Hello friends, today we will learn about HTTP Security Headers. There are a lot of things to consider while securing a website or web application, and HTTP Security Headers are one of the best options. Implementing them on the server is very easy.
HTTP Security Headers provide another layer of security by reducing the impact of common attacks and vulnerabilities. So, today we will explore three vital security headers and try to understand what they are and how to implement them.
What are HTTP Security Headers?
When a user visits a website in a browser (Google Chrome, Microsoft Edge, etc.), the browser requests a page from the web server. The web server then responds with the content along with HTTP response headers, which carry metadata about the response. Security headers are response headers that tell the browser how to behave while handling the content coming from the server. We can use them to shape the communication between browser and server and improve web security. Let's take a look at three vital security headers that protect our websites.
- X-XSS-Protection
- X-Frame-Options
- X-Content-Type-Options: nosniff
1. Security Headers: X-XSS-Protection
The X-XSS-Protection header stands for Cross-Site Scripting Protection and is designed to improve the security of our websites against XSS (cross-site scripting) attacks. You can enable it by modifying your Apache settings or .htaccess file and adding the following lines:
<IfModule mod_headers.c>
    # Enable the browser's XSS filter and block the page if an attack is detected
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
2. Security Headers: X-Frame-Options
The X-Frame-Options header is designed to improve the security of our websites against clickjacking attacks. It is supported by all browsers and prevents an attacker from embedding your site's pages in an iframe on another site. You can enable it by modifying your Apache settings or .htaccess file:
<IfModule mod_headers.c>
    # Use "set" rather than "append": appending to an existing header produces
    # "SAMEORIGIN, SAMEORIGIN", which browsers reject as an invalid value
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
3. Security Headers: X-Content-Type-Options: nosniff
The X-Content-Type-Options: nosniff header is designed to improve the security of our websites (and their users). It stops the browser from "sniffing" a response and treating it as a different type than the declared Content-Type, which reduces the danger of drive-by downloads and makes the browser handle content the way the server intended. You can enable it by modifying your Apache settings or .htaccess file:
<IfModule mod_headers.c>
    # Tell the browser to honour the declared Content-Type and not guess
    Header set X-Content-Type-Options nosniff
</IfModule>
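After editing .htaccess it is worth checking what the server actually sends. Here is an added Python checker (not code from the original post) that parses a captured response head and verifies the three headers above; the sample response is constructed and deliberately carries a doubled X-Frame-Options value, which is what `Header append` produces when the header was already set elsewhere.

```python
"""Audit the three security headers discussed in this post.

Added example, not part of the original post. It parses a raw HTTP
response head and reports which headers are missing or carry a value
a browser will not honour.
"""
from typing import Dict, List

# Constructed sample response head (not captured from a real server).
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)


def parse_headers(raw_head: str) -> Dict[str, str]:
    """Lower-case header names; join repeated headers with ', ' as browsers do."""
    headers: Dict[str, str] = {}
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means all three headers look correct."""
    findings: List[str] = []
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: pages can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # A comma-joined value such as "SAMEORIGIN, SAMEORIGIN" is ignored by browsers.
        findings.append(f"X-Frame-Options has invalid value {xfo!r}")
    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing allowed")
    xss = headers.get("x-xss-protection")
    # Legacy header: current browsers have dropped the XSS auditor and rely on
    # Content-Security-Policy instead, so treat this check as advisory.
    if xss is None or xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xss!r}, expected '1; mode=block'")
    return findings


if __name__ == "__main__":
    for line in audit_security_headers(parse_headers(SAMPLE_RESPONSE_HEAD)) or ["all headers OK"]:
        print(line)
```

To audit a live site, feed the checker the head of a real response (for example the output of `curl -sI https://example.com`, with `\n` line endings converted) instead of the constructed sample.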
By implementing these security headers we can protect our website from many common attacks.