HTTP - Security Headers

HTTP - Security Headers

About

In HTTP, the security is done via the setting of response header known as security header. They drives the execution of the browser page load

response HTTP header that control the browser and have an effect on security:

Content-Security-Policy (CSP): to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context
X-Frame-Options: No frame to avoid clickjacking
Strict-Transport-Security: HTTP - Strict Transport Security (HSTS) - mandatory HTTPS: uses only https
X-Content-Type-Options: Stops the browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type

X-Content-Type-Options: nosniff

Referrer-Policy: HTTP - Referrer-Policy Header (to not leak private url)
Permissions-Policy: This header allows you to control which features and APIs can be used in the browser. It was previously named Feature-Policy. You can view the full list of permission options here.

Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

Tools

https://securityheaders.com/

Documentation / Reference

https://nextjs.org/docs/advanced-features/security-headers

Recommended Pages

HTTP - Content security policy (CSP)

CSP is a security response header that define the behaviors that are trusted in your HTML page. CSP can be used to detect and mitigate against the effects of certain attacks, such as: Cross Site Scr "...

HTTP - Referrer-Policy Header

The referrer policy is a security response header that modifies the algorithm used to populate the Referer header when: fetching subresources, prefetching, or performing navigations. referrerpolicy "...

Web - Security

in a Web app By Technology Email Dmarc By Attack Cross-site Scripting ... Tools s-rah/onionscanonionscan Burp Burp Suite (Java based) Burp Suite "...

Share this page: