There are some super simple ways to reduce the security risk of your websites by setting a few HTTP response headers that you might never have heard of.
Modern browsers recognise security focused HTTP headers that can be implemented without needing to make big application changes.
It’s easy too; I made all the websites I manage more secure within an hour!
Adding the HTTP headers
Start by checking your website’s current headers; I used securityheaders.io for this.
Yeah, not a great start, but let’s change this, starting by adding the following:
X-Frame-Options: DENY
Denotes whether the website may be loaded in a frame. Options include DENY, SAMEORIGIN and ALLOW-FROM uri.
X-Content-Type-Options: "nosniff"
Prevents the browser from sniffing a response’s MIME type and overriding the declared Content-Type. Useful if hosting potentially untrusted content such as user uploads.
X-XSS-Protection: "1; mode=block"
IE8 and above have XSS protection turned off by default; this header re-enables it, and mode=block stops the page from rendering rather than trying to sanitise it.
Applying these low-risk headers (unlikely to break the majority of websites) will quickly bring the site up to a D rating.
The next two can cause issues if done incorrectly, but that risk can be mitigated by running tests first.
Strict-Transport-Security: "max-age=31536000"
Tells the browser that every page on this domain must be loaded over HTTPS and never HTTP; the browser remembers the rule for max-age seconds, here one year, before it will re-check.
Just make sure that everything on that domain is accessible over HTTPS, or set a smaller max-age if you’re unsure. There is a caveat with the initial request (the browser has not yet seen the header on its very first visit), so read more about HSTS preload.
Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'; report-uri https://gears.report-uri.io/r/default/csp/enforce
This one is a bit more involved. The CSP header defines where content can be loaded from, how it should get there and where it can appear.
Since this is a bit more complex I opted for a fairly relaxed Report-Only header that will send a warning message to the report-uri but not block it. Once I’m happy with the rule I will upgrade it to a non-report-only header and continue to iterate until I find the strictest rule that works.
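As an added example (not from the original post), here is a small checker for the five headers discussed above; it parses the HSTS max-age and treats a Report-Only CSP as not yet enforced. The sample headers are constructed to stand in for what you would capture from a real response.

```python
import re

# Constructed sample: what a response might carry after the headers above are set
AFTER_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy-Report-Only": "default-src https:; script-src https: 'unsafe-inline'",
}

def check_security_headers(headers, min_hsts_age=31536000):
    """Return {header: (ok, note)} for the five headers discussed in the post.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}

    # Only DENY and SAMEORIGIN are honoured by every browser; ALLOW-FROM is flagged
    xfo = h.get("x-frame-options", "").upper()
    results["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")

    xcto = h.get("x-content-type-options", "").lower()
    results["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")

    xss = h.get("x-xss-protection", "")
    results["X-XSS-Protection"] = (xss.startswith("1"), xss or "missing")

    # HSTS only helps if max-age is present and long enough to matter
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    age = int(m.group(1)) if m else 0
    results["Strict-Transport-Security"] = (age >= min_hsts_age,
                                            f"max-age={age}" if m else "missing")

    # A Report-Only CSP reports violations but blocks nothing, so it does not pass
    if "content-security-policy" in h:
        results["Content-Security-Policy"] = (True, "enforced")
    elif "content-security-policy-report-only" in h:
        results["Content-Security-Policy"] = (False, "report-only, not enforced")
    else:
        results["Content-Security-Policy"] = (False, "missing")
    return results

def passing_count(headers):
    return sum(ok for ok, _ in check_security_headers(headers).values())

if __name__ == "__main__":
    for name, (ok, note) in check_security_headers(AFTER_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {note}")
```

To run it against a live site, feed it the header dictionary from a real response (for example from `requests.head(url).headers`); a passing count of 5 means every header is present and the CSP is enforced rather than report-only.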
In just under an hour I was able to implement the major security headers to help protect visitors of these websites!
I recommend testing websites of your own at securityheaders.io. Sign up at report-uri.io to start using their tools to add and report on CSP and HPKP. Both tools are built by security consultant Scott Helme.
For more information about these security headers check out OWASP’s overview.