HTTP Response Headers Context to Security

In a previous blog post we briefly discussed HTTP response headers. Let's look at them in more detail.

HTTP Strict Transport Security (HSTS) - Tells browsers to connect to the site only over HTTPS. It helps against downgrade attacks and cookie hijacking.

Public Key Pinning Extension for HTTP (HPKP) - Allows HTTPS websites to resist impersonation by attackers using misissued or fraudulent certificates. It helps against MITM attacks.

X-Frame-Options - Controls whether the site may be loaded inside a frame or iframe, which attackers can use to overlay the page and capture legitimate clicks for their own purpose. It helps against clickjacking attacks.

X-Content-Type-Options - Instructs browsers to use the content type declared by the web server and never to guess (sniff) the type on their own. It helps against MIME sniffing.

Content-Security-Policy (CSP) - An improvement over the older XSS Protection header that adds another layer of security. It helps against XSS attacks.

X-Permitted-Cross-Domain-Policies - Controls whether cross-domain clients (such as Adobe Flash and Acrobat) may load data from the site across multiple domains. The policy itself is a crossdomain.xml file saved in the web root directory.

Referrer-Policy - When a user clicks a link on one site (the origin) that takes them to another site (the destination), the destination site receives information about the origin the user came from. This header controls how much of that information is sent. It is optional but advised.

Expect-CT - Since October 2017, it tells the browser to always expect and enforce Certificate Transparency.

Feature-Policy - It allows developers to enable and disable the use of various browser features and APIs.
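To turn the list above into a check you can run against your own sites, here is an added example (not from the original post) that audits a captured set of response headers and reports which of these headers are missing or weakly configured. The sample headers, the one-year HSTS threshold and the function name are constructed for this example.

```python
import re

# Constructed sample: the headers a server might return for one page.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

HSTS_MIN_AGE = 31536000  # one year; a short max-age gives little protection


def audit_headers(headers):
    """Return a dict of header name -> finding for each missing or weak header."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing: downgrade and cookie hijacking remain possible"
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings["Strict-Transport-Security"] = f"max-age below {HSTS_MIN_AGE}s"

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "missing or not DENY/SAMEORIGIN: framing (clickjacking) allowed"

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing 'nosniff': MIME sniffing allowed"

    if "content-security-policy" not in h:
        findings["Content-Security-Policy"] = "missing: no CSP to contain XSS"

    if "referrer-policy" not in h:
        findings["Referrer-Policy"] = "missing: browser default referrer behaviour applies"

    if h.get("x-permitted-cross-domain-policies", "").lower() != "none":
        findings["X-Permitted-Cross-Domain-Policies"] = "not 'none': crossdomain.xml decides cross-domain access"

    return findings


if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {finding}")
```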
