What are HTTP security headers and why should you implement them?
HTTP security headers are a fundamental part of website security. Believe it or not, hardly anyone implements them! Check your site for free here and you may find you have no security headers activated at all! It doesn’t cost anything to implement and once implemented they protect you against most types of attacks your site is most likely to come across such as code injection, clickjacking, XSS and more.
What are HTTP security headers?
When a customer visits your site through their phone or computer, your web server responds with what we call HTTP response headers. These simply tell your customers device how to behave when communicating with your website.
These headers can the configured to improve security of your website.
Which headers should I configure?
There are many headers you can configure however we will focus on these 5 we strongly recommend you implement.
This header tells the browser whether you allow your site to be frame or not. Preventing this will defend your site against attacks such as ‘clickjacking’ which is a way of tricking a user to click and communicate with something masquerading as your website.
Set this to ‘Deny’ or ‘Sameorigin’. Deny prevent all website frame attempts whereas Sameorigin allows your own website to use frames of itself.
This protects against Cross-Site Scripting attacks. These attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. This is usually enable by default anyway but setting this header will re-enable this for your website if it was disable by the user.
The best configuration for this is “X-XSS-Protection: 1;mode=block”
The X-Content-Type header protects against MIME sniffing. MIME sniffing is a way of inspecting the files on your website which can then be fakes. This opens your site up to scripting attacks.
This should be set to ‘nosniff’
This forces the website to load over secure HTTPS and not HTTP and defends against Man-in-the-middle attacks. Your site will require an SSL certificate for this which is a must have in 2019. There’s no need to pay for an SSL certificate either. Our hosting comes with free SSL certificates or you can use services such as Cloudflare.
We recommend this header should be set to “max-age=16070400; includeSubDomains”
This is a fairly new header that allows your website to control how much information is passed on when a user clicks a link away from your site.
We recommend setting this to “same-origin” which will only send information to your own site.
How do I implement these security headers on my site?
It is best to contact your host to implement these as incorrect changes to website configuration files can bring a website down very quickly.
This website has very good instructions if you wish to implement them yourself. As with all changes, backup your site before hand!
If you are hosted with us, good news! These are already configured by default. If you’d like to migrate to us, please contact us and we’d be happy to discuss.