What are HTTP security headers and why should you implement them?

July 22, 2019

HTTP security headers are a fundamental part of website security. Believe it or not, hardly anyone implements them! Check your site for free here and you may find you have no security headers activated at all! They cost nothing to implement and, once in place, they protect you against most of the attack types your site is likely to come across, such as code injection, clickjacking, XSS and more.

What are HTTP security headers?

When a customer visits your site from their phone or computer, your web server responds with what we call HTTP response headers. These simply tell your customer's device how to behave when communicating with your website.

These headers can be configured to improve the security of your website.

Which headers should I configure?

There are many headers you can configure, but we will focus on these five, which we strongly recommend you implement.

X-Frame-Options

This header tells the browser whether or not you allow your site to be framed. Preventing framing defends your site against attacks such as ‘clickjacking’, which is a way of tricking a user into clicking on and interacting with something masquerading as your website.

Set this to ‘Deny’ or ‘Sameorigin’. Deny prevents all attempts to frame your website, whereas Sameorigin allows your own website to frame itself.

X-XSS-Protection

This protects against Cross-Site Scripting attacks. These attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. This protection is usually enabled in the browser by default anyway, but setting this header will re-enable it for your website if the user has disabled it.

The best configuration for this is “X-XSS-Protection: 1;mode=block”

X-Content-Type-Options

The X-Content-Type-Options header protects against MIME sniffing. MIME sniffing is where the browser inspects the contents of files on your website to guess their type instead of trusting the declared type, which allows file types to be faked. This opens your site up to scripting attacks.

This should be set to ‘nosniff’.

Strict-Transport-Security

This forces the website to load over secure HTTPS rather than HTTP and defends against man-in-the-middle attacks. Your site will require an SSL certificate for this, which is a must-have in 2019. There’s no need to pay for an SSL certificate either: our hosting comes with free SSL certificates, or you can use services such as Cloudflare.

We recommend this header should be set to “max-age=16070400; includeSubDomains”

Referrer-Policy

This is a fairly new header that allows your website to control how much information is passed on when a user clicks a link away from your site.

We recommend setting this to “same-origin” which will only send information to your own site.
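To check whether a response actually carries the five headers above with the recommended values, here is a small audit function. It is an added example, not code from the original post; the header dictionaries are constructed samples, and the function names and the acceptance of ‘no-referrer’ (which sends less than ‘same-origin’) are the example's own choices.

```python
from typing import Dict, List

# Minimum HSTS max-age the article recommends (186 days).
HSTS_MIN_AGE = 16070400

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Check one response's headers against the five recommendations.
    Returns a list of findings; an empty list means all five pass."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: set DENY or SAMEORIGIN (clickjacking)")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection: set '1; mode=block'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: set 'nosniff' (MIME sniffing)")
    # HSTS is a ';'-separated directive list; parse max-age and look for
    # includeSubDomains rather than string-matching the whole value.
    hsts = h.get("strict-transport-security", "")
    directives = [d.strip().lower() for d in hsts.split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d[len("max-age="):])
            except ValueError:
                max_age = 0
    if max_age < HSTS_MIN_AGE or "includesubdomains" not in directives:
        findings.append("Strict-Transport-Security: set 'max-age=16070400; includeSubDomains'")
    # 'no-referrer' is accepted too: it sends strictly less than 'same-origin'.
    if h.get("referrer-policy", "").lower() not in ("same-origin", "no-referrer"):
        findings.append("Referrer-Policy: set 'same-origin'")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {"Content-Type": "text/html", "Server": "example"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
    "Referrer-Policy": "same-origin",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_security_headers(resp) or ["all five headers OK"])
```

To run it against a live site, pass the `dict` of a real response's headers (for example `dict(requests.get(url).headers)`) in place of the constructed samples.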

How do I implement these security headers on my site?

It is best to contact your host to implement these, as incorrect changes to website configuration files can bring a website down very quickly.

This website has very good instructions if you wish to implement them yourself. As with all changes, back up your site beforehand!

If you are hosted with us, good news! These are already configured by default. If you’d like to migrate to us, please contact us and we’d be happy to discuss.
