---
title: Http Security Headers
categories: [cheatsheets]
tags: [security, pentesting]
---

# HTTP Security Header

6 important HTTP headers for security.

## 1) Content-Security-Policy

Defines the sources from which content is allowed to be loaded.

Eg. `Content-Security-Policy: script-src 'self'`

More info: https://www.keycdn.com/support/content-security-policy/

## 2) X-XSS-Protection

Tells the browser to use its built-in XSS filter on all input:

`X-XSS-Protection: 1; mode=block`

## 3) X-Content-Type-Options

Important header against content-type sniffing: a browser can "sniff" the content type of a loaded resource, e.g. a .png file could contain some JavaScript code, the browser detects the JS and executes the png file as a script. This can be disabled by:

`X-Content-Type-Options: nosniff`

## 4) HTTP Strict Transport Security (HSTS)

HSTS tells the browser to enforce an HTTPS connection on the next visit. So when a user enters the site, the browser knows to use the HTTPS protocol; this mitigates SSL stripping attacks.

`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

## 5) HTTP Public Key Pinning (HPKP)

This is used to pin a specific public key (from the certificate) to the web server, so the browser will not accept a certificate for your domain that was issued by another CA, e.g. when a root CA is compromised.

`Public-Key-Pins: pin-sha256="publickey_in_base64"; max-age=5184000`

## 6) X-Frame-Options

This header provides clickjacking protection by preventing the page from being loaded in an iframe on other sites (SAMEORIGIN only permits framing from the same origin).

`X-Frame-Options: SAMEORIGIN`
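Added example (not part of the original cheatsheet): a small Python audit function that checks a captured set of response headers for the items above (CSP, X-Content-Type-Options, HSTS, X-Frame-Options). X-XSS-Protection and HPKP are left out of the checks because most current browsers have removed support for them; the two header sets are constructed sample input, not headers from any real site.

```python
"""Audit HTTP response headers against the security headers on this page.

Input is a dict of header name -> value as received by a client (header
names are case-insensitive, so they are normalised first). Returns a list
of findings; an empty list means every check passed.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age value recommended for HSTS


def audit_security_headers(headers):
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # 1) CSP must exist, and a script-src that allows 'unsafe-inline'
    #    defeats its main purpose (blocking injected inline scripts)
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append("Content-Security-Policy: script-src allows 'unsafe-inline'")

    # 3) MIME sniffing: the only meaningful value is "nosniff"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # 4) HSTS: require a max-age of at least one year
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security or its max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age={m.group(1)} is under one year")

    # 6) Clickjacking: only DENY and SAMEORIGIN are valid X-Frame-Options values
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    return findings


# Constructed sample inputs: one hardened response, one weak response
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
}
BAD_HEADERS = {
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(name, audit_security_headers(hdrs) or "OK")
```

Feed it the headers from a real response (e.g. parsed out of a `curl -I` capture) to get a quick pass/fail list per site.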