# HTTP security headers


X-XSS-Protection: 0; // no protection
X-XSS-Protection: 1; // filters xss but renders the page
X-XSS-Protection: 1; mode=block // blocks the page

Protection against reflected xss.

Content Security Policy

Content-Security-Policy: <policy>

Protection against xss. Controls what resources are allowed to load.

HTTP Strict Transport Security (HSTS)

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload // Use a preload list

Connections to the site will use HTTPS, except the first one, if preload is not used.

HTTP Public Key Pinning (HPKP)

Public-Key-Pins: pin-sha256=<base64>; max-age=<expireTime>;
Public-Key-Pins: pin-sha256=<base64>; max-age=<expireTime>; includeSubDomains
Public-Key-Pins: pin-sha256=<base64>; max-age=<expireTime>; report-uri=<reportURI>

Dynamic pinning. Check if the certificate matches the pins stored.


X-Frame-Options: DENY // No one can put the page in an iframe
X-Frame-Options: SAMEORIGIN // Only from the same site
X-Frame-Options: ALLOW-FROM https://example.com/

Avoids clickjacking attack.


X-Content-Type-Options: nosniff;

Solves the "MIME sniffing" problem.


Referrer-Policy: <policy>

Allows you to specify when the browser will set a referer header

Cookies Options

Set-Cookie: <key>=<value>; Expires=<expiryDate>; Secure; HttpOnly; SameSite=strict
// Secure: only sent over HTTPS
// HttpOnly: can not be accessed from javascript
// SameSite: lax or strict. Defends against Cross-Origin Request Forgery (CSRF)



No comments: