What exactly are HTTP Security Headers and how do they help secure a website?
HTTP Security Headers are special pieces of information that a web server transmits to the browser along with a web page. They give the browser instructions on how to load, display, or block content. This significantly reduces typical security risks such as man-in-the-middle attacks, clickjacking, or the injection of malicious code. With the right security headers, the protective layer of a website can be specifically strengthened – without the user noticing.
How can you set HTTP Security Headers?
HTTP security headers can be set in three different ways:
- via an HTML meta tag in the HTML code
- via a server-side scripting language
- via direct configuration of the web server (e.g., .htaccess)
Set in HTML using a meta tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
Setting in PHP
<?php header("Content-Security-Policy: default-src 'self'; script-src 'self'");
In the .htaccess file
Header add Content-Security-Policy "default-src 'self';"
What Security Headers are there?
High importance:
Medium importance:
Low importance:
Strict-Transport-Security (HSTS)
Importance: HIGH
The header only makes sense if HTTPS is in use, as this header instructs the browser not to accept any requests without HTTPS. All requests made via HTTP only are blocked. This prevents man-in-the-middle attacks and cookie hijacking.
You may be familiar with this situation: you accidentally insert an image path with http:// instead of https://, and the image cannot be loaded because the browser blocks it.
Recommendation:
- max-age ≥ 31536000
- includes includeSubDomains
- optional: preload.
Risks:
- high: if Header is missing and usging HTTPS
- high: if preload is set without conditions
- medium: if max-age is to short
Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy (CSP)
Importance: HIGH
The Content Security Policy is sent along with the HTTP response header and tells the browser which resources may be loaded. The main purpose of CSP is to prevent cross-site scripting (XSS) and other injections by blocking the execution of unwanted code.
CSP should be set for all requests, not just for the home page.
Recommendation:
- includes frame-ancestors
Risks:
- high: Header is missing
- medium: Includes unsafe-inline / unsafe-eval
The most important information:
- default-src 'self': Defined that resources (e.g., scripts, CSS, images, etc.) may only be loaded from the same domain.
- script-src 'self': Only JavaScript from the same domain is permitted.
- style-src 'self': Allows CSS files to be loaded only from the same domain
- img-src 'self': Only allows images to be loaded from the same domain
- connect-src 'self': Applies to XMLHttpRequests (Ajax), so that requests may only be made to the same domain here.
- object-src 'none': Prevents objects such as Flash files from loading
- frame-ancestors 'none': Prevents the website from being embedded in an <iframe> by other pages, which protects against clickjacking.
Example:
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none';
X-Content-Type-Options
Importance: Medium
Setting this header blocks changes to MIME types. If the header is set to “nosniff,” a request is blocked if the request is a stylesheet but the MIME type is not text/css, or if the request is a script and the MIME type is not a JavaScript MIME type.
The header only applies to requests from “script” and “style.”
Recommendation:
- Define nosniff
Risk:
- Medium: If nosniff is missing
Example:
X-Content-Type-Options: nosniff
Referrer-Policy
Importance: Medium
The Referrer Policy determines what information about the origin of a page (the so-called Referrer) is passed on to other websites. For example, if a user opens a link from your website to another website, the browser can send the original URL along with the referrer. With the right referrer policy, you can determine whether this information is transferred completely, only partially, or not at all – thus protecting sensitive data in URLs from unnecessary disclosure.
Recommendation:
- Referrer-Policy: strict-origin-when-cross-origin
Risk:
- medium: if Header is missing
- medium: if unsafe-url or no-referrer-when-downgrade
Example:
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options
Importance: Medium
The X-Frame-Options header is rather outdated and is now replaced by the CSP frame-ancestors specification. Basically, this header can be used to specify whether the page may be displayed in an <iframe>, <frame>, <object> or <embed> or not. With the specification “SAMEORIGIN”, external domains are not allowed to display the page in a frame.
The specification via an HTML meta tag has no effect here, as only the specification via the HTTP header is enforced with the X-Frame-Options header.
Recommendation:
- X-Frame-Options: SAMEORIGIN
Risk:
- Medium: If no X-Frame-Options is set and CSP is missing
Example:
X-Frame-Options: SAMEORIGIN
Permissions-Policy
Importance: Low
This HTTP security header can be used to allow or prohibit browser features.
Recommendation:
- Preferably restrictive, without wildcards (*).
Risk:
- Low: If the header is missing
Example:
Permissions-Policy: geolocation=()
COOP (Cross-Origin-Opener-Policy) / CORP (Cross-Origin-Resource-Policy) / COEP (Cross-Origin-Embedder-Policy)
Importance: Low
These headers can be used to specify that no cross-origin or cross-site requests may be made on the page. This means that you can prevent elements from being loaded from another domain.
Recommendation:
- Set to same-site or same-origin
Risk:
- Low: If Header is missing
Examples:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: same-origin
CORS (Cross-Origin Resource Sharing)
Importance: Low
Normally, the Same Origin Policy (SOP) prohibits access from one website to resources on other servers. This means that it is not normally possible to load content from domain1.com to domain2.com using XMLHttpRequest, AJAX, or the JavaScript Fetch API. By setting the CORS header, domains can be specified that are allowed access, or wildcards can be assigned to allow all domains.
Example:
Access-Control-Allow-Origin: domain1.com
Server
Wichtigkeit: Mittel
The disclosure of server information via HTTP Headers should be avoided. Especially if you are using outdated servers and do not perform regular updates, you should never disclose any information about the version.
Risk:
- Low/Medium: Depending on the details provided
Recommendation:
- Leave the header out or empty it
Example (bad example):
Server: Apache/2.4.1 (Unix)
X-Powered-By
Importance: Medium
PHP versions are often displayed here, which can be a risk if these versions are very outdated.
Risk:
- Low/Medium: Depending on the details provided
Recommendation:
- Omit the header or leave it blank
Example (bad example):
X-Powered-By: PHP 8.1.33
Does SYSSY check the security headers?
SYSSY checks the HTTP Security Headers of the home page and lists them with a traffic light rating system. Red if there are problems, orange if they are not optimal, and green if everything is OK. This gives you a constant overview of all your websites and their Security Headers.
![[Translate to English:] Ingrid Stürmer](/fileadmin/_processed_/4/2/csm_pixelstuermer_square_700_fd7c08d6e6.jpg){kind=tracking}
Get support with website management
Want help with website management?
SYSSY works for you in the background!
