Some security-related HTTP response headers

Source: Internet
Author: User
Tags http strict transport security

modern browsers provide a number of security-related response headers, which generally require only modification of the server configuration, without the need to modify the program code, and at a low cost. This article describes some of these response headers: 1. strict-transport-security

HTTP Strict Transport Security, referred to as hsts. It allows an HTTPS web site that requires the browser to always access it via HTTPS. At this stage, this response header is supported in addition to the Chrome browser, firefox4+, and the noscript extension of Firefox.

We know that HTTPS has better security relative to HTTP, and many HTTPS websites can be accessed via HTTP. A developer's mistake or the user's active input address can lead to a user accessing the site in HTTP, which reduces security. In general, we will address this issue by sending a 301/302 redirect via Web server. Now with the HSTs, you can let the browser help you do this jump, save an HTTP request.

To use HSTs, simply add the following line to your HTTPS site's response header:


strict-transport-security:max-age=16070400; The Includesubdomains includesubdomains is optional and is used to specify whether to work with subdomains. Browsers that support HSTs encounter this response header, will add the current Web site to the HSTs list, and then in the max-age specified number of seconds, all requests to the current site will be redirected to HTTPS. Redirects to the https://address, even if the user actively enters http://or does not enter the protocol portion. Chrome has a built-in hsts list that includes Google, Paypal, Twitter, Linode and more. We can also enter the chrome://net-internals/#hsts in Chrome and go to the HSTs admin interface. On this page, you can add/delete/query HSTs records. For example, you want to always use HTTPS to access a URL, through the "add Domain" plus go.
to see a list of all the hsts that are built into chrome, or if you want to add your own website to this list,Point here. 2. X-frame-options

X-frame-options, has become a positive frame-options, but at this stage is best to use X-ray. chrome4+, firefox3.6.9+, ie8+ are supported, detailed browser support situation see here. Use the following methods:


X-frame-options:sameorigin This response header supports three configurations:
    • DENY: Not allowed to be embedded in any page;
    • Sameorigin: Not allowed to be embedded in a page other than this domain;
    • Allow-from URI: Does not allow a page to be embedded outside the specified domain name (chrome is not supported at this stage);

If a page is embedded in a page that is not allowed in <iframe> or <frame>, ie displays a message similar to "This content cannot be displayed in the frame," and Chrome and Firefox will print information in the console. Because the embedded page does not load, this reduces the occurrence of click Hijacking (Clickjacking).

3. X-xss-protection

As the name implies, this response head is used to protect against XSS. I saw this early in the article introducing IE8, which is now supported by mainstream browsers, and the default is to turn on XSS protection, which can be turned off with this header. It has several configurations:

    • 0: Disable XSS protection;
    • 1: Enable XSS protection;
    • 1; Mode=block: Enable XSS protection and, when checking for XSS attacks, stop rendering the page (for example, in IE8, the entire page is replaced by a # when the attack is checked);

The browser provides the XSS protection mechanism is not perfect, but can still improve the attack difficulty, in short, there is no special reason, do not close it.

4. X-content-type-options

There are various types of resources on the Internet, and browsers usually distinguish their types based on the Content-type field of the response header. For example: "Text/html" represents an HTML document, "Image/png" is a PNG image, and "Text/css" is a CSS style document. However, the content-type of some resources are either wrong or undefined. At this point, some browsers enable mime-sniffing to guess the type of the resource, parse the content, and execute it.

For example, even if we specify Content-type as "Text/plain" for an HTML document, the document will still be parsed as HTML in ie8-. Using this feature of the browser, an attacker could even make a request that should have been parsed as a picture parsed into JavaScript. You can disable the browser's type guessing behavior by following this response header:
X-content-type-options:nosniff
The value of this response header can only be nosniff. In addition, it is also used by chrome for extended downloads, see here


5. X-content-security-policy

This response header is primarily used to define what resources the page can load and reduce the occurrence of XSS. Previously introduced separately, please click Continue to browse: Content Security Policy Introduction.

How do people use

Finally, let's take a look at a few practical cases:

Google + uses the following response headers, which are mentioned in this article:



  x-content-type-options:nosniff  X-frame-options:sameorigin X-xss-protection:1; Mode=block Twitter uses these:     strict-transport-security:max-age=631138519  X-frame-options:sameorigin X-xss-protection:1; Mode=block PayPal:     X-frame-options:sameorigin strict-transport-security:max-age=14400 Facebook uses these (a detailed CSP is configured, and XSS protection is turned off):   strict-transport-security:max-age=60 X-content-type-options:nosniff X-frame-options:deny x-xss-protection:0 content-security-policy:default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *. Virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* CHROME-EXTENSION://LIFBCIBLLHKDHOAFPJFNLHFPFGNPLDFL ' Unsafe-inline ' unsafe-eval ' https://*.akamaihd.net http://*.akamaihd.net;style-src * ' unsafe-inline '; connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:*;
This article link: http://www.imququ.com/post/web-security-and-response-header.html

Some security-related HTTP response headers

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.