

---
title: Http Security Headers
categories: [cheatsheets]
tags: [security, pentesting]
---

HTTP Security Headers

Six important HTTP headers for security.

1) content-security-policy:

Defines the sources from which content is allowed to be loaded.

E.g. content-security-policy: script-src 'self' (scripts may only be loaded from the page's own origin)

More Info:

https://www.keycdn.com/support/content-security-policy/

2) X-XSS-Protection

Tells the browser to enable its built-in XSS filter on all input: x-xss-protection: 1; mode=block. Modern browsers have removed their XSS filters and ignore this header; use a Content-Security-Policy instead.

3) X-Content-Type-Options

Important header against content-type sniffing: a browser can "sniff" the content type of a loaded resource instead of trusting the declared one. E.g. a .png file could contain some JavaScript code; the browser detects the JS and executes the PNG file as a script.

Sniffing can be disabled with: x-content-type-options: nosniff

4) HTTP Strict Transport Security (HSTS)

HSTS tells the browser to enforce an HTTPS connection on subsequent visits. Once a user has entered the site, the browser knows to use HTTPS without being redirected, which mitigates SSL stripping attacks.

strict-transport-security: max-age=31536000; includeSubDomains; preload

5) HTTP Public Key Pinning (HPKP)

This pins a specific public key (from the certificate) to the web server, so the browser rejects a certificate for your domain issued by any other CA, e.g. after a root CA compromise. HPKP has since been removed from all major browsers, and a wrong pin can lock users out of the site for the whole max-age period.

public-key-pins: pin-sha256="<primary key hash, base64>"; pin-sha256="<backup key hash, base64>"; max-age=5184000

6) X-Frame-options

This header provides clickjacking protection by telling the browser whether this page may be rendered inside a frame on another site.

x-frame-options: SAMEORIGIN
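As an added example (not part of the original cheatsheet), the following Python script audits a dictionary of response headers against the six headers above and reports each one as ok, warn or missing. The header sets `HARDENED` and `WEAK`, the HPKP hash placeholders and the minimum HSTS age are constructed for this example.

```python
"""Audit HTTP response headers against the six headers in this cheatsheet."""
from dataclasses import dataclass


@dataclass
class Finding:
    header: str
    level: str   # "ok", "warn" or "missing"
    detail: str


def get_header(headers, name):
    """Case-insensitive lookup: header names are case-insensitive in HTTP."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a CSP into {directive: [sources]}; directives are ';'-separated."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_directives(value):
    """Split 'k=v; flag' style values (HSTS) into a lower-cased dict."""
    out = {}
    for piece in value.split(";"):
        piece = piece.strip()
        if piece:
            key, _, val = piece.partition("=")
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers, min_hsts_age=31536000):
    """Return one Finding per header; min_hsts_age is one year by default."""
    findings = []

    # 1) CSP: script sources must be explicit, with no wildcard or inline scripts.
    csp = get_header(headers, "content-security-policy")
    if csp is None:
        findings.append(Finding("content-security-policy", "missing", "scripts may load from any origin"))
    else:
        script_src = parse_csp(csp).get("script-src") or parse_csp(csp).get("default-src")
        if not script_src:
            findings.append(Finding("content-security-policy", "warn", "no script-src or default-src"))
        elif "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append(Finding("content-security-policy", "warn", "script-src allows wildcard or inline"))
        else:
            findings.append(Finding("content-security-policy", "ok", "script-src " + " ".join(script_src)))

    # 2) X-XSS-Protection: legacy header, only the "1" form is useful where still honoured.
    xss = get_header(headers, "x-xss-protection")
    if xss is None:
        findings.append(Finding("x-xss-protection", "missing", "legacy filter not requested"))
    else:
        level = "ok" if xss.strip().startswith("1") else "warn"
        findings.append(Finding("x-xss-protection", level, xss))

    # 3) X-Content-Type-Options: the only valid value is "nosniff".
    xcto = get_header(headers, "x-content-type-options")
    if xcto is None:
        findings.append(Finding("x-content-type-options", "missing", "MIME sniffing allowed"))
    else:
        level = "ok" if xcto.strip().lower() == "nosniff" else "warn"
        findings.append(Finding("x-content-type-options", level, xcto))

    # 4) HSTS: needs a long max-age and includeSubDomains to cover the whole site.
    hsts = get_header(headers, "strict-transport-security")
    if hsts is None:
        findings.append(Finding("strict-transport-security", "missing", "HTTPS not enforced by browser"))
    else:
        d = parse_directives(hsts)
        age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if age < min_hsts_age:
            findings.append(Finding("strict-transport-security", "warn", f"max-age {age} too short"))
        elif "includesubdomains" not in d:
            findings.append(Finding("strict-transport-security", "warn", "includeSubDomains missing"))
        else:
            findings.append(Finding("strict-transport-security", "ok", hsts))

    # 5) HPKP: a deployable policy needs a primary and a backup pin.
    hpkp = get_header(headers, "public-key-pins")
    if hpkp is None:
        findings.append(Finding("public-key-pins", "missing", "no pins (header is deprecated anyway)"))
    else:
        pins = [p for p in hpkp.split(";") if p.strip().lower().startswith("pin-sha256=")]
        level = "ok" if len(pins) >= 2 else "warn"
        findings.append(Finding("public-key-pins", level, f"{len(pins)} pin(s), 2 required"))

    # 6) X-Frame-Options: only DENY and SAMEORIGIN are meaningful values.
    xfo = get_header(headers, "x-frame-options")
    if xfo is None:
        findings.append(Finding("x-frame-options", "missing", "page may be framed anywhere"))
    else:
        level = "ok" if xfo.strip().upper() in ("DENY", "SAMEORIGIN") else "warn"
        findings.append(Finding("x-frame-options", level, xfo))
    return findings


def summarize(findings):
    """Collapse findings to {header: level} for quick comparison."""
    return {f.header: f.level for f in findings}


# Constructed sample header sets (not captured from any real server).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Public-Key-Pins": 'pin-sha256="PRIMARY_HASH_PLACEHOLDER="; pin-sha256="BACKUP_HASH_PLACEHOLDER="; max-age=5184000',
    "X-Frame-Options": "SAMEORIGIN",
}
WEAK = {
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "strict-transport-security": "max-age=300",
    "x-frame-options": "ALLOWALL",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"== {name} ==")
        for f in audit_headers(hdrs):
            print(f"{f.level:8} {f.header}: {f.detail}")
```

Feed it the headers from a real response (e.g. the dict returned by `requests.head(url).headers`) to get the same report for a site you operate; the lookup is case-insensitive so header capitalisation does not matter.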