There are millions of websites around the globe that are publicly available. Because of this public availability, websites have become active targets for hackers, so website owners are constantly trying to understand the threat landscape and develop solutions for threat mitigation. HTTP security headers provide mitigation for various threats, including cross-site scripting, clickjacking, code injection and drive-by download attacks. This article describes the most used HTTP security headers, how each one mitigates its threat, and how to configure them on Apache and NGINX web servers.

HTTP security headers covered in this article:

Content Security Policy (CSP)
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
HTTP Public Key Pins (HPKP)
HTTP Strict Transport Security (HSTS)

Content Security Policy (CSP)

Overview

Web browsers trust all the content of a website, including its web pages, style sheets, fonts and JavaScript files. Because of this trust relationship, browsers load and execute all the content of a website without any content authentication. This browser behavior can be exploited by hackers in running
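As an added example (not code from the original article), the script below audits a raw HTTP response header block for the six headers this article covers and, for any header an administrator decides to add, renders the matching Apache and NGINX directive. The sample response is constructed for the example; the header values passed to the renderer are chosen by the caller and are not recommendations taken from the article.

```python
"""Audit an HTTP response for the security headers this article covers
and render a chosen header as an Apache or NGINX configuration line.

Added example; the sample response below is constructed, not captured
from any real site."""

# Header names (lower-cased for comparison) mapped to the labels the
# article uses for them.
SECURITY_HEADERS = {
    "content-security-policy": "Content Security Policy (CSP)",
    "x-xss-protection": "X-XSS-Protection",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "public-key-pins": "HTTP Public Key Pins (HPKP)",
    "strict-transport-security": "HTTP Strict Transport Security (HSTS)",
}


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw response header block into a {lower-name: value} dict.

    The status line (HTTP/...) and any malformed line without a colon are
    skipped; header names are case-insensitive per HTTP, so they are
    lower-cased for lookup."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: dict) -> dict:
    """Report which of the covered headers are present (with their values)
    and which are missing, in the article's order."""
    present, missing = {}, []
    for key, label in SECURITY_HEADERS.items():
        if key in headers:
            present[label] = headers[key]
        else:
            missing.append(label)
    return {"present": present, "missing": missing}


def render_directive(server: str, name: str, value: str) -> str:
    """Render one response header as a config line for Apache (mod_headers)
    or NGINX. 'always' / the trailing 'always' keyword make the header apply
    to error responses as well as 200s."""
    if server == "apache":
        return f'Header always set {name} "{value}"'
    if server == "nginx":
        return f'add_header {name} "{value}" always;'
    raise ValueError(f"unsupported server: {server}")


# Constructed sample: a response that sets three of the six headers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    report = audit_security_headers(parse_raw_headers(SAMPLE_RESPONSE))
    for label, value in report["present"].items():
        print(f"present: {label}: {value}")
    for label in report["missing"]:
        print(f"missing: {label}")
    # Example of rendering a header the administrator has chosen to add.
    print(render_directive("nginx", "X-Frame-Options", "SAMEORIGIN"))
    print(render_directive("apache", "X-Frame-Options", "SAMEORIGIN"))
```

Run against a header block captured with `curl -I` (or any HTTP client) the audit tells you at a glance which of the article's headers a server is not yet sending; `render_directive` then gives the line to drop into the relevant vhost or server block once a value has been decided.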