Question
What are the safe default values for security-related HTTP headers?
Answer
Some of the common security-related HTTP headers are:
- X-Frame-Options
- X-Content-Type-Options
- Content-Security-Policy
- Referrer-Policy
These HTTP headers can activate browser mechanisms to protect visitors against attacks like cross-site scripting (XSS) or framing.
To set up the aforementioned headers, add the following additional directives to the Domains > example.com > Hosting & DNS > Apache & nginx Settings > Additional directives for HTTP and Domains > example.com > Hosting & DNS > Apache & nginx Settings > Additional directives for HTTPS fields:
The safe defaults for these headers are as follows:
header set X-Frame-Options DENY
header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "frame-ancestors 'none';"
header set Referrer-Policy no-referrer
X-Frame-Options HTTP header lets web browsers know whether website is allowed to be framed or not. Prevention of framing defends visitors against attacks like clickjacking.
X-Content-Type-Options HTTP header lets web browsers know that they must not do 'MIME type sniffing' and always follow the Content-Type as declared by the web server. The only valid value for this HTTP header is nosniff. When enabled, a browser will block requests for stylesheets and scripts when they do not have a corresponding Content-Type (i.e. text/css or a 'JavaScript MIME type' like application/javascript).
Content-Security-Policy (CSP) protects a website against cross-site scripting (XSS) attacks. By whitelisting sources of approved content with CSP, browsers are prevented from loading malicious content of attackers. Use frame-ancestors to prevent the webpage from being loaded into a frame.
Referrer-Policy HTTP header lets browsers know which referrer information, that is sent in the Referrer header, should be part of the website request. The Referrer header contains the address of the previous web page from which the visitor followed a link to the requested page. The information in the Referrer header is mostly used for analytics and logging. However, there can be privacy and security risks. The information could be used e.g. for user tracking and the information could leak to third parties who eavesdrop the connection. These risks can be mitigated with the Referrer-Policy mechanism.