Soccer player making a header, symbolizing HTTP website security headers.


Website Security: HTTP Security Headers – Tech Tip for May 4, 2021

We often talk about securing our passwords, using multi-factor authentication (MFA) and keeping our laptops and email protected against malware. However, did you know that your website can be a target for security issues as well? This month, our Tech Tips are focused on a few important things that you (or your website provider) should be doing to secure your website: website security headers, website 2-factor authentication, malware scans and web application firewall (WAF) protection. Our first topic is security headers.

What are Website Security Headers?

HTTP Security headers comprise a website’s security policy on a code level. Each header is basically a directive, or set of instructions, designed to keep the website secure. Because security headers are often overlooked by developers, it is very important to check the status of the headers on your site. Ensuring your website security headers are fully implemented and set-up according to best practices will help protect your site from malicious attacks.

There are the 7 main types of security headers:

  1. HTTP Strict Transport Security (HSTS) – Protects against Man-in-the-Middle and cookie hijacking attacks by converting all HTTP requests to the HTTPS secure domain before loading the site.
  2. Content Security Policy (CSP) – Allows third-party content (fonts, social media, Google Analytics code, etc.) to be loaded on a site. Protects against data-injection attacks, which can result in the distribution of malware and data theft.
  3. X-Frame-Option – Prevents click-jacking attacks due to corrupted embedded items (iframes, embed frames, YouTube videos, etc.). Once implemented, this header prevents others from embedding content on your site.
  4. Referrer-Policy – Controls how much referrer information should be included with outgoing traffic requests (outgoing traffic).
  5. X-Content-Type-Options – Prevents a malicious resource from being injected and loaded on the site in place of an innocent resource, like an image.
  6. Cross-Site Scripting (XSS) Protection – Prevents malicious scripts from being injected into and loaded on the website. Also prevents confidential information from being accessed from a cookie.
  7. Permissions-Policy (formerly known as Feature-Policy) – This new security header enables, disables and modifies features allowed for APIs and allows and denies certain browser features.

How Do You Harden The Security of Your Website Headers?

The configuration of security headers can be complex, and is best performed by a webmaster or developer with expertise in this area. Often missing or incomplete headers will be identified during a website security audit. The method of implementing and configuring security headers varies based on a website’s server application and whether it is using a dedicated or shared server. To check on the health of your website security headers, enter your website URL here.

To update your website’s security headers or conduct a full website security audit, contact TechWise Group.