How to Use HTTP response header fields to improve Web security?

Source: Internet
Author: User

A Web server can include a number of response header fields that tell the browser to apply extra protections to the page. The fields below are the ones most commonly used for that purpose, with the values that are usually recommended.

X-Frame-Options

This response header controls whether the browser may render the page inside a frame, iframe, embed or object element. It is mainly used to prevent Clickjacking attacks, in which the target page is loaded invisibly in a frame over a decoy page so that the user's clicks land on it.

X-Frame-Options: SAMEORIGIN

DENY: the page may not be displayed in a frame at all, not even by pages of the same website.
SAMEORIGIN: the page may be displayed in a frame only by pages of the same origin; framing by other websites is refused.
ALLOW-FROM origin_uri: the page may be displayed in a frame only by the specified origin. This directive is obsolete and modern browsers ignore it (some ignore the whole header when they see it); to allow specific origins, use the frame-ancestors directive of Content-Security-Policy instead.

X-Content-Type-Options

The value nosniff tells the browser not to guess ("sniff") the type of a response from its content but to trust the Content-Type header only. In particular, a response is not executed as a script or applied as a stylesheet unless its declared MIME type matches. This blocks a class of XSS in which an attacker gets a file with a harmless declared type (such as an uploaded image or text file) interpreted as JavaScript.

X-Content-Type-Options: nosniff
X-XSS-Protection

Enables the reflected-XSS filter built into older browsers (Internet Explorer, the original Edge and Chrome before version 78).

X-XSS-Protection: 1; mode=block

0: disable the XSS filter.
1: enable the XSS filter; the browser removes the part of the page it considers an attack and renders the rest.
1; mode=block: enable the filter and refuse to render the page at all when an attack is detected. Prefer this to plain 1, because the filter's rewriting mode has itself been abused to break pages and leak their content.

Current browsers (Chrome since version 78, Firefox, Chromium-based Edge) ignore this header, so do not rely on it; Content-Security-Policy is the replacement.

Content-Security-Policy

It tells the browser which sources of scripts, stylesheets, images, frames and other resources are trusted and blocks loading from any other source. It is used to prevent XSS and data injection attacks (if the policy is set too tightly, however, legitimate scripts on the website, inline scripts in particular, stop running; deploy the policy with Content-Security-Policy-Report-Only first to see what it would block).

The earlier, pre-standard field name was X-Content-Security-Policy.

Content-Security-Policy: default-src 'self'

default-src 'self': allow content only from the same origin (scheme + host + port).
default-src 'self' *.example.com: allow content from the same origin and from any subdomain of example.com.

A policy is a semicolon-separated list of directives; script-src, style-src, img-src and so on override default-src for one resource type, and frame-ancestors controls who may frame the page (replacing X-Frame-Options). Do not add * or 'unsafe-inline' to script-src: either one re-opens the XSS hole the policy is meant to close.

X-Permitted-Cross-Domain-Policies

Tells Adobe Flash Player and Acrobat whether they may honour cross-domain policy files (crossdomain.xml) on this website other than the master file at the site root. Such a policy file grants Flash content loaded from another domain the right to read this site's data, so a file that a user manages to upload and that parses as a policy file would otherwise open the site to cross-domain reads.

X-Permitted-Cross-Domain-Policies: master-only

master-only: only the master policy file (/crossdomain.xml) is honoured; policy files at any other path are ignored.
none: no policy file is honoured at all, which is the right setting for a website that serves no Flash content.

Strict-Transport-Security

It tells the browser that the website must only be accessed over HTTPS. Once a browser has seen the header, it rewrites later http:// requests for the host to https:// by itself before sending them, so no plain-HTTP request is made even if the user types http:// or follows an old link; this defeats SSL-stripping attacks. Browsers only honour the header when it arrives over a valid HTTPS connection, so the usual setup is that the HTTP site redirects to HTTPS and the HTTPS site sends the header.

Strict-Transport-Security: max-age=31536000; includeSubDomains

max-age sets, in seconds, how long the browser remembers the policy; 31536000 is one year, the value generally recommended (a few hours is useless, since the policy expires before the next visit). includeSubDomains applies the policy to all subdomains as well; check that every subdomain really serves HTTPS before adding it, because the browser will refuse to load any plain-HTTP subdomain for the whole max-age.

CORS-related fields such as Access-Control-Allow-Origin

These are used when a page fetches a resource from another origin with XMLHttpRequest or fetch; the browser only lets the page read the response if the server's headers permit that page's origin.

Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-TRICORDER
Access-Control-Max-Age: 172800

The headers above permit cross-origin requests from http://www.example.com, allow the POST, GET and OPTIONS methods, allow the request to carry the custom X-TRICORDER header, and let the browser cache the result of the preflight (OPTIONS) check for 172,800 seconds (48 hours). Access-Control-Allow-Origin should name a specific trusted origin or be chosen from an allowlist; copying whatever Origin the request carries into it, especially together with Access-Control-Allow-Credentials: true, lets any website read the response with the user's cookies.
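The following is an added example (Python) of the server side of the exchange just described, not code from the original article: it decides the CORS headers for a request from an allowlist of origins and answers a preflight. The allowlist, the permitted methods and headers and the 172800-second cache mirror the snippet above; the sample requests at the bottom are constructed.

```python
"""Build the CORS response headers for a request from an allowlist of origins.

Added example (Python), not code from the original article. The allowlist, the permitted
methods and headers, and the 172800-second preflight cache mirror the values in the snippet
above; the sample requests at the bottom are constructed.
"""
from typing import Dict

ALLOWED_ORIGINS = {"http://www.example.com", "https://app.example.com"}  # constructed allowlist
ALLOWED_METHODS = ("POST", "GET", "OPTIONS")
ALLOWED_HEADERS = ("X-TRICORDER",)
PREFLIGHT_MAX_AGE = 172800  # seconds (48 hours) the browser may cache a preflight result


def cors_headers(request_headers: Dict[str, str], method: str) -> Dict[str, str]:
    """Return the CORS headers to add to the response, or {} when the request is not allowed.

    The Origin value is looked up in the allowlist and only then echoed back. Echoing an
    arbitrary Origin (especially together with Access-Control-Allow-Credentials: true) would
    let any site read the response with the victim's cookies.
    """
    req = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = req.get("origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # same-origin request, or an origin we do not trust: no CORS headers at all

    # Vary: Origin stops a shared cache from replaying one origin's ACAO to another origin.
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    # A preflight is an OPTIONS request announcing the method (and custom headers) of the real request.
    if method.upper() == "OPTIONS" and "access-control-request-method" in req:
        wanted_method = req["access-control-request-method"].upper()
        wanted_headers = [x.strip().lower()
                          for x in req.get("access-control-request-headers", "").split(",") if x.strip()]
        permitted = {x.lower() for x in ALLOWED_HEADERS}
        if wanted_method not in ALLOWED_METHODS or any(x not in permitted for x in wanted_headers):
            return {}  # without Access-Control-Allow-* the browser fails the preflight and never sends the request
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return out


# Constructed requests, as a browser would send them.
PREFLIGHT = {
    "Origin": "http://www.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "X-TRICORDER",
}
SIMPLE_GET = {"Origin": "http://www.example.com"}
UNTRUSTED = {"Origin": "http://attacker.example.net"}

if __name__ == "__main__":
    for label, hdrs, m in (("preflight", PREFLIGHT, "OPTIONS"),
                           ("get", SIMPLE_GET, "GET"),
                           ("untrusted", UNTRUSTED, "GET")):
        print(label, cors_headers(hdrs, m))
```

Access-Control-Allow-Credentials is deliberately never set here; add it only for origins that need cookie-authenticated cross-origin calls, and never together with a wildcard or a reflected origin.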

How to set the HTTP Response Header

When the Apache HTTP Server is used, mod_headers must be loaded for the Header directive to be available; make sure the following line is active in httpd.conf.

LoadModule headers_module modules/mod_headers.so

Then set each response header as follows (in the server, virtual host, directory or .htaccess context).

Header set HeaderFieldName "value"
# For example:
Header set X-XSS-Protection "1; mode=block"

Note that Header set is not applied to error responses (a 404 page, for instance), which an attacker can target just as well as a normal page; add the always condition (Header always set, with the same arguments) to cover those too. After changing the configuration, check the headers the server actually returns, because a typo in a field name or value fails silently.
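As an added example (Python), not code from the original article, the following script checks a set of response headers against the settings recommended in the sections above (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy, X-Permitted-Cross-Domain-Policies and Strict-Transport-Security). The thresholds it applies (a one-year HSTS max-age, a CSP frame-ancestors directive accepted in place of X-Frame-Options) are this example's own choices, and the two sample responses are constructed, not captured from a real server; with a URL on the command line it fetches a live server's headers instead.

```python
"""Audit the security headers a server sends, against the settings described in this article.

Added example (Python), not code from the original article. The thresholds (a one-year
HSTS max-age, frame-ancestors accepted in place of X-Frame-Options) are this example's own
choices, and the sample responses at the bottom are constructed, not captured from a real server.
"""
import sys
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the smallest HSTS max-age this audit accepts


def _directives(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip()
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing header; an empty list means all checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    csp = h.get("content-security-policy", "")

    # Clickjacking: DENY/SAMEORIGIN, or a CSP frame-ancestors directive, must be present.
    xfo = h.get("x-frame-options", "").upper()
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options: ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors")
    elif xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options: missing (and no CSP frame-ancestors)")

    # MIME sniffing: nosniff is the only defined value.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Legacy XSS filter: plain '1' lets the filter rewrite the page instead of blocking it.
    xxp = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xxp.startswith("1") and "mode=block" not in xxp:
        findings.append("X-XSS-Protection: use '1; mode=block' (or 0 and rely on CSP)")

    # CSP: script sources must be restricted, and must not include '*' or 'unsafe-inline'.
    if not csp:
        findings.append("Content-Security-Policy: missing")
    else:
        parsed: Dict[str, List[str]] = {}
        for d in csp.split(";"):
            tokens = d.split()
            if tokens:
                parsed[tokens[0].lower()] = tokens[1:]
        script_src = parsed.get("script-src", parsed.get("default-src"))
        if script_src is None:
            findings.append("Content-Security-Policy: neither default-src nor script-src set")
        elif "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy: script sources allow * or 'unsafe-inline'")

    # Flash/Acrobat policy files: none (no Flash content) or master-only.
    if h.get("x-permitted-cross-domain-policies", "").lower() not in ("none", "master-only"):
        findings.append("X-Permitted-Cross-Domain-Policies: set to none or master-only")

    # HSTS: at least one year, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        d = _directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security: max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security: includeSubDomains missing")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a live server's response headers with a HEAD request (needs network; unused by the samples)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses: one as a misconfigured server might send, one as recommended above.
WEAK = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example.com",
    "X-XSS-Protection": "1",
    "Content-Security-Policy": "default-src *",
    "Strict-Transport-Security": "max-age=31536",  # under nine hours
}
HARDENED = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    # Usage: python audit_headers.py https://your-site.example  (use https:// URLs; HSTS is only sent over TLS)
    if len(sys.argv) > 1:
        targets = {sys.argv[1]: fetch_headers(sys.argv[1])}
    else:
        targets = {"weak": WEAK, "hardened": HARDENED}
    for name, hdrs in targets.items():
        print(name + ":", *(audit_headers(hdrs) or ["all checks passed"]), sep="\n  ")
```

Run it against the HTTPS origin after every configuration change; the WEAK sample reproduces the typical mistakes (an obsolete ALLOW-FROM, a wildcard CSP, an HSTS lifetime of hours) so the output shows what a finding looks like before a real server is checked.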

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
