If you develop and deploy web applications then security is on your mind. When I want to understand a web security topic I go to OWASP.org, a community dedicated to enabling the world to create trustworthy web applications.
One of my favorite OWASP wiki pages is the list of useful HTTP headers. This page lists a few HTTP headers which, when added to the HTTP responses of an app, enhance its security practically for free. Let’s examine the list…
These headers can be added without concern that they affect application behavior:
Forces the enabling of cross-site scripting protection in the browser (useful when the protection may have been disabled)
Prevents browsers from treating a response differently than the Content-Type header indicates
These headers may need some consideration before implementing:
Helps avoid *-in-the-middle attacks using forged certificates
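As an added example (not code from the post or from OWASP), here is a small WSGI middleware that sets the three headers described above, plus an audit helper that reports which are missing from a response. The two "safe" headers are added unconditionally; HSTS is only sent on HTTPS responses, which is the consideration the list warns about. The header names are the standard ones OWASP lists; the HSTS max-age value and the demo app are assumptions.

```python
# Added example: set and audit the headers the post describes.
from wsgiref.headers import Headers

# Safe to add unconditionally: they do not change application behaviour.
ALWAYS = {
    "X-Content-Type-Options": "nosniff",   # stop MIME sniffing of responses
    "X-XSS-Protection": "1; mode=block",    # (re)enable the browser XSS filter
}
# Needs consideration: HSTS pins the origin to HTTPS for max-age seconds,
# so send it only on HTTPS responses and with a deliberate lifetime (assumed value).
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def security_headers(app):
    """Wrap a WSGI app so every response carries the recommended headers."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            h = Headers(headers)               # edits the header list in place
            for name, value in ALWAYS.items():
                if name not in h:              # keep any explicit app choice
                    h[name] = value
            if environ.get("wsgi.url_scheme") == "https" and HSTS[0] not in h:
                h[HSTS[0]] = HSTS[1]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped

def audit(headers, https=True):
    """Return the recommended headers missing from a response's header list."""
    present = {k.lower() for k, _ in headers}
    missing = [n for n in ALWAYS if n.lower() not in present]
    if https and HSTS[0].lower() not in present:
        missing.append(HSTS[0])
    return missing

def _demo_app(environ, start_response):
    # Constructed sample app: a bare response with no security headers.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>hello</p>"]

def respond(scheme="https"):
    """Run the wrapped demo app and return the response headers it sent."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(security_headers(_demo_app)({"wsgi.url_scheme": scheme}, start_response))
    return captured
```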