What are Security Headers?
These are a set of commands or directives configured for your website or web server. These directives tell the browsers what is allowed and what isn’t allowed for your website in terms of security and code execution. This helps protect the client browsers and also your website, from attacks and malicious code, so it provides all around defense.
More information: Configure HTTP securmyBharatisgreat9ity headers | Deep Security (trendmicro.com)
In this video we’ll walkthrough 8 types of security headers and enable them on the OpenLiteSpeed server.
1) X Frame Options
Adding this Header directive helps avoid click-jacking attacks, and ensures that the website content is not embedded into other sites. Prevents <iframe> tag usage.
Header set X-Frame-Options "sameorigin"
2) Strict Transport Security (HSTS)
Force communication using HTTPS instead of HTTP and informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
3) Content Security Policy
This is the most comprehensive however it is the one that has to be implemented uniquely for every site. There generally isn’t a one size fits all approach however I found a site that provides a set of rules for WordPress based sites. This helps guard against cross-site scripting attacks
Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
The header is setting the allowed source(s) for fonts, images, scripts, and styles. For each of these, a secure HTTPS connection is required. The only exception is also to allow data URIs as a source for fonts and images. More Information: https://htaccessbook.com/important-security-headers/#csp
4) X-Content-Type-Options
The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.
Header set X-Content-Type-Options "nosniff"
5) Referrer Policy
Controls how much referrer information (sent with the Referer header) should be included with requests. This as with CSP will be your preference. I’ll link to documentation that will explain the options but here is one common one.
Header set Referrer-Policy "no-referrer-when-downgrade"
6) Feature Policy / Permissions Policy
Header that allows a site to control which features and APIs can be used in the browser. You can add or modify the options here based on your site’s needs.
Header set Feature-Policy "geolocation 'self'; vibrate 'none'" Header set Permissions-Policy "geolocation=(self), vibrate=()"
7) X Permitted Cross Domain Policies
You can implement this header to instruct the browser on how to handle the requests over a cross-domain. By implementing this header, you restrict loading your site’s assets from other domains to avoid resource abuse
Header set X-Permitted-Cross-Domain-Policies "none"
8) X XSS Protection
‘X XSS Protection header’ helps prevent ‘cross site scripting’ (XSS) attacks. It was primarily for older browsers is unnecessary in modern browsers when you implement a strong Content-Security-Policy. But if your Content Security Policy needs to be adjusted for your specific needs, then it is a good idea to add this regardless.
Header set X-XSS-Protection "1; mode=block"
Video
Links:
https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://help.deepsecurity.trendmicro.com/aws/http-security-headers.html
All videos tutorials on the website as well as the YouTube channel aim to provide a simplified process for a specific scenario; there could be many different factors and unique use cases you may have. The tutorials may not cover every situation; so treat is as a starting point or learning concept to apply to your unique situations, and consider this inspiration but not prescription or explicit direction.
