secure HTTPS only; thus, eliminating the possibility of the HTTP connection.
- Content Security Policy (CSP): CSP can be used to protect the website against Cross Site Scripting and other code injection attacks. It does not rule out the chances of these attacks entirely but helps in minimizing the damage. It equips the website admin with the authority to restrict the resources that a user is allowed to load when using the site. Thus, the admin can white list the website’s content resources as per the security requirements.
- Cross Site Scripting Protection (X-XSS): This header can be used to protect against Cross Site Scripting attacks. It prevents the page from loading if any cross site scripting is detected. XSS filter is enabled in browsers such as Chrome, IE, and Safari by default.
- X-Frame-Options: This type of browser security header can be used for protection against ‘Clickjacking’ attacks. In case of such attacks, the user is made to click on a page under the pretension that he is on an official site. However, a hidden code is being run in the background. This may lead to loss of confidential user information. X-Frame-Options disable the iFrames present on the site preventing others from embedding any code in your content.
- X-Content-Type-Options: MIME Sniffing is a common feature that is used to discover an asset’s file format. However, it can also be used to execute cross site scripting attacks. X-Content-Type-Options acts as a precaution against MIME Sniffing as it instructs the browser to follow the MIME type instructed in the header.
For more information on browser security headers and how to secure your portal, contact Centex Technologies at (254) 213 – 4740.