Snippet #7: OWASP Useful HTTP Headers

If you develop and deploy web applications then security is on your mind.  When I want to understand a web security topic I go to OWASP.org, a community dedicated to enabling the world to create trustworthy web applications.

One of my favorite OWASP wiki pages is the list of useful HTTP headers. This page lists a few HTTP headers which, when added to the HTTP responses of an app, enhances its security practically for free. Let’s examine the list…

These headers can be added without concern that they affect application behavior:

• X-XSS-Protection
  • Forces the enabling of cross-site scripting protection in the browser (useful when the protection may have been disabled)
• X-Content-Type-Options
  • Prevents browsers from treating a response differently than the Content-Type header indicates

These headers may need some consideration before implementing:

• Public-Key-Pins
  • Helps avoid *-in-the-middle attacks using forged certificates
• Strict-Transport-Security
  • Enforces the used of HTTPS in your application, covered in some depth by Andrew Jenkins
• X-Frame-Options / Frame-Options
  • Used to avoid "clickjacking", but can break an application; usually you want this
• Content-Security-Policy / X-Content-Security-Policy / X-Webkit-CSP
  • Provides a policy for how the browser renders an app, aimed at avoiding XSS
• Content-Security-Policy-Report-Only
  • Similar to CSP above, but only reports, no enforcement

Here is a script that incorporates three of the above headers, which are generally safe to add to any application:

And that's it: About 20 lines of code to add 100 more bytes to the total HTTP response, and enhanced enhanced application security!  Go get your own FREE license and try it today!