Security headers are things of the best things you can add to a site to increase the security. They have a low time vs benefit cost, and they can streamline your webapp building process. The majority of this line MageCart can be prevented by spending 20 minutes writing a CSP, for example.
Plus, if you're team then up with something online Report URI (also created by Scott Helme) you'll get notifications when someone makes a change to your webapp which violates the security headers.
And for those of an ASP NET persuasion, I have a middleware component specifically for helping you get started called OwaspHeaders.Core
Good input, Jamie. I can see that quite a lot happened since I originally wrote that post. I also use Report URI now. Maybe I should give the post an overhaul :) Thanks!
I've use Feedify and QR Codes in one post (shortly before the first instance of MageCart), a discussion on OWASP, and how it could ruin your company or brand as examples about why folks should look into this in the past. Especially since it's a relatively easy problem to solve.
I feel like you could make it into a series of posts. Even as someone who knows this stuff and how to implement it, I'd love to read a series where the author goes from "here's the theory" through "here's my initial plan", to "here's why my assumptions were wrong" (because with CSP, they will be) to "here's the finished headers for my site".
A lot of folks who write about headers tend to focus on the first and last step here, but devs need to know that the middle part is hard. Maybe you could cover that, or nominate someone to do so. Maybe I'll take a whack at it with an app for one of my clients 😉
Very detailed post with so much information around http headers in .net runtime applications, thanks a lot
Thanks this is very useful, I've not seen this site before so will certainly be using it!!
Thanks. Appreciate the feedback :)
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.