11.3.2019

HTTP headers to improve website security

Website security and how to improve it

In this article, I will go through how you can improve the security of your website by changing its HTTP header settings. HTTP headers should be edited at the server level, and a modern web hosting company should do this for you without being asked. The settings can also be edited with a WordPress plugin.

Mozilla offers a free and powerful tool that lets you test your site before and after changing these settings, so you can see how its security improves: https://observatory.mozilla.org/

1. Content Security Policy

The Content Security Policy header helps you prevent so-called Cross Site Scripting (XSS) attacks, which are attempts to inject malicious code into your website. Such attacks are attempted, for example, on pages with a login form; after a successful attack, an attacker can get hold of the credentials of the people who log in. The Content Security Policy header blocks all traffic from external servers that the policy does not list, so it is important that you explicitly allow trusted sources in the Content Security Policy.

Example of a Content Security Policy header, as set in the NGINX or Apache web server configuration:

content-security-policy: script-src 'self' https://www.google-analytics.com

2. HTTP Strict Transport Security (HSTS)

Even if a website has an HTTPS:// address and an SSL certificate from a trusted third party, that does not automatically mean the website is secure. It is therefore important that you check the HTTP header settings yourself, or ask your web host to check them, to make your website more secure. HTTP Strict Transport Security, or HSTS, forces all traffic to the website to go over an HTTPS connection. This way your customers will not, for example, accidentally shop online over an insecure connection.

Example of an HTTP Strict Transport Security (HSTS) header, as set in the NGINX or Apache web server configuration:

strict-transport-security: max-age=31536000; includeSubDomains; preload

3. X-Frame options

Clickjacking is a technique for tricking web users into giving up their information while they browse a secure website. For example, a clickjacking attack can be used to turn on a user's microphone and webcam. The attack exploits iFrame elements, so it is a good idea to prevent external sites from embedding your website in an iFrame.

Deploy on a Nginx web server:

add_header x-frame-options "SAMEORIGIN" always;

Deploy on an Apache web server:

Header always set X-Frame-Options "SAMEORIGIN"

4. X-XSS protection

The X-XSS-Protection setting enables the browser's so-called cross-site scripting (XSS) filter. This feature is already available in up-to-date web browsers, but as a webmaster it is good practice to force it on. Note that Chromium-based browsers have since removed this filter, so the header now mainly matters for older browsers.

Deploy on an Nginx web server:

add_header x-xss-protection "1; mode=block" always;

Deploy on an Apache web server:

Header always set X-XSS-Protection "1; mode=block"

5. X-Content-Type-Options

MIME sniffing is an attack that, in the worst case, can be used to get malicious content onto a website that has a file upload form open to users. The X-Content-Type-Options setting prevents Internet Explorer and Google Chrome from MIME sniffing downloaded files.

Deploy on an Nginx web server:

add_header X-Content-Type-Options "nosniff" always;

Deploy on an Apache web server:

Header always set X-Content-Type-Options "nosniff"
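To check all five headers above at once, here is an added example (not the article's code) that audits one response's headers against the values the article recommends; it also flags an HSTS max-age below one year or a CSP that allows 'unsafe-inline' or any origin. The sample responses are constructed, and the HSTS and X-XSS-Protection expectations are the article's values.

```python
"""Audit one HTTP response for the five security headers covered above (added example, not the article's code; samples are constructed)."""
import re

def check_csp(v):
    # Flag a policy with no script-src/default-src, or one allowing 'unsafe-inline' or *.
    tokens = v.replace(";", " ").split()
    if "script-src" not in tokens and "default-src" not in tokens:
        return "neither script-src nor default-src is set"
    if "'unsafe-inline'" in tokens or "*" in tokens:
        return "allows inline scripts or any origin"

def check_hsts(v):
    # Flag a max-age below one year (the article's value), or a policy that skips subdomains.
    m = re.search(r"max-age=(\d+)", v)
    if not m or int(m.group(1)) < 31536000:
        return "max-age is shorter than one year"
    if "includesubdomains" not in v.lower():
        return "includeSubDomains is not set"

# Header name -> validator returning a problem string, or None when the value is fine.
CHECKS = {
    "content-security-policy": check_csp,
    "strict-transport-security": check_hsts,
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else f"unexpected value {v!r}",
    "x-xss-protection": lambda v: None if v.replace(" ", "").lower() == "1;mode=block" else "expected '1; mode=block'",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "expected 'nosniff'",
}

def audit_headers(headers):
    """Return 'header: problem' findings; an empty list means all five headers
    are present with sane values. Header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        if name not in h:
            findings.append(f"{name}: missing")
        elif (problem := check(h[name])):
            findings.append(f"{name}: {problem}")
    return findings

# Constructed sample responses: one set as in the article, one left weak.
HARDENED = {
    "Content-Security-Policy": "script-src 'self' https://www.google-analytics.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {"Strict-Transport-Security": "max-age=3600", "X-Frame-Options": "ALLOWALL"}
```

Feed it the header dictionary from a real response (for example from `requests` or `curl -I` output) to get the same report for your own site.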

Website security in general

Website security is the responsibility of every website operator. Achieving a good level of security can seem challenging, but everyone should play their part in making websites more secure. It is a good idea to start at the service level: when your website's server is properly set up and running, the security of your website improves at the same time. You may be using shared web hosting, in which case you have little control over how the service administrator takes responsibility for the security of the server. It is still your responsibility, however, to choose a good home for your website.

Written by Tuomas
Entrepreneur @ Tuonetti
© 2022 Tuonetti - All rights reserved.