What are HTTP security headers and why should you implement them?

July 22, 2019

HTTP security headers are a fundamental part of website security. Believe it or not, hardly anyone implements them! Check your site for free here and you may find you have no security headers activated at all! It doesn’t cost anything to implement and once implemented they protect you against most types of attacks your site is most likely to come across such as code injection, clickjacking, XSS and more.

What are HTTP security headers?

When a customer visits your site through their phone or computer, your web server responds with what we call HTTP response headers. These simply tell your customers device how to behave when communicating with your website.

These headers can the configured to improve security of your website.

Which headers should I configure?

There are many headers you can configure however we will focus on these 5 we strongly recommend you implement.

X-Frame-Options

This header tells the browser whether you allow your site to be frame or not. Preventing this will defend your site against attacks such as ‘clickjacking’ which is a way of tricking a user to click and communicate with something masquerading as your website.

Set this to ‘Deny’ or ‘Sameorigin’. Deny prevent all website frame attempts whereas Sameorigin allows your own website to use frames of itself.

X-XSS-Protection

This protects against Cross-Site Scripting attacks. These attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. This is usually enable by default anyway but setting this header will re-enable this for your website if it was disable by the user.

The best configuration for this is “X-XSS-Protection: 1;mode=block”

X-Content-Type-Options

The X-Content-Type header protects against MIME sniffing. MIME sniffing is a way of inspecting the files on your website which can then be fakes. This opens your site up to scripting attacks.

This should be set to ‘nosniff’

Strict-Transport-Security

This forces the website to load over secure HTTPS and not HTTP and defends against Man-in-the-middle attacks. Your site will require an SSL certificate for this which is a must have in 2019. There’s no need to pay for an SSL certificate either. Our hosting comes with free SSL certificates or you can use services such as Cloudflare.

We recommend this header should be set to “max-age=16070400; includeSubDomains”

Referrer-Policy

This is a fairly new header that allows your website to control how much information is passed on when a user clicks a link away from your site.

We recommend setting this to “same-origin” which will only send information to your own site.

How do I implement these security headers on my site?

It is best to contact your host to implement these as incorrect changes to website configuration files can bring a website down very quickly.

This website has very good instructions if you wish to implement them yourself. As with all changes, backup your site before hand!

If you are hosted with us, good news! These are already configured by default. If you’d like to migrate to us, please contact us and we’d be happy to discuss.

Related Posts

Google will soon read websites to you!

Google will soon read websites to you!

Google announced during CES 2020 on Tuesday (7th Jan 2020) that Google Assistant will soon be able to read websites back to you. This could offer easier access to information for people who are visually impaired. If the website is in a foreign language, it’ll...

Urgent Divi Theme Security Update

Urgent Divi Theme Security Update

The developers of the Divi WordPress theme Elegant Themes have released an urgent security patch to fix a recently discovered vulnerability. The Problem A code injection vulnerability was discovered by the Elegant Themes team during a routine code audit that could...

10 Cyber Security Tips For Small Businesses

10 Cyber Security Tips For Small Businesses

Did you know that 72% of cyber-attacks are against businesses with less than 100 employees? The headlines often only highlight major data breaches in large corporations but the truth is that the vast majority of hacks are against small businesses. Small businesses are...