Description
Security headers are HTTP response headers that tell browsers how to behave when handling your site's content. Missing or misconfigured headers can leave your site vulnerable to various attacks.
Headers like Content-Security-Policy (CSP), X-Frame-Options, and Strict-Transport-Security (HSTS) provide defense-in-depth protection against common web attacks including XSS, clickjacking, and protocol-downgrade (SSL-stripping) man-in-the-middle attacks.
A missing header is not a directly exploitable vulnerability on its own, but it removes a browser-level protection that would otherwise prevent or blunt the exploitation of some other weakness in the application.
Potential Impact & Risks
- Cross-Site Scripting (XSS): without a CSP, any script an attacker manages to inject runs unrestricted
- Clickjacking and UI redressing: without X-Frame-Options or CSP frame-ancestors, the page can be framed by an attacker-controlled site
- Protocol downgrade and SSL-stripping man-in-the-middle attacks: without HSTS, a user's first plain-HTTP request can be intercepted before the redirect to HTTPS
- MIME-type sniffing attacks: without X-Content-Type-Options, browsers may interpret user-supplied content (for example an uploaded "text" file) as script or HTML
- Information disclosure: without Referrer-Policy, full URLs including paths, query strings and any tokens they carry leak to third-party sites
- Reduced defense-in-depth: a vulnerability elsewhere in the application becomes easier to exploit
Remediation
Essential Security Headers
1. **Content-Security-Policy (CSP)**:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-<per-request-nonce>'; style-src 'self'; object-src 'none'; frame-ancestors 'none'
Restricts where scripts, styles, and other resources may be loaded from, so injected script is not executed. Do not put 'unsafe-inline' in script-src: it permits every inline script, which is exactly what an XSS payload is, and nullifies the protection. Where inline scripts must be kept, allow them with a per-request nonce (the placeholder above) or a hash of their content.
2. **Strict-Transport-Security (HSTS)**:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Instructs the browser to use only HTTPS for this host for max-age seconds (one year here), even when the user types a plain http:// URL. Browsers only honour the header when it is received over HTTPS. includeSubDomains commits every subdomain to HTTPS, so confirm that all of them serve TLS before enabling it; add preload only if you intend to submit the domain to the browser preload list.
3. **X-Frame-Options**:
X-Frame-Options: DENY
Prevents clickjacking by refusing to render the page inside a frame. The CSP frame-ancestors directive supersedes it in modern browsers; send both to cover older clients.
4. **X-Content-Type-Options**:
X-Content-Type-Options: nosniff
Stops the browser from guessing a content type that differs from the declared Content-Type, for example treating a text/plain upload as JavaScript.
5. **Referrer-Policy**:
Referrer-Policy: strict-origin-when-cross-origin
Sends the full URL only for same-origin requests, just the origin for cross-origin HTTPS requests, and nothing on a downgrade to HTTP, keeping paths and query strings out of third-party logs.
6. **Permissions-Policy**:
Permissions-Policy: camera=(), microphone=(), geolocation=()
Controls which browser features the page and its embedded frames may use; an empty allowlist () disables the feature entirely.
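The following is an added example, not part of the original page: a small Node.js audit routine that checks a set of response headers against the recommendations above and reports what is missing or weakened, including the 'unsafe-inline' and short max-age mistakes. The two header sets at the bottom are constructed sample input, not captured from any real site, and the finding wording is this example's own.

```javascript
// Added example, not from the original page: audit a set of response headers
// and report missing or weakened protections. Header sets below are
// constructed sample input, not captured from any real site.

const ONE_YEAR_SECONDS = 31536000;

// Parse a Content-Security-Policy value into { directive: [source, ...] }.
// Sources are lowercased; that is enough to detect keywords and 'nonce-'/'sha256-' prefixes.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Parse a Strict-Transport-Security value into its three fields.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [name, raw] = part.trim().split("=");
    const key = name.toLowerCase();
    if (key === "max-age") out.maxAge = Number.parseInt(raw, 10);
    else if (key === "includesubdomains") out.includeSubDomains = true;
    else if (key === "preload") out.preload = true;
  }
  return out;
}

// Return an array of finding strings; an empty array means nothing was flagged.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // CSP: script-src (falling back to default-src) must not rely on 'unsafe-inline'.
  // Browsers ignore 'unsafe-inline' only when a nonce or hash is also present.
  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : null;
  if (!csp) {
    findings.push("Content-Security-Policy missing");
  } else {
    const scriptSrc = csp["script-src"] || csp["default-src"] || [];
    const nonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !nonceOrHash) {
      findings.push("CSP script-src allows 'unsafe-inline' without a nonce or hash; inline script injection is not blocked");
    }
    if (scriptSrc.includes("*") || scriptSrc.includes("data:")) {
      findings.push("CSP script-src allows scripts from any origin or data: URLs");
    }
  }

  // Framing: either CSP frame-ancestors or a valid X-Frame-Options must be present.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!(csp && csp["frame-ancestors"]) && !xfo) {
    findings.push("no framing protection: neither CSP frame-ancestors nor X-Frame-Options is set");
  } else if (xfo && xfo !== "DENY" && xfo !== "SAMEORIGIN") {
    findings.push(`X-Frame-Options value "${xfo}" is not DENY or SAMEORIGIN and is ignored by browsers`);
  }

  // HSTS: present, max-age of at least one year, and covering subdomains.
  if (!h["strict-transport-security"]) {
    findings.push("Strict-Transport-Security missing");
  } else {
    const hsts = parseHsts(h["strict-transport-security"]);
    if (hsts.maxAge === null || Number.isNaN(hsts.maxAge)) findings.push("HSTS max-age missing or invalid");
    else if (hsts.maxAge < ONE_YEAR_SECONDS) findings.push(`HSTS max-age=${hsts.maxAge} is below one year`);
    if (!hsts.includeSubDomains) findings.push("HSTS does not include subdomains");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }

  // Referrer-Policy: these two values send the full URL to other origins.
  const rp = (h["referrer-policy"] || "").toLowerCase();
  if (!rp) findings.push("Referrer-Policy missing");
  else if (rp === "unsafe-url" || rp === "no-referrer-when-downgrade") {
    findings.push(`Referrer-Policy ${rp} leaks the full URL to cross-origin destinations`);
  }
  return findings;
}

// Constructed sample: the weak configuration the remediation section warns about.
const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOWALL",
  "Referrer-Policy": "unsafe-url",
};
// Constructed sample: a hardened set using a nonce and frame-ancestors.
const STRONG_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d2f9Kx7Q'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

for (const f of auditHeaders(WEAK_HEADERS)) console.log("WEAK:", f);
console.log("STRONG findings:", auditHeaders(STRONG_HEADERS).length);
```

Run it with node; the weak set produces six findings and the hardened set none. To audit a live site, feed it the object returned by `response.headers` from fetch or the `headers` of a node http response.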
Code Examples
// Express.js example:
const express = require("express");
const helmet = require("helmet");
const app = express();
// helmet() sets a sensible default for each of the headers listed above in one call.
app.use(helmet());
// Or manually (note that 'unsafe-inline' is deliberately absent from this CSP):
app.use((req, res, next) => {
  res.setHeader("Content-Security-Policy", "default-src 'self'");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-Content-Type-Options", "nosniff");
  // Browsers only honour HSTS when it arrives over HTTPS, so this app must be served over TLS.
  res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
  next();
});
# Nginx configuration (inside the HTTPS server block). "always" also emits the header on
# error responses (4xx/5xx), which nginx otherwise omits.
add_header Content-Security-Policy "default-src 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
# includeSubDomains commits every subdomain to HTTPS; confirm they all serve TLS first.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Caution: an add_header inside a location block replaces, rather than extends, the headers
# inherited from this level, so repeat the full set in every location that adds its own.