About
In HTTP, security is configured through:
- response headers (known as security headers) that constrain how the browser loads and executes the page
- cookie attributes, mostly SameSite, that control whether the browser sends the cookie back on a given request
Elements of HTTP security
Header
Response HTTP headers that control the browser and have an effect on security:
- Content-Security-Policy (CSP): prevents cross-site scripting (XSS), clickjacking and other code injection attacks that result from malicious content executing in the context of the trusted page
- X-Frame-Options: forbids framing of the page (or restricts it to the same origin) to avoid clickjacking. Example:
X-Frame-Options: SAMEORIGIN
- Strict-Transport-Security (HSTS): mandatory HTTPS, the browser uses only https for the host after seeing this header
- X-Content-Type-Options: stops the browser from MIME-sniffing the content type and forces it to stick with the declared Content-Type. Example:
X-Content-Type-Options: nosniff
- X-XSS-Protection: with the default behaviour, the browser prevents rendering of the page when a reflected cross-site scripting (XSS) attack is detected. Note that Chromium removed its XSS auditor in 2019 and Firefox never implemented one, so the header has no effect in those browsers. Example:
X-XSS-Protection: 1; mode=block
- X-Robots-Tag: tells search engines not to index the page. Example:
X-Robots-Tag: none
- Referrer-Policy: controls what the browser sends in the Referer header (to not leak private URLs)
- Permissions-Policy: lets you control which browser features and APIs (camera, microphone, geolocation, ...) the page and its frames may use. It was previously named Feature-Policy; the full list of directives is given in the Permissions Policy specification. Example:
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
- CORS headers: control cross-origin requests issued by JavaScript running in a page (i.e. requests embedded in a page, not top-level navigations)
Cookie
The SameSite attribute and the cookie scope (Domain and Path) control whether the browser sends the cookie back, in particular in a cross-site context or not.
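The checks a defender would run against the two lists above (the security headers and the cookie attributes) can be written as a small audit of a raw HTTP response. The following is an added example, not code from the page's author: it parses a constructed sample response (the cookie names, values and header values are assumptions for illustration) and reports which headers are missing or weak and which Set-Cookie lines lack Secure, HttpOnly or a usable SameSite value.

```python
"""Audit security headers and Set-Cookie attributes in one HTTP response.

Added example for this page (not the page author's code). SAMPLE_RESPONSE is
constructed: the cookie names/values and header values are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample response; not a capture from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: tracker=xyz; Path=/; SameSite=None\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    "<html>...</html>"
)

Header = Tuple[str, str]


def parse_response(raw: str) -> List[Header]:
    """Return (lowercased name, value) pairs for the header block.
    Duplicates are kept: Set-Cookie legitimately appears once per cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Header] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def get(headers: List[Header], name: str) -> Optional[str]:
    return next((v for n, v in headers if n == name), None)


def get_all(headers: List[Header], name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def audit_headers(headers: List[Header]) -> List[str]:
    """Findings for the response-header list of the page, as 'kind:header' strings."""
    findings: List[str] = []
    if get(headers, "content-security-policy") is None:
        findings.append("missing:content-security-policy")
    xfo = get(headers, "x-frame-options")
    if xfo is None:
        findings.append("missing:x-frame-options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak:x-frame-options")
    # HSTS only matters on an HTTPS response; the raw text does not tell us the
    # transport, so this is reported unconditionally here.
    if get(headers, "strict-transport-security") is None:
        findings.append("missing:strict-transport-security")
    if (get(headers, "x-content-type-options") or "").lower() != "nosniff":
        findings.append("missing:x-content-type-options")
    rp = get(headers, "referrer-policy")
    if rp is None:
        findings.append("missing:referrer-policy")
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        # Both send the full URL (path and query) to other origins.
        findings.append("leaky:referrer-policy")
    if get(headers, "permissions-policy") is None:
        findings.append("missing:permissions-policy")
    acao = get(headers, "access-control-allow-origin")
    acac = (get(headers, "access-control-allow-credentials") or "").lower()
    if acao == "*" and acac == "true":
        # Browsers reject this combination; it usually means the CORS config is wrong.
        findings.append("invalid:cors-wildcard-with-credentials")
    elif acao == "*":
        findings.append("open:cors-wildcard-origin")
    return findings


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, object]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and its attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.lower()] = v
        elif p:
            attrs[p.lower()] = True
    return name, attrs


def audit_cookies(headers: List[Header]) -> List[str]:
    """Findings for the cookie section of the page, as 'cookie:problem' strings."""
    findings: List[str] = []
    for raw in get_all(headers, "set-cookie"):
        name, attrs = parse_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"{name}:missing-secure")
        if "httponly" not in attrs:
            findings.append(f"{name}:missing-httponly")
        samesite = str(attrs.get("samesite", "")).lower()
        if not samesite:
            findings.append(f"{name}:missing-samesite")  # be explicit, do not rely on browser defaults
        elif samesite == "none" and "secure" not in attrs:
            findings.append(f"{name}:samesite-none-without-secure")  # current browsers drop such cookies
    return findings


if __name__ == "__main__":
    hdrs = parse_response(SAMPLE_RESPONSE)
    for f in audit_headers(hdrs) + audit_cookies(hdrs):
        print(f)
```

Each finding maps back to one line of the page's list, so the output doubles as a checklist: the sample response lacks CSP, HSTS and Permissions-Policy, leaks full URLs through Referrer-Policy, combines a wildcard CORS origin with credentials, and sets a SameSite=None cookie without Secure.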