headers-security-headers

Improve your Web App’s security with HTTP Headers

Over recent years, new security standards have been set by the W3C, and implemented by browser vendors. The idea was to create a set of HTTP headers that developers could use in order to add a browser-based layer of security for their web applications.

Indeed, many security problems can (or should) be remediated on the client side (e.g. Same Origin Policy), and by improving the security of the platforms it was clear that the overall security level of web applications would increase, with little regard to the actual server-side implementation.

Let’s present a quick overview of these HTTP headers:

X-XSS-Protection

Description: Enables a Cross-Site Scripting (XSS) filter in the browser that blocks the malicious reflected XSS code.

Setting: X-XSS-Protection: 1; mode=block

Supported Browsers: IE 8+, Chrome, Safari (WebKit).

Additional Information: https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/

X-Content-Type-Options

Read more