SSL secure headers for improved web security
SSL secure headers (more commonly called HTTP security headers) are HTTP response headers that instruct browsers on how to handle the site's content. Only one of them, HSTS, is tied to SSL/TLS itself; the others work regardless of transport. Together they help protect against cross-site scripting (XSS), clickjacking, MIME-type confusion and other content injection attacks. This guide lists the recommended headers, what each value does, and how to check the configuration your browsers actually receive.
For detailed instructions, refer to OWIN Web API server.
Recommended SSL secure headers
HTTP Strict Transport Security (HSTS)
- Purpose: Tells the browser to connect to the site only over HTTPS for max-age seconds (63072000 is two years), so a plain http:// link or a stripped redirect cannot downgrade the connection and expose cookies or credentials to a man-in-the-middle. The browser only honors the header when it arrives over a valid HTTPS connection. includeSubDomains applies the policy to every subdomain, so confirm that all of them serve HTTPS before enabling it; preload requests inclusion in the browsers' built-in HSTS list, which is hard to undo once submitted.
- Header: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options
- Purpose: Stops the browser from MIME-sniffing a response and treating it as a type other than the one declared in Content-Type, so an uploaded file or a misconfigured resource cannot be executed as a script or stylesheet. This only works when every response carries a correct Content-Type header.
- Header: X-Content-Type-Options: nosniff
X-XSS-Protection
- Purpose: Disables the legacy XSS filter that older browsers built in. The value 0 is the recommended setting: current browsers have removed the filter, and where it still exists it could itself be abused to leak information or block legitimate scripts. Rely on Content-Security-Policy for XSS protection instead.
- Header: X-XSS-Protection: 0
Content-Security-Policy (CSP)
- Purpose: Tells the browser which sources may load scripts, styles, images, frames and other resources, so injected markup cannot pull in or run attacker-controlled code. The example policy allows only same-origin resources and blocks inline scripts and styles, which commonly breaks existing pages; roll it out first as Content-Security-Policy-Report-Only with the same value to see what would be blocked before enforcing it.
- Header: Content-Security-Policy: default-src 'self';
Checking secure headers
There are dedicated tools to check for secure headers. However, you can simply run this in PowerShell to list the response headers the site returns (the -UseBasicParsing switch avoids the Internet Explorer parser on Windows PowerShell 5.1 and is accepted on PowerShell 7; note that Invoke-WebRequest throws on a non-2xx status instead of returning the response):
(Invoke-WebRequest https://theWebsite.com/ -UseBasicParsing).Headers
Be aware that there may be network components, such as proxies or load balancers, between you and the inventory server. These components can add, strip or rewrite headers in the HTTP response, so the headers you see might belong to an intermediate component rather than to the inventory server itself. A Server or Via header naming a proxy product is a common sign of this; when in doubt, repeat the check from a host that reaches the inventory server directly.
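As an added example that is not part of the original page, the following PowerShell script combines the two steps above: it fetches the response headers and compares each of the recommended headers with the expected value, reporting which are missing, weak or unexpected, and prints the Server and Via headers as a hint that an intermediate component may have answered. The URL is a placeholder and the HSTS threshold assumes the one-year minimum that the preload list requires.

```powershell
# Added example, not code from the original page. Fetches a site's response
# headers and checks them against the recommended SSL secure headers.
param(
    [string]$Url = 'https://theWebsite.com/'   # placeholder, replace with your site
)

# Expected values. A string is compared case-insensitively, a scriptblock is run
# against the header value, and $null only requires the header to be present.
$expected = [ordered]@{
    # max-age must be at least one year (31536000 s) for the preload list
    'Strict-Transport-Security' = { param($v) ($v -match 'max-age=(\d+)') -and ([int64]$Matches[1] -ge 31536000) }
    'X-Content-Type-Options'    = 'nosniff'
    'X-XSS-Protection'          = '0'
    'Content-Security-Policy'   = $null
}

# -UseBasicParsing avoids the Internet Explorer parser on Windows PowerShell 5.1
# and is accepted (ignored) on PowerShell 7. A non-2xx status throws and stops
# the script, which is the right outcome for a check that needs a real answer.
$response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
$headers  = $response.Headers

# Header names are case-insensitive on the wire, so look them up that way. On
# PowerShell 7 each value is a string[], on 5.1 a string; join either form.
function Get-HeaderValue([string]$Name) {
    $key = $headers.Keys | Where-Object { $_ -ieq $Name } | Select-Object -First 1
    if ($null -eq $key) { return $null }
    return (@($headers[$key]) -join ', ')
}

foreach ($name in $expected.Keys) {
    $value = Get-HeaderValue $name
    $rule  = $expected[$name]
    if ($null -eq $value) {
        $status = 'MISSING'
    } elseif ($rule -is [scriptblock]) {
        $status = if (& $rule $value) { 'OK' } else { 'WEAK' }
    } elseif ($null -ne $rule) {
        $status = if ($value -ieq $rule) { 'OK' } else { 'UNEXPECTED' }
    } else {
        $status = 'PRESENT'
    }
    '{0,-10} {1,-26} {2}' -f $status, $name, $value
}

# Server or Via naming a proxy or load balancer suggests that an intermediate
# component, not the inventory server, produced the headers you just checked.
foreach ($hop in 'Server', 'Via') {
    $v = Get-HeaderValue $hop
    if ($v) { "Hop hint: $hop = $v" }
}
```

Run it as .\Check-SecureHeaders.ps1 -Url https://theWebsite.com/ (the file name is your choice). A Content-Security-Policy line reported as PRESENT still needs a manual read, since the script only confirms the header exists; a policy such as default-src * would pass this check while offering no protection.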