How to Use HTTP response header fields to improve Web security?

Source: Internet
Author: User

How to Use HTTP response header fields to improve Web security?

Various response header fields that can be used in the HTTP response header to improve security when the Web server responds.

X-Frame-Options

The response header is used to control whether the page specified by frame or iframe is displayed in the browser. It is mainly used to prevent Clickjacking attacks.

X-Frame-Options: SAMEORIGIN  
DENY prohibits the display of pages in a frame (even pages on the same website). SAMEORIGIN allows the display of pages from the same website in a frame, prohibit the display of pages FROM other websites ALLOW-FROM origin_uri ALLOW the display of pages FROM the specified uri within the frame (used when the display of pages FROM the specified website is allowed) X-Content-Type-Options

If the MIME type of the file read from a script or stylesheet does not match the specified MIME type, the file cannot be read. It is used to prevent XSS and other cross-site scripting attacks.

X-Frame-Options: nosniff  
X-XSS-Protection

Enables the XSS filter function of the browser to prevent XSS cross-site scripting attacks.

X-XSS-Protection: 1; mode=block  
0 disable XSS filter function 1 enable XSS filter function Content-Security-Policy

It is used to control whether external resources are read when they are untrusted. It is used to prevent XSS cross-site scripting attacks or data injection attacks (however, if improperly set, some script code on the website may be invalid ).

The previous field name is X-Content-Security-Policy.

Content-Security-Policy: default-src 'self'  
Default-src 'self ': allows you to read all content from the same source (domain name + host + port number). default-src 'self' * .example.com: allow reading all content from the specified Domain name and all its subdomains X-Permitted-Cross-Domain-Policies

Used to specify when "crossdomain. xml "file (when you need to read Flash content from a file in another domain name, it is used for the policy file that needs to be set) the alternative policy adopted when placed in the website root directory and other fields.

X-Permitted-Cross-Domain-Policies: master-only  
Master-only allows the use of master policy files (/crossdomain. xml) Strict-Transport-Security

It is used to notify the browser that only the HTTPS protocol can be used to access the website. Used to redirect an HTTP website to an HTTPS website.

Strict-Transport-Security: max-age=31536; includeSubDomains  
Max-age is used to modify the default Validity Period of STS. IncludeSubDomains is used to specify that all sub-domain names use the same policy. CORS-related fields such as Access-Control-Allow-Origin

It is used when XMLHttpRequest is used to obtain resources from other domain names for Cross-Domain Communication.

Access-Control-Allow-Origin: http://www.example.com  Access-Control-Allow-Methods: POST, GET, OPTIONS  Access-Control-Allow-Headers: X-TRICORDER  Access-Control-Max-Age: 1728  

The code above is used to set cross-domain communication processing with the http://www.example.com, allowing the POST, GET, OPTIONS method to be used to add X-TRICORDER fields to the request header sent with a communication timeout of 1,728, 00 seconds.

How to set the HTTP Response Header

When specifying a response header in the Apache server, you must set the following modules to a valid state in the httpd. conf file.

LoadModule headers_module modules/mod_headers.so

Set the HTTP Response Header as follows.

Header set HeaderFieldName "value" // For example, Header set X-XSS-Protection "1; mode = block"

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.