Scan your Website for HTTP Content Security Headers
Find out if your website is at risk because it has not enabled the key Content Security Headers.
Scan your HTTP response headers and find out which HTTP response headers you are missing.
Read more about how to deploy the missing HTTP security headers easily.
Scan your site to find out if it sends the secure headers that restrict what web browsers may load and prevent avoidable vulnerabilities.
Content Security Policy deployed by headers is a strong way to improve the security of your site and protect it against XSS attacks.
It can help keep the web browser from loading vulnerable assets from remote sites.
The most popular Security Headers are:
The Content Security Policy Security Header can help secure your website from XSS attacks.
You can whitelist the sources from which authorized content may be loaded.
This way you can make sure the browser does not load dangerous content.
The Security Header allows the website security administrator to control which resources the user agent is allowed to load on a given page.
This can help protect against Cross Site Scripting (XSS) attacks.
X-Frame-Options is used to tell the web browser whether you want to allow your site to be framed or not.
Preventing the web browser from framing your site defends against attacks such as clickjacking.
The X-Frame-Options header can be used to indicate whether a web browser is allowed to render a page in a <frame>, <object>, or <iframe>.
It is recommended to include this check in the penetration testing process.
Fix by adding to your site: header("X-Frame-Options: SAMEORIGIN");
The X-XSS-Protection security header enables the Cross Site Scripting (XSS) protection that is included in most modern web browsers.
So this must be enabled.
The most comprehensive header to set is:
"X-XSS-Protection: 1; mode=block".
The HTTP X-XSS-Protection response security header is supported by the Safari, Firefox, Internet Explorer (IE) and Chrome web browsers.
Fix by adding to your site: header("X-XSS-Protection: 1; mode=block");
The X-Content-Type-Options Security Header is used to prevent a browser from trying to MIME-sniff a sensitive content type and forces the browser to use the declared Content-Type.
This HTTP Security Header can be used to ensure that the MIME types advertised in the Content-Type headers are not changed, which prevents MIME type sniffing.
The header was first introduced by Microsoft in Internet Explorer (IE) 8 to allow webmasters to block content sniffing that could transform non-executable MIME types into executable MIME types.
Other web browsers have introduced it as well.
Penetration testing processes typically expect this header to be set.
Fix by adding to your site: header("X-Content-Type-Options: nosniff");
The Referrer Policy is a newer security header that allows a website to control how much information the web browser sends along when navigating away from a document.
It is highly recommended to set it on all sites.
The header controls which referrer information is sent in the Referer header of the requests made.
Fix by adding to your site: header("Referrer-Policy: strict-origin-when-cross-origin,no-referrer");
The Strict Transport Security HTTP Web Security Header is a recommended feature that increases the security of your website and strengthens your TLS implementation by forcing the User Agent to use HTTPS.
It is often known as HSTS; it tells web browsers that the site should only be accessed using HTTPS instead of insecure HTTP.
Fix by adding to your site: header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
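The check a header scan performs on the six headers above, as an added example (not the page's or the scanner's own code): a small Python script that parses a raw HTTP response, constructed inline, and reports each header as ok, weak or missing. The thresholds (a one-year HSTS max-age, DENY or SAMEORIGIN for X-Frame-Options, a script-src directive in the CSP) are assumptions taken from the fixes quoted above.

```python
"""Offline checker for the security headers listed above (added example).
Parses a raw HTTP response and reports each header as ok, weak or missing."""
import re

def parse_csp(value):
    """'script-src 'self' a.example; img-src *' -> {directive: [sources]}."""
    return {d.split()[0]: d.split()[1:] for d in value.split(";") if d.strip()}

def hsts_max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

# Headers the page recommends, each with a check that its value is strong enough.
REQUIRED = {
    "content-security-policy": lambda v: "script-src" in parse_csp(v),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.startswith("1"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: bool(v),
    "strict-transport-security": lambda v: hsts_max_age(v) >= 31536000,
}

def parse_headers(raw):
    """Split a raw response (status line, headers, blank line, body) into a dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return {header: 'ok' | 'weak' | 'missing'} for every recommended header."""
    present = parse_headers(raw)
    return {name: ("missing" if name not in present
                   else "ok" if check(present[name]) else "weak")
            for name, check in REQUIRED.items()}

# Constructed sample response: HSTS max-age too short, X-Frame-Options and
# Referrer-Policy absent, the rest configured as the fixes above suggest.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/html\r\n"
          "Content-Security-Policy: block-all-mixed-content; script-src 'self' www.yoursite.com\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "X-XSS-Protection: 1; mode=block\r\n"
          "Strict-Transport-Security: max-age=3600\r\n"
          "\r\n<html></html>")

if __name__ == "__main__":
    for header, status in audit(SAMPLE).items():
        print(f"{header}: {status}")
```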
Web Security Headers are a subset of the HTTP response headers.
When sent by the web server to the web browser, they allow a web application to tell the browser to enable and configure specific security related features.
Here the most important Security Headers are presented with information on how to enable them on your site.
It is recommended to enable the security headers on all your web-enabled servers for increased security.
What is the impact of not having the Security Headers enabled?
Why is it even important to set and send specific security headers to a web browser?
There are several good arguments to enable the Security Headers.
To pass third-party Penetration Testing
When third-party pen testers are engaged, the security headers are often part of becoming compliant.
Various compliance regulations such as GDPR, HIPAA and PCI-DSS do not mandate the security headers at the moment, but they recommend enabling and using them.
Quick process to implement the security headers
The security headers can often be easily enabled on most web servers by simply adding a few header lines such as:
header("Content-Security-Policy: block-all-mixed-content; script-src 'self' www.yoursite.com");
Increased measurable application security level
The Web Security Headers provide an extra layer of defense against attacks.
When the web security headers are implemented correctly, they can decrease the impact of other existing vulnerabilities yet to be found on the target web server.
They can help prevent attackers from exploiting vulnerabilities or minimize the impact of exploiting unpatched vulnerabilities.
The security headers are backward compatible: older browsers that do not support a header simply ignore it, so no functionality breaks.
It is highly recommended to enable the headers to be future compliant and to boost customer confidence by utilizing all available security measures.
How to easily test your site and find out if your Security Headers are enabled?
The scan also comes with instructions on how to enable the headers and provides other useful information on how to secure your web site.