What is HTTP Security Header? How to use HTTP Security Header
Do you know what HTTP security headers such as X-Frame-Options are, and what they mean in web programming? Let's find out with TipsMake!
When you visit a website, the browser you use receives data from that site, so a conversation takes place between your device and the web server. This conversation happens over the HTTP protocol, and you can add extra security by controlling what is said in it.
If you are running a website or want to become a website programmer, HTTP security headers are invaluable to you because they play an active role in security for both the user and the website.
What is HTTP Strict-Transport-Security (HSTS)?
HTTP Strict-Transport-Security (HSTS) forces the browser to use HTTPS for every request it makes to your site. This is a reliable way to protect users against attacks on unencrypted connections, while ensuring that every access is made securely.
Enabling HSTS is quite easy. Consider the dialogue between client and server. When you try to open a page through a browser, you are the client; the page you want to open lives on the server. Your goal is to let the server know that you want to open this page: this is a request. In return, the server sends you that page if you meet the necessary conditions.
The server announces its HSTS policy with a response header like this one:
Strict-Transport-Security: max-age=16070200;
Once the browser has received this header over HTTPS, every request it makes to that host for the next max-age seconds is sent over HTTPS. Whatever the user types in the address bar, the browser automatically rewrites the protocol to HTTPS and establishes a secure connection.
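The following Python model of the browser side of HSTS is an added example, not code from the article. It parses a Strict-Transport-Security header, stores the policy with its expiry, and rewrites http:// URLs to https:// for hosts (and, with includeSubDomains, their subdomains) that have a live policy. The host names and clock values are constructed for illustration; the rule that the header is only accepted over HTTPS is RFC 6797 behaviour.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


class HstsStore:
    """Minimal model of a browser's HSTS list: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._hosts = {}

    def record(self, host, header_value, over_https=True):
        """Learn a policy from a response. Returns True if the header was accepted."""
        if not over_https:
            return False         # RFC 6797: the header is ignored on plain-HTTP responses
        directives = parse_sts(header_value)
        try:
            max_age = int(directives["max-age"])
        except (KeyError, ValueError):
            return False         # no usable max-age: the header is ignored
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)   # max-age=0 removes the host from the list
        else:
            self._hosts[host] = (self._now() + max_age, "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self._now():
                continue         # policy has lapsed
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when the host has a live HSTS policy."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed example: the header from the article, as if received over HTTPS
    store.record("example.com", "max-age=16070200; includeSubDomains")
    print(store.upgrade("http://example.com/login"))       # https://example.com/login
    print(store.upgrade("http://shop.example.com/cart"))   # https://shop.example.com/cart
```

The injectable clock is what lets you see the other half of the behaviour: when max-age runs out, the browser silently goes back to honouring http:// links, which is why the header must be sent on every HTTPS response and not just once.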
How to use HSTS
Instead of setting the headers in application code, you can do this in Apache, IIS, Nginx, Tomcat and other web servers.
To enable HSTS in Apache:
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"
To enable HSTS in Nginx:
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
To enable HSTS with IIS web.config:
For Cloudflare users
Cloudflare offers free HTTPS to everyone with its Keyless SSL service. Before applying for HSTS preload, you need to know that the certificate does not belong to you. Many sites now use SSL certificates because they are a simple way to secure data.
However, Cloudflare now supports the HSTS feature. You can enable all HSTS features, including preloading, through the Cloudflare web interface without the hassle of configuring the web server.
What is X-Frame-Options?
X-Frame-Options is a security header supported by all modern browsers. It protects against clickjacking, where attackers trick users into clicking something other than what they think they see. As the name suggests, it concerns frames, or iframes: elements on one web page that embed another HTML page inside the 'parent' site, so that you can use content from other sources on your page. Attackers, however, load your page inside an iframe under their control to make users perform unwanted actions.
For this reason, you need to prevent attackers from loading your pages inside their iframes.
Location and usage of X-Frame-Options
Some developers try to do what X-Frame-Options does with JavaScript (frame-busting). That is not wrong, but it is still risky because such code tends to have holes. It is therefore best to leave this task to the browser.
However, programmers need to know the following 3 values of X-Frame-Options:
- DENY: Completely prevents the page from being loaded in any iframe.
- SAMEORIGIN: Blocks all domains other than your own from loading the page in an iframe.
- ALLOW-FROM url: Accepts iframe loads from the URL given as a parameter and blocks all others.
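As an added example (not from the article), the Python function below applies the three values the way a browser does when deciding whether a page may be rendered inside a frame. Two caveats it encodes that the list above does not: SAMEORIGIN is checked against every ancestor frame, not just the top window, and ALLOW-FROM is obsolete (Chrome and Safari never implemented it and Firefox removed it), so a browser that sees it ignores the whole header and the page stays framable. The URLs used are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def framing_allowed(xfo_value, page_url, ancestor_urls):
    """
    Decide whether the document at page_url, served with the given
    X-Frame-Options value (None = header absent), may be displayed inside
    frames whose ancestor documents are ancestor_urls.
    Returns (allowed, reason).
    """
    if xfo_value is None:
        return True, "no X-Frame-Options header: any site may frame this page"
    directive = xfo_value.strip().lower()
    if directive == "deny":
        return False, "DENY: the page may not be framed by anyone, not even its own origin"
    if directive == "sameorigin":
        page_origin = origin_of(page_url)
        for ancestor in ancestor_urls:
            if origin_of(ancestor) != page_origin:
                return False, f"SAMEORIGIN: ancestor {ancestor} is cross-origin"
        return True, "SAMEORIGIN: every ancestor frame has the page's own origin"
    if directive.startswith("allow-from"):
        # Obsolete directive: browsers treat it as an unrecognised value and
        # ignore the header entirely, so no protection is applied.
        return True, "ALLOW-FROM is obsolete: the header is ignored, the page is framable by anyone"
    return True, f"unrecognised value {xfo_value!r}: browsers ignore the header"


if __name__ == "__main__":
    # Constructed scenario: a page from site.example framed by a third-party page
    print(framing_allowed("SAMEORIGIN", "https://site.example/transfer",
                          ["https://other.example/"]))
```

Note the scheme is part of the origin: an https:// page served with SAMEORIGIN cannot be framed by an http:// page on the same host.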
Here is an example of how to use X-Frame-Options with SAMEORIGIN on Nginx, Apache and IIS:
Use X-Frame-Options SAMEORIGIN for Nginx:
add_header X-Frame-Options SAMEORIGIN;
Use X-Frame-Options SAMEORIGIN for Apache:
Header always append X-Frame-Options SAMEORIGIN
Use X-Frame-Options SAMEORIGIN for IIS:
Simply adding the SAMEORIGIN header will help you better protect your visitors.
What is X-XSS-Protection?
The X-XSS-Protection header can help protect users from XSS attacks. First, you need to eliminate XSS vulnerabilities in the application itself. Then add defence in depth, with further measures such as the X-XSS-Protection header.
How to use X-XSS-Protection
Modern browsers can detect XSS payloads by filtering the content the application returns to them. You can enable this feature with the X-XSS-Protection header.
To enable X-XSS-Protection header in Nginx:
add_header X-XSS-Protection 1;
To enable the X-XSS-Protection header in Apache:
Header always append X-XSS-Protection 1
To enable the X-XSS-Protection header in IIS:
To stop the page from rendering at all when an attack is detected, rather than only sanitizing it, you can use:
X-XSS-Protection: 1; mode=block
What is X-Content-Type-Options?
Browsers apply a process called MIME type sniffing to the content that web applications serve to them. For example, when a request fetches a PDF or PNG file, the browser analyses the HTTP response and infers the file type from it.
Consider a file uploaded with a .jpeg extension whose content is actually text/HTML. If it gets past the checks in the upload module, the file is stored successfully. When it is later requested by its URL, MIME type sniffing concludes that the content is text/HTML and the browser renders it as HTML. That is when the XSS vulnerability appears.
Therefore, you need to stop the browser from deciding the content type by MIME sniffing. To do this, you can use nosniff.
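The upload scenario above has a server-side counterpart that nosniff complements: the upload module should accept a file only when its bytes match the declared type, and the stored file should be served with a fixed Content-Type plus X-Content-Type-Options: nosniff. The Python below is an added example, not the article's code; the signature table and the sample uploads are constructed, and the HTML-marker list is a simplification of what browser sniffers look for.

```python
# Allow-list of upload types and the magic bytes each must begin with
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Markup that makes a browser's sniffer classify a body as HTML (simplified list)
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<script", b"<iframe", b"<svg")


def looks_like_html(data):
    """True if the first 512 bytes contain HTML markup (sniffers only inspect the start)."""
    head = data[:512].lower()
    return any(marker in head for marker in HTML_MARKERS)


def validate_upload(declared_type, data):
    """Return (accepted, reason) for an upload that claims to be declared_type."""
    signatures = SIGNATURES.get(declared_type)
    if signatures is None:
        return False, f"{declared_type} is not an allowed upload type"
    if not data.startswith(signatures):
        return False, f"content does not begin with the {declared_type} signature"
    if looks_like_html(data):
        return False, "content contains HTML markup and must not be stored"
    return True, "accepted"


def headers_for_serving(declared_type):
    """Headers to send with a stored upload: the verified type, and no sniffing."""
    return {"Content-Type": declared_type, "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    # Constructed uploads: a real-looking JPEG header and an HTML document named as a JPEG
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    disguised = b"<html><body>not an image</body></html>"
    print(validate_upload("image/jpeg", jpeg_bytes))   # (True, 'accepted')
    print(validate_upload("image/jpeg", disguised))    # rejected: signature mismatch
    print(headers_for_serving("image/jpeg"))
```

The two checks are deliberately independent: the signature test catches the file the article describes, and the HTML-marker test catches a file that carries a valid image signature followed by markup, which a browser without nosniff might still render if it were served with the wrong Content-Type.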
Header X-Content-Type-Options for Nginx:
add_header X-Content-Type-Options nosniff;
Header X-Content-Type-Options for Apache:
Header always set X-Content-Type-Options nosniff
Header X-Content-Type-Options for IIS:
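To check that a server actually sends the four headers discussed in this article, the added Python example below (not part of the article) parses a raw HTTP response and audits the headers: HSTS present with a numeric max-age at least as long as the article's 2592000-second configuration and with includeSubDomains, X-Frame-Options set to DENY or SAMEORIGIN, X-Content-Type-Options set to nosniff, and X-XSS-Protection, if sent, carrying mode=block. The sample response is constructed; the severity levels are this example's own choice.

```python
def parse_response_headers(raw):
    """Parse the status line and headers of a raw HTTP/1.x response (bytes or str)."""
    if isinstance(raw, bytes):
        raw = raw.decode("iso-8859-1")
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_security_headers(headers, min_hsts_age=2592000):
    """Return a list of (severity, header, message) findings for the parsed headers."""
    findings = []

    sts = headers.get("strict-transport-security")
    if not sts:
        findings.append(("high", "Strict-Transport-Security", "missing: http:// requests are never upgraded"))
    else:
        directives = {}
        for part in sts[0].split(";"):
            name, _, val = part.strip().partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
        try:
            age = int(directives.get("max-age", ""))
        except ValueError:
            age = -1
        if age < 0:
            findings.append(("high", "Strict-Transport-Security", "max-age missing or invalid: browsers ignore the header"))
        elif age < min_hsts_age:
            findings.append(("medium", "Strict-Transport-Security", f"max-age={age} is below the {min_hsts_age}s minimum"))
        if "includesubdomains" not in directives:
            findings.append(("low", "Strict-Transport-Security", "includeSubDomains not set: subdomains stay reachable over HTTP"))

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append(("medium", "X-Frame-Options", "missing: any site may frame the page (clickjacking)"))
    elif xfo[0].strip().lower() not in ("deny", "sameorigin"):
        findings.append(("medium", "X-Frame-Options", f"value {xfo[0]!r} is not DENY or SAMEORIGIN: browsers ignore it"))

    xcto = headers.get("x-content-type-options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options", "nosniff not set: browsers may MIME-sniff responses"))

    xss = headers.get("x-xss-protection")
    if xss and "mode=block" not in xss[0].replace(" ", "").lower():
        # Legacy header: most current browsers have removed the XSS filter, so this is informational
        findings.append(("info", "X-XSS-Protection", "set without mode=block"))

    return findings


# Constructed sample response with several weak settings, for demonstration only
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    b"X-XSS-Protection: 1\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    status, hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print(status)
    for severity, header, message in audit_security_headers(hdrs):
        print(f"[{severity}] {header}: {message}")
```

On a live server you would obtain the raw response with a tool such as curl -si and feed it to parse_response_headers; the audit itself is offline so it can be run in a test suite against the server configuration you intend to deploy.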
Above are the things you need to know about HTTP security headers. We hope the article is useful to you.