Most of the security vulnerabilities can be corrected by implementing specific headers in the server response header. HTTP security headers present yet another tier of security by helping to mitigate intrusions and security vulnerabilities.
We will examine some of them to help you better know their purpose and how to implement them.
Whenever a browser requests a page from any web server, the server responds with the content along with HTTP response headers. These HTTP security headers tell the browser how to behave while handling the website content.
The Content Security Policy header implements an additional layer of security. This policy helps prevent attacks such as Cross-Site Scripting (XSS) and other code injection attacks by limiting content sources that are approved and thus permitting the browser to load them.
The X-Frame-Options HTTP response header is used to indicate if a browser is permitted to execute a page in a “frame”, “iframe” or “object” HTML tag. Sites and applications can use this to dodge clickjacking attacks, by ensuring their content cannot be embedded into other sites.
X-XSS-Protection header is intended to protect against Cross-Site Scripting attacks.
The X-Content-Type-Options header is used to indicate that the MIME types recorded in the Content-Type headers should not be changed. This protects you from MIME type sniffing.
A Strict Transport Security header (HSTS) enables the application to inform browsers that it should be only accessed using HTTPS instead of HTTP.
If the website or application allows connection through HTTP before redirecting to HTTPS, visitors can communicate with the non-encrypted version of the site before the redirect which creates an opportunity for man-in-the-middle attacks.
Upon the first interaction with a website, the browser won’t be aware of an HSTS Policy for the host, therefore the initial communication is taking place over HTTP.
To resolve this problem, browsers contain a preloaded list of sites that are configured for strict transport security. HSTS is generally set to a “max-age” value that is high enough to keep the website cached in the HSTS account for the entire duration that is specified.
A more detailed version with implementation on different servers with graphical representation is published at : https://beaglesecurity.com/blog/blogs/2020/06/27/Hardening-server-security-by-implementing-security-headers.html