Some security-related HTTP response headers

HTTP Strict Transport Security, referred to as hsts. It allows an HTTPS web site that requires the browser to always access it via HTTPS. At this stage, this response header is supported in addition to the Chrome browser, firefox4+, and the noscript extension of Firefox.

We know that HTTPS has better security relative to HTTP, and many HTTPS websites can be accessed via HTTP. A developer's mistake or the user's active input address can lead to a user accessing the site in HTTP, which reduces security. In general, we will address this issue by sending a 301/302 redirect via Web server. Now with the HSTs, you can let the browser help you do this jump, save an HTTP request. In addition, browser local substitution guarantees that only HTTPS requests will be sent to avoid hijacking.

To use HSTs, simply add the following line to your HTTPS site's response header:

strict-transport-security:max-age=16070400; Includesubdomains

The includesubdomains is optional and is used to specify whether to work with subdomains. Browsers that support HSTs encounter this response header, will add the current Web site to the HSTs list, and then in the max-age specified number of seconds, all requests to the current site will be redirected to HTTPS. Redirects to the https://address, even if the user actively enters http://or does not enter the protocol portion.

Chrome has a built-in hsts list that includes Google, Paypal, Twitter, Linode and more. We can also enter the chrome://net-internals/#hsts in Chrome and go to the HSTs admin interface. On this page, you can add/delete/query HSTs records. For example, you want to always use HTTPS to access a URL, through the "add Domain" plus go. Check out all the HSTs lists built into chrome, or want to add your own website to this list, click here .

X-frame-options Sameorigin; Allow the same-origin domain name to be embedded in the IFRAME

Content-security-policy "default-src ' self '; Script-src ' self ' unsafe-inline ' unsafe-eval ' https://a.disquscdn.com; Img-src ' self ' data:https://www.google-analytics.com; Style-src ' self ' unsafe-inline '; Frame-src https://disqus.com "; Specifies the resources that can be loaded, primarily to prevent CSS attacks

X-content-type-options:nosniff There are various types of resources on the Internet, usually browsers will distinguish their types based on the Content-type field of the response header. For example: "Text/html" represents an HTML document, "Image/png" is a PNG image, and "Text/css" is a CSS style document. However, the content-type of some resources are either wrong or undefined. At this point, some browsers enable mime-sniffing to guess the type of the resource, parse the content, and execute it. For example, even if we specify Content-type as "Text/plain" for an HTML document, the document will still be parsed as HTML in ie8-. Using this feature of the browser, an attacker could even make a request that should have been parsed as a picture parsed into JavaScript. The browser's type-guessing behavior can be disabled by the above response header.

X-xss-protection:1; Mode=block as the name implies, this response head is used to protect against XSS. I saw this early in the article introducing IE8, which is now supported by mainstream browsers, and the default is to turn on XSS protection, which can be turned off with this header. It has several configurations:

• 0: Disable XSS protection;
• 1: Enable XSS protection;
• 1; Mode=block: Enable XSS protection and, when checking for XSS attacks, stop rendering the page (for example, in IE8, the entire page is replaced by a # when the attack is checked);

The browser provides the XSS protection mechanism is not perfect, but can still improve the attack difficulty, in short, there is no special reason, do not close it.

Server_tokens off; Hide Server version number

Some security-related HTTP response headers