Tips to secure Http Headers

By default, a lot of security flaws are introduced when you create a website. A few HTTP headers added in your web server configuration can prevent basic but powerful attacks on your website and how you can protect your website from: clickjacking, MIME sniffing attack, Protocol downgrade attack, and reflective XSS.

1.X-FRAME-OPTIONS
How does it work?

A common threat to websites is clickjacking. A clickjacking attack wants to make you click wherever the attacker wants you to click. Basically, the attacker brings the user to a malicious page. However, the malicious page is hidden behind an innocent/trustworthy page, introduced in the malicious website with an iframe. The user is tricked into clicking on the regular page but he or she actually clicks on the malicious page. From this, the attacker can achieve whatever malicious action.

How to prevent clickjacking on your website ?

The X-FRAME-OPTIONS header tells the browser if another website can put your page in an iframe.

  • Setting its value to DENY will tell the browser to never put your page into an iframe.
  • Setting its value to SAMEORIGIN will tell the browser to never do it except where the host website is the same as the target website.

In most cases, you will want to add this line to your NGINX configuration file:

add_header X-Frame-Options "DENY";

For Apache web server you can add:

Header set X-FRAME-OPTIONS "DENY"

2. X-Content-Type-Options
How does it work?

When your browser loads a file, it reads the Content-Type header to determine which type it is. If you want to display an image on your webpage, you will generally write this in an HTML page:

<img src="https://example.com/some-image"></img>

What if the some-image file is HTML instead? If your browser is MIME sniffing the file, it will inspect the content of this file, detect that this is HTML and render the HTML content, along with JavaScript included in the HTML. This means that a user can upload an image with HTML and JavaScript as the content, this JavaScript could be executed on any user displaying this fake image.

How to prevent MIME sniffing on your website?

The X-Content-Type-Options header tells the browser if it should sniff files or not.

Setting its value to nosniff will tell the browser to never sniff the content of a file. The browser will only use a file if its Content-Type matches the HTML tag where it is used, and fails otherwise.

Here is the line to add in your NGINX configuration file:

add_header X-Content-Type-Options "nosniff";

For Apache web server you can add:

Header set X-Content-Type-Options "nosniff"

3. Strict-Transport-Security
How does it work?

If you don’t know yet, HTTPS is already a huge step towards improving the security of your website. However, when visiting a website, your browser will usually try to connect over HTTP, and once the server tells that it supports HTTPS, will upgrade to a secure connection. This represents an issue as a malicious person can intercept this insecure HTTP connection: it is known as a protocol downgrade attack.

How to prevent protocol downgrade attack on your website?

There are several ways to prevent this attack. The Strict-Transport-Security HTTP header (known as HSTS) tells the browser to connect directly with HTTPS to the website. This should be done through a redirection on your server from HTTP to HTTPS. A recommended lifetime for the HSTS header is 1 year and should include subdomains.

Here is the line to add in your NGINX configuration file:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

For Apache web server you can add:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Above are some of the measures you can take when you want to secure your website. If you haven't taken these measures, its never too late. A secure website makes for secure browsing.

To get more information on how you can secure your cyberspace, connect with our further blogs. Safe browsing.