Modern browsers have built-in security features that respond to specific headers in HTTP responses.
While these headers are relatively easy to enable and use, they provide significant security by instructing browsers to adhere to certain security rules. In this post, we’ll detail ways to use security headers to protect yourself and your users.
Use headers to improve security
Over the years, browsers have implemented headers suited for various tasks, including defense against attacks. Here are some of the headers you can set from your application to help protect sensitive data and keep your websites secure.
Prevent access to sensitive information with headers
You can use security headers to prevent attackers from gaining access to sensitive or confidential information. One powerful attack, SSL stripping, was first presented by Moxie Marlinspike at Black Hat 2009.
SSL Stripping is a type of man-in-the-middle attack in which HTTPS requests are stripped back down to HTTP so that the attacker can see and capture sensitive information such as passwords and credit card numbers. You can block this attack using the HTTP Strict Transport Security (HSTS) header.
Protect against clickjacking
Another attack uses iframes in a form of clickjacking. By embedding the content of a web page into another website, a user’s click can be hijacked. The X-Frame-Options header is just one of several ways to defend against clickjacking.
Cross-site scripting defense
One of the most famous types of injection attack is cross-site scripting (XSS), in which malicious scripts are added to trusted websites. There are two important headers to know about for defense against XSS attacks:
- The X-XSS-Protection header instructs the browser to turn on its built-in protection against XSS
- The Content-Security-Policy (CSP) header prevents and reports XSS attacks by specifying the domains from which a page is allowed to load content.
Defend against information leakage
There are a couple ways to prevent accidental information leakage with headers:
- The Referrer-Policy header prevents leakage of sensitive information through the Referer header to third-party websites by controlling what information is sent while making HTTP requests.
- The Cache-Control header tells browsers what data to cache and for how long. This helps both performance and security by allowing the server to instruct the browser to cache public, private, and sensitive information in different ways. For more information, see Mozilla’s Cache-Control page.
Specify content types and behavior
If you want to ensure expected behavior and force the browser to adhere to specified content types, there are two more headers to know about:
- The Feature-Policy header is fairly new and instructs the browser to selectively enable or disable various browser features and APIs for use on the website. The aim is to lock down applications to prevent execution of content that might introduce unwanted or unexpected behaviors.
- The X-Content-Type-Options header restricts the browser from trying to guess the content type of the response, forcing the browser to adhere to what is specified in the Content-Type header. This helps prevent content sniffing, which can transform non-executable MIME types into executable MIME types.
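As an added example (not code from the original post), the following Python audit checks a set of response headers against the protections described in the sections above: the HSTS lifetime and includeSubDomains, framing restrictions, the script sources a CSP allows, nosniff, Referrer-Policy, and no-store caching on sensitive pages. The one-year HSTS threshold and the two sample header sets are constructed assumptions, not values from the post.

```python
"""Audit HTTP response headers against the protections described above.

Added example, not code from the original post. The threshold and the two
sample responses are constructed assumptions for illustration.
"""

# Assumed minimum HSTS lifetime: one year in seconds.
HSTS_MIN_MAX_AGE = 31_536_000


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_directives(value, sep=";"):
    """Split 'a=1; b' (or comma-separated Cache-Control) into {name: argument}."""
    out = {}
    for part in value.split(sep):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def parse_csp(value):
    """Split a Content-Security-Policy into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers, sensitive=False):
    """Return findings; an empty list means every check passed.
    `sensitive` marks a response carrying private data, for which caching
    must be disabled outright."""
    findings = []

    # HSTS: counters SSL stripping by pinning the browser to HTTPS.
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing (SSL stripping possible)")
    else:
        d = parse_directives(hsts)
        if int(d.get("max-age") or 0) < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # Clickjacking: X-Frame-Options or CSP frame-ancestors must restrict framing.
    csp = parse_csp(get_header(headers, "Content-Security-Policy") or "")
    xfo = (get_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Framing not restricted (no X-Frame-Options or frame-ancestors)")

    # XSS: a CSP that allows inline or wildcard script sources is no defence.
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("Content-Security-Policy allows inline or wildcard scripts")

    # MIME sniffing.
    if (get_header(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Referrer leakage.
    if get_header(headers, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing (full URL may leak in Referer)")

    # Caching of private data (Cache-Control directives are comma-separated).
    cache = parse_directives(get_header(headers, "Cache-Control") or "", sep=",")
    if sensitive and "no-store" not in cache:
        findings.append("Cache-Control lacks no-store on a sensitive response")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Cache-Control": "public, max-age=3600",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs, sensitive=True) or ["ok"])
```

Run against the weak sample the audit reports seven findings; the hardened sample reports none. Note that the CSP check falls back to default-src when script-src is absent, mirroring how browsers resolve the directive.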
Adding headers to your server response
You can add these custom headers to your server response to help keep your websites secure. The configuration procedure is different for different servers. For example:
- On Apache, use the Header set directive in the .htaccess file
- Compile Nginx with NginxHttpHeadersModule and use add_header in nginx.conf
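When the headers are easier to set from the application than from the web server's configuration, middleware can add them to every response. This is an added Python example, not code from the post or from Twilio: the header values it carries are assumed baseline settings, and the inner application and the request driver are constructed for the demonstration.

```python
"""WSGI middleware that adds security headers to every response.

Added example, not code from the original post or from Twilio. The header
values are assumptions chosen for illustration; set them per application.
"""
from wsgiref.util import setup_testing_defaults

# Assumed baseline values; Twilio's recommended settings are in the linked doc.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Feature-Policy", "camera 'none'; microphone 'none'; geolocation 'none'"),
    ("Cache-Control", "no-store"),
]


def security_headers_middleware(app, headers=SECURITY_HEADERS):
    """Wrap a WSGI app so each response carries the configured headers.

    A header the inner app already set wins, so a view can still relax one
    (e.g. Cache-Control on a public asset) without the middleware overriding it.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            merged = list(response_headers) + [
                (name, value) for name, value in headers if name.lower() not in present
            ]
            return start_response(status, merged, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed inner application: a public page that opts into short caching."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=60")])
    return [b"hello"]


def run_request(app, path="/"):
    """Drive a WSGI app with a constructed environ; no network is involved.
    Returns (status, headers as a dict, body bytes)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, hdrs, body = run_request(security_headers_middleware(demo_app))
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The merge rule is deliberate: the middleware supplies a strict default for every header, while the application's own value takes precedence where a specific response needs something different, so the example above keeps demo_app's Cache-Control rather than replacing it with no-store.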
Better security through headers
These are just a few ways to easily improve security on your web pages by using headers. There is much more to explore, but these tips are a good start to protect yourself and your users.
For more information about Twilio’s recommended settings for these headers, see https://www.twilio.com/docs/usage/security/use-headers-to-improve-security. Also read our overview on responsible Header usage.
Yash is a Senior Security Engineer at Twilio, previously at Box. He has worked in security for over half a decade in a variety of roles – everything from consulting to enterprise product security teams. He takes pleasure in containerizing and automating all things, sharing knowledge at conferences, and hiking. Yash can be reached at ykosaraju [at] twilio.com.