The importance of strengthening website security with HTTP security headers

HTTP header values can carry a wide variety of data, defined either by the HTTP protocol itself or by the recipient (in the case of requests to a server). Security headers are headers defined specifically to provide protection against certain threats. HTTP has a number of standard security headers, and website owners can also define custom headers of their own. However, security headers are typically not enabled by default, so enabling them is the website owner's responsibility.

How HTTP security headers increase website security

HTTP security headers are designed to protect against a wide range of common web attacks. Some examples of threats that can be mitigated using security headers include cross-site scripting attacks, drive-by malware downloads, and cross-site request forgery (CSRF) attacks.

This is possible because security headers are designed to limit some of the dangerous functionality built into web protocols. For example, websites have the ability to embed content from external sources, which could include malicious code. HTTP security headers can be used to limit the sources from which content may be embedded, decreasing the risk posed by such external code.

Without security headers, the full functionality of HTML is available to a site for better or for worse. This exposes a website to common threats, such as XSS or CSRF. Enabling security headers cuts down on these risks, protecting both organizations and their customers.

The most important security headers to enable on your site

The HTTP protocol is designed to include a great deal of flexibility. Web developers can create their own custom headers to provide certain functionality. For example, a common custom header is one that protects against cross-site request forgery attacks. To be successful, a CSRF attack needs the ability to build a valid URL that takes some action on a certain page (such as changing a user’s password). The goal is to force the user’s browser to visit that URL, taking the action on the user’s behalf. Custom CSRF headers use random, single-use values to make this type of attack infeasible because an attacker can’t guess the random value in advance.
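The mechanism described above, as an added example that is not part of the original article: the server issues a random, single-use token tied to the user's session, and a state-changing request is refused unless it carries that token in a custom header. The header name X-CSRF-Token, the session identifiers and the in-memory store are assumptions made for the demonstration.

```python
import hmac
import secrets

class CsrfTokenStore:
    """Issue random, single-use CSRF tokens bound to a session (in-memory store, assumed)."""
    def __init__(self):
        self._issued = {}  # session_id -> set of tokens not yet used

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable in advance
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """True if `presented` matches a live token for this session; the token is then spent."""
        if presented is None:
            return False
        for token in list(self._issued.get(session_id, ())):
            # constant-time comparison on bytes so non-ASCII input cannot raise a TypeError
            if hmac.compare_digest(token.encode(), presented.encode()):
                self._issued[session_id].discard(token)  # single use: a replayed token fails
                return True
        return False

def handle_password_change(store, session_id, headers):
    """State-changing endpoint: refuse unless the X-CSRF-Token header (assumed name) is valid."""
    if not store.consume(session_id, headers.get("X-CSRF-Token")):
        return 403  # a forged cross-site request cannot supply the random value
    return 200
```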

However, in addition to the ability to build custom headers, the HTTP protocol also defines a number of security headers. Enabling these security headers provides a user’s browser with guidance on how best to protect its users against attack. Some of the most important security headers place limitations on the content contained within the webpage, making it harder for an attacker to embed and use malicious content in a legitimate webpage.

Content-Security-Policy

Most web pages assemble their content from a variety of different sources. When a browser reads the HTML code of a site, it likely sees instructions to pull content from other places as well. This can include images, scripts, and other parts of the page. The final content of the page is pieced together from all of these different sources.

While this approach has its benefits, it also creates security risks. If an attacker can modify the HTML of a webpage, they can tell it to pull malicious content from servers under their control. This could allow them to run malicious code within the user's browser to steal sensitive data or perform cryptojacking. The Magecart hacking group specializes in web skimming attacks, where malicious code is inserted into payment pages to steal copies of the credit and debit card data entered by visitors.

The Content-Security-Policy header limits the places from which a browser may load content. If injected content within a page tries to load resources from a source the policy does not permit, the request is blocked, protecting against cross-site scripting and similar code injection attacks.

Example

Content-Security-Policy: script-src 'self'

HTTP Strict Transport Security (HSTS)

The HTTP protocol defines how clients and servers communicate when users browse the web. However, this protocol does not incorporate any security protections. All data is transmitted in plaintext, making it possible for an eavesdropper to read or modify the data without detection.

The HTTPS protocol fixes this problem by wrapping HTTP traffic in encryption using the TLS protocol. This not only protects against eavesdropping but also authenticates the identity of the server, protecting against phishing attacks.

Many modern web browsers use HTTPS by default, but it is still possible to use insecure HTTP when browsing the web. The HSTS security header tells the browser to connect to the site only over HTTPS, making it impossible to use the insecure version of HTTP for that site.

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options

A website can include a variety of different types of content. A basic web page may include HTML to define its structure, CSS for style information, and scripting for interactivity. However, pages may also include media content (images, videos, etc.), downloadable files, and more.

These various types of content pose different levels of risk to the website's visitors. Content that includes executable code, such as embedded scripts or downloadable executables, can allow a web page to deliver malware to a user's computer.

The content within a web page can carry incorrect content type labels. Browsers can perform MIME type sniffing to determine the MIME type of a piece of content from its actual bytes rather than its label, which can cause content labeled as non-executable to be interpreted as executable after all. This support for MIME type sniffing can allow malicious code to sneak past filters that rely upon the correctness of content type labels.

The X-Content-Type-Options header makes it possible to disable MIME type sniffing for a webpage. It states that content labels should be followed, reducing the risk of drive-by downloads and ensuring that content on the site is correctly interpreted.

Example

X-Content-Type-Options: nosniff

X-Frame-Options

Clickjacking attacks are designed to trick users into clicking on malicious or fraudulent content. This may be intended to install malware or provide additional revenue to website owners serving advertisements.

One way to perform clickjacking is to use iframes to embed your content within a malicious site. The X-Frame-Options header limits which sites can embed your content. For example, a site may specify that its content should not be loaded within an iframe on any site, or limit the sites to a specific list.

Example

X-Frame-Options: deny

Track your security headers with Halo Security

HTTP security headers can be used to provide information regarding the content of a webpage or to carry instructions about how a browser should treat a webpage. Enabling them can dramatically improve the security of a website, but since they are optional, it is easy to forget to enable them for a particular website or web page.

For organizations with lots of websites and applications, it’s even more difficult to ensure consistent usage of the HTTP security headers. Halo Security’s Website Monitoring can help to ensure that an organization’s web pages are protected against an attack by monitoring the activity of these pages to check that applicable security headers are enabled. These headers are an essential part of protecting against XSS, CSRF, and other threats to website security.


Editor's note (Oct 2022): This article was originally posted on the TrustedSite blog in May 2021. It has been updated for the Halo Security blog.