03-security-headers.md

File metadata and controls

31 lines (24 loc) · 7.85 KB
---
title: The check on https://securityheaders.com/ gives at least a “B” grade
---

# The check on https://securityheaders.com/ gives at least a “B” grade

## Description

Securing the website with appropriate HTTP security headers is critical for protecting against various attacks.

- **Testing**: Regularly test the site on https://securityheaders.com/ to verify the grade. Adjust configurations as necessary to maintain or improve the grade.
- **Documentation and Compliance**: Document these configurations and ensure they comply with industry best practices and organizational security policies.
- **Monitoring**: Implement ongoing monitoring to promptly detect and address any changes that could impact the security headers and overall grade.

Recommended values:

| Header | Recommended value | Comment |
|---|---|---|
| X-Frame-Options | `DENY` | |
| X-XSS-Protection | `0` | Use Content Security Policy (CSP) instead. Even though this header can protect users of older web browsers that don't yet support CSP, in some cases it can create XSS vulnerabilities in otherwise safe websites. |
| X-Content-Type-Options | `nosniff` | |
| Referrer-Policy | `strict-origin-when-cross-origin` | |
| Content-Type | `text/html; charset=UTF-8` | Although it is recommended to always set the Content-Type header correctly, a missing or wrong value constitutes a vulnerability only if the content is intended to be rendered by the client and the resource is untrusted (provided or modified by a user). |
| Strict-Transport-Security | `max-age=63072000; includeSubDomains; preload` | If the HSTS header is misconfigured, or if there is a problem with the SSL/TLS certificate in use, legitimate users might be unable to access the website. For example, if the HSTS header is set to a very long duration and the certificate expires or is revoked, legitimate users might be locked out until the HSTS duration has expired. |
| Access-Control-Allow-Origin | `https://.com` | Set specific origins instead of `*`. |
| Cross-Origin-Opener-Policy | `same-origin` | |
| Cross-Origin-Embedder-Policy | `require-corp` | You can bypass it for specific resources by adding the `crossorigin` attribute. |
| Cross-Origin-Resource-Policy | `same-site` | |
| Permissions-Policy | `geolocation=(), camera=(), microphone=()` | Disable all the features that your site does not need. |
| Content-Security-Policy | Create a CSP for each project | A CSP should be written for each project/website you create. |
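The Testing and Monitoring bullets above ask for a repeatable check, and the table gives the values to check against. The following script is an added example (not part of this checklist or of any project it belongs to) that audits a set of response headers against those recommended values and reports what deviates. The expected values are taken from the table; the function names (`audit_headers`, `parse_hsts`, `fetch_headers`) and the two sample responses are constructed for illustration, and `fetch_headers` is only there to plug the audit into a live check and is not needed to run the sample.

```python
"""Audit HTTP response headers against the recommended values in the table above.

Added example, not part of the original checklist. Expected values come from
the table; helper names and sample responses are constructed for illustration.
"""
import re
import urllib.request

# Headers whose value must match exactly (compared case-insensitively).
EXACT = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-resource-policy": "same-site",
}
HSTS_MIN_AGE = 63072000  # two years, as recommended in the table
PERMISSIONS_TO_DISABLE = ("geolocation", "camera", "microphone")


def normalize(headers):
    """Lower-case header names and trim values so lookups are case-insensitive."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) parsed from an HSTS value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives, "preload" in directives


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = normalize(headers)
    findings = []
    for name, expected in EXACT.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"{name}: missing (expected '{expected}')")
        elif actual.lower() != expected:
            findings.append(f"{name}: '{actual}' (expected '{expected}')")
    # X-XSS-Protection should be 0 or absent; CSP replaces it.
    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append("x-xss-protection: set to 0 or remove it; rely on CSP instead")
    # HTML documents should declare a charset in Content-Type.
    ctype = h.get("content-type", "").lower()
    if ctype.startswith("text/html") and "charset=" not in ctype:
        findings.append("content-type: HTML served without an explicit charset")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security: missing")
    else:
        max_age, subdomains, preload = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append(f"strict-transport-security: max-age should be >= {HSTS_MIN_AGE}")
        if not subdomains:
            findings.append("strict-transport-security: add includeSubDomains")
        if not preload:
            findings.append("strict-transport-security: add preload")
    # A wildcard CORS origin is the value the table warns against.
    if h.get("access-control-allow-origin") == "*":
        findings.append("access-control-allow-origin: '*' allows any origin; list specific origins")
    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("permissions-policy: missing")
    else:
        for feature in PERMISSIONS_TO_DISABLE:
            if f"{feature}=()" not in pp.replace(" ", ""):
                findings.append(f"permissions-policy: {feature} is not disabled")
    if "content-security-policy" not in h:
        findings.append("content-security-policy: missing")
    return findings


def fetch_headers(url, timeout=10):
    """Fetch response headers with a HEAD request (needs network; not used by the sample)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses; not captured from any real site.
GOOD_RESPONSE = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-site",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Content-Security-Policy": "default-src 'self'",
}
WEAK_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Access-Control-Allow-Origin": "*",
}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        result = audit_headers(resp)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it as-is to see the two sample responses scored, or call `audit_headers(fetch_headers("https://your-site.example"))` from a scheduled job and alert when the returned list is non-empty; that gives the ongoing monitoring the checklist asks for without depending on an external scanner, while https://securityheaders.com/ remains the reference for the grade itself.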