How to Use HTTP response header fields to improve Web security?
This article covers the response header fields a Web server can send to improve security in the browser, and how to set them in Apache.
X-Frame-Options
This header controls whether the browser may render the page inside a frame or iframe. It is mainly used to prevent clickjacking attacks.
X-Frame-Options: SAMEORIGIN
DENY prohibits displaying the page in a frame (even on pages of the same website).
SAMEORIGIN allows the page to be framed by pages of the same origin and prohibits framing by other websites.
ALLOW-FROM origin_uri allows the page to be framed only by the specified URI. This value is obsolete and is ignored by current browsers; use the Content-Security-Policy frame-ancestors directive instead when a specific third-party site must be allowed to frame the page.
X-Content-Type-Options
This header tells the browser not to guess ("sniff") the MIME type of a response. If a file loaded as a script or stylesheet does not carry the matching Content-Type, the browser refuses to execute or apply it. It prevents attacks in which an uploaded file of another type is interpreted as script, which is one route to XSS.
X-Content-Type-Options: nosniff
X-XSS-Protection
Enables the browser's built-in XSS filter to block reflected XSS cross-site scripting attacks.
X-XSS-Protection: 1; mode=block
0 disables the XSS filter. 1 enables it; with mode=block the browser blocks the whole page instead of trying to sanitize it. Note that this filter has been removed from current browsers and the header has no effect there; Content-Security-Policy is the supported replacement.
Content-Security-Policy
This header tells the browser which sources it may load resources from (scripts, styles, images, frames, and so on), so that untrusted external resources are not loaded. It is used to prevent XSS cross-site scripting and data injection attacks (however, if set improperly, some of the website's own script code, inline scripts in particular, will be blocked).
The previous field name is X-Content-Security-Policy.
Content-Security-Policy: default-src 'self'
default-src 'self': allows all resource types to be loaded only from the same origin (scheme + host + port number).
default-src 'self' *.example.com: allows loading from the same origin and from the specified domain name and all its subdomains.
X-Permitted-Cross-Domain-Policies
Controls whether Flash and Acrobat clients may load cross-domain policy files from this site. Such a policy file (crossdomain.xml, placed in the website root directory) is consulted when Flash content on another domain wants to read data from this site; this header restricts which policy files are honored.
X-Permitted-Cross-Domain-Policies: master-only
master-only allows only the master policy file (/crossdomain.xml) to be used; policy files in other directories are ignored. Use none to forbid cross-domain policy files entirely.
Strict-Transport-Security
This header tells the browser that the website may only be accessed over HTTPS. Once a browser has seen it, it rewrites later http:// requests for the site to https:// before sending them, so no plaintext request and no server-side redirect is needed. The header is only honored when received over HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age sets how long, in seconds, the browser remembers the policy (31536000 seconds is one year). includeSubDomains applies the same policy to all subdomains.
CORS-related fields such as Access-Control-Allow-Origin
These headers are used when a page uses XMLHttpRequest (or fetch) to read resources from another origin, that is, for cross-origin communication.
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-TRICORDER
Access-Control-Max-Age: 172800
The headers above permit cross-origin requests from http://www.example.com, allow the POST, GET and OPTIONS methods, allow the request to carry an X-TRICORDER request header, and let the browser cache this preflight result for 172800 seconds. Access-Control-Allow-Origin should name specific trusted origins; do not echo back an arbitrary Origin value, and do not combine * with Access-Control-Allow-Credentials: true.
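As an added example (not code from the original article), the following Python audits a set of response headers against the advice above and builds a correct CORS response for one request Origin. The one-year HSTS threshold, the accepted X-Frame-Options values and the sample header sets are assumptions chosen to match the article; the allow-list origin http://www.example.com is the article's own example.

```python
"""Audit HTTP response headers against the recommendations above and build a
CORS response for a request Origin.  Added example; thresholds are assumptions."""
from typing import Dict, Iterable, List, Optional

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers match the article's advice."""
    findings: List[str] = []

    xfo = _get(headers, "X-Frame-Options")
    csp = _get(headers, "Content-Security-Policy")
    if xfo is None and (csp is None or "frame-ancestors" not in csp.lower()):
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"clickjacking: unsupported X-Frame-Options value {xfo!r} (ALLOW-FROM is obsolete)")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("mime sniffing: X-Content-Type-Options is not 'nosniff'")

    if csp is None:
        findings.append("xss: no Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent
        script_sources = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("xss: CSP allows 'unsafe-inline' scripts")

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("transport: no Strict-Transport-Security")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"transport: HSTS max-age {max_age} is below one year ({ONE_YEAR})")

    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = _get(headers, "Access-Control-Allow-Credentials")
    if acao == "*" and acac is not None and acac.lower() == "true":
        findings.append("cors: wildcard Access-Control-Allow-Origin combined with credentials")
    return findings


def cors_headers(request_origin: Optional[str], allowed_origins: Iterable[str]) -> Dict[str, str]:
    """Build CORS headers for one request: echo the Origin only on an exact
    allow-list match, never reflect arbitrary origins, and add Vary: Origin so
    shared caches do not serve one origin's response to another."""
    if request_origin is None or request_origin not in set(allowed_origins):
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
        "Access-Control-Allow-Headers": "X-TRICORDER",
        "Access-Control-Max-Age": "172800",
    }


# Constructed sample header sets (not captured from a real server).
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for finding in audit_security_headers(WEAK_HEADERS):
        print("weak:", finding)
    print("hardened findings:", audit_security_headers(HARDENED_HEADERS))
    print(cors_headers("http://www.example.com", ["http://www.example.com"]))
```

Run against the weak set, the audit reports the obsolete ALLOW-FROM value, the missing nosniff, the inline-script allowance, the short HSTS lifetime and the wildcard-with-credentials CORS combination; the hardened set produces no findings.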
How to set the HTTP Response Header
To set response headers on an Apache server, the headers module must first be enabled in httpd.conf:
LoadModule headers_module modules/mod_headers.so
Then set a response header with the Header directive (the "always" condition also applies it to error responses):
Header set HeaderFieldName "value"
# For example:
Header always set X-XSS-Protection "1; mode=block"
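As an added example (not from the original article), the following mod_headers block sets the fields discussed above in one place. It belongs in the HTTPS virtual host, since browsers ignore Strict-Transport-Security received over plain HTTP; X-XSS-Protection is left out because current browsers no longer implement the filter. The origin http://www.example.com is the article's own CORS example.

```apache
# Added example: security response headers for Apache 2.4 with mod_headers.
# Place inside the <VirtualHost *:443> block that serves the site over HTTPS.
<IfModule mod_headers.c>
    # Clickjacking: same-origin framing only, stated both ways for old and new browsers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"

    # Stop MIME sniffing of scripts and stylesheets
    Header always set X-Content-Type-Options "nosniff"

    # Only honor the master Flash/Acrobat policy file, if any
    Header always set X-Permitted-Cross-Domain-Policies "master-only"

    # One year of HSTS for this host and all subdomains
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # CORS for a single trusted origin (never "*" together with credentials)
    Header always set Access-Control-Allow-Origin "http://www.example.com"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
    Header always set Access-Control-Allow-Headers "X-TRICORDER"
    Header always set Access-Control-Max-Age "172800"
    Header always set Vary "Origin"
</IfModule>
```

After editing, run apachectl configtest before reloading, and confirm the headers are actually emitted with curl -I https://your-host/ (replace the host name with your own).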