This article describes the various response header fields that you can use in the HTTP response header in order to improve security when the Web server responds. Because some browsers may not support certain fields or options, please confirm the client environment when using these fields.
X-frame-options
This response header controls whether the page may be displayed inside a frame or iframe in the browser. It is used primarily to prevent clickjacking attacks.
X-frame-options:sameorigin
- DENY: the page is never displayed within a frame (not even by pages on the same site)
- sameorigin: the page may be displayed within a frame only by pages from the same Web site; framing from other sites is prevented
- allow-from origin_uri: the page may be displayed within a frame by pages from the specified URI (used when one particular Web site is allowed to frame the page)
X-content-type-options
If the MIME type of a file loaded as a script or stylesheet does not match the MIME type declared for it, the browser refuses to load the file instead of guessing its type. Used to prevent attacks such as XSS that rely on MIME-type sniffing.
X-content-type-options:nosniff
X-xss-protection
Enables the browser's built-in XSS filter to help prevent cross-site scripting (XSS) attacks.
X-xss-protection:1; Mode=block
- 0 disables the XSS filter
- 1 enables the XSS filter
Content-security-policy
Controls which external resources the browser is allowed to load, so that resources from untrusted sources are refused. Used to prevent XSS (cross-site scripting) and data injection attacks (however, if set incorrectly, some of the site's own scripts may stop working).
The older name of this field is X-content-security-policy.
Content-security-policy:default-src 'self'
- default-src 'self' allows all content to be loaded from the same origin (domain + host + port number)
- default-src 'self' *.example.com allows all content to be loaded from the specified domain name and all of its subdomains as well
X-permitted-cross-domain-policies
Specifies the policy to apply when a "crossdomain.xml" file (the policy file that configures how Flash content may be loaded from another domain name) cannot be placed in the site root directory.
X-permitted-cross-domain-policies:master-only
- master-only: only the master policy file (/crossdomain.xml) is allowed
Strict-transport-security
Informs the browser that the Web site may only be accessed over HTTPS. Used to redirect HTTP requests for the site to HTTPS.
strict-transport-security:max-age=31536000; Includesubdomains
- max-age sets how long (in seconds) the STS policy remains valid.
- includesubdomains specifies that all subdomains also use this policy.
CORS-related fields such as Access-control-allow-origin
Used when XMLHttpRequest obtains resources from another domain name (cross-origin communication).
Access-control-allow-origin:http://www.example.com
Access-control-allow-methods:POST, GET, OPTIONS
Access-control-allow-headers:X-tricorder
Access-control-max-age:1728000
The above headers allow cross-origin communication with "http://www.example.com", permit the POST, GET and OPTIONS methods, allow the X-tricorder field to be added to the request header, and set a max-age of 1,728,000 seconds.
X-download-options
Used to prevent users from opening downloaded files directly.
X-download-options:noopen
- noopen specifies that, in IE 8 or later, users cannot open a downloaded file directly but must save it first; the Open option is not displayed in the download dialog box.
Set-cookie
Used to set cookies.
Set-cookie:name=value; Secure; HttpOnly
- secure: the cookie is only sent over HTTPS communication.
- httponly: the cookie value cannot be accessed from JavaScript code.
- Although the path attribute is used to restrict the path to which the cookie is sent, it cannot be relied on as a security measure.
- The domain attribute is matched by suffix (the end of the host name), so for security reasons it is best not to use it unless you explicitly need the cookie to be sent to multiple domains.
Cache-control
Specifies how the browser caches the response; multiple directives are separated by commas.
Cache-control:no-cache, no-store, must-revalidate
- no-cache specifies that the response is not served from cache without checking with the server.
- no-store specifies that the data must not be saved in the local cache.
- must-revalidate specifies that the data may be cached, but must be revalidated with the server before it is reused.
pragma
A header field kept for backward compatibility with HTTP/1.0, which formally defines it only for client request headers. Used in conjunction with "Cache-control:no-cache".
Pragma:no-cache
- no-cache: the client requires that no intermediate server cache the data.
Expires
Specifies how long the data remains valid. When you do not want the data to be cached, set the field to the same value as the Date field, or set it to "-1".
Expires:-1
Content-type
Specifies the media type of the entity body. The charset parameter specifies the text encoding.
Content-type:text/html;charset=utf-8
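The following is an added example, not part of the original article: a small audit function that checks one captured set of response headers against the values recommended above (the header names and the sample response below are constructed for illustration).

```python
# Added example (not from the original article): audit one response's headers
# against the values recommended above. Sample headers are constructed.
EXPECTED = {  # header -> accepted values (lowercase, spaces removed)
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1;mode=block",),
    "x-permitted-cross-domain-policies": ("master-only",),
    "x-download-options": ("noopen",),
}

def hsts_max_age(value: str) -> int:
    """Parse max-age from a Strict-Transport-Security value; 0 if absent."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0

def audit_headers(headers: dict) -> list:
    """Return findings; an empty list means every check passed.
    Assumes one Set-Cookie header (a dict cannot hold repeated names)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower().replace(" ", "") not in allowed:
            findings.append(f"weak {name}: {value}")
    if hsts_max_age(h.get("strict-transport-security", "")) < 31536000:
        findings.append("strict-transport-security missing or max-age under a year")
    if "content-security-policy" not in h:
        findings.append("missing content-security-policy")
    if h.get("access-control-allow-origin") == "*":
        findings.append("access-control-allow-origin allows any origin")
    if "set-cookie" in h:
        attrs = {a.strip().lower() for a in h["set-cookie"].split(";")[1:]}
        findings += [f"set-cookie lacks {f}" for f in ("secure", "httponly") if f not in attrs]
    cache = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if "no-store" not in cache:
        findings.append("cache-control lacks no-store")
    return findings

# Constructed sample response: some headers missing, some set weakly.
SAMPLE = {"X-Frame-Options": "ALLOWALL", "X-Content-Type-Options": "nosniff",
          "Strict-Transport-Security": "max-age=300",
          "Set-Cookie": "session=abc123; Path=/; HttpOnly", "Cache-Control": "no-cache"}

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)) or "no findings")
```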
How to set HTTP response headers
When setting a response header on the Apache server, the following module must first be enabled in the httpd.conf file.
- LoadModule headers_module modules/mod_headers.so
Then set the HTTP response header with the Header directive, in the form Header set HeaderFieldName "value". For example:
Header set X-XSS-Protection "1; mode=block"