What are Security Headers?


P3 Staff | Sep 19, 2024



When you visit a website, each page the server sends back to your browser is an HTTP response made of two main parts: the headers and the body. The body carries the content you see on the page, while the headers carry instructions (the HTTP headers) that tell your browser how to handle that content.

Security headers are like the bouncers of your website, ensuring that only safe and approved actions are allowed. Let’s explore some common security headers and how we can help implement them to keep your website secure.

X-Frame-Options: Keeping the Right Content in View

Think of iFrames as windows that let one website display pages from another inside its own. You might use them to embed a sales tool or vendor information. However, iFrames can also be misused: another site can load your pages inside a frame and wrap them in harmful content. The X-Frame-Options header helps prevent this by restricting which sites are allowed to display your pages inside an iFrame. There are two main settings:

  • DENY: Your pages may not be displayed inside an iFrame anywhere, not even on your own site.
  • SAMEORIGIN: Only pages from your own domain may display your pages inside an iFrame.

For some websites, a more advanced option called Content Security Policy (CSP) frame-ancestors might be more appropriate, which we'll discuss later. With X-Frame-Options in place, you can confidently say,

Strict-Transport-Security (HSTS): Guarding Your Website’s Gateway

Have you ever seen a browser warning about an insecure webpage? This usually happens with HTTP pages, which don't encrypt data. HTTPS pages do encrypt data, keeping it private in transit. The Strict-Transport-Security (HSTS) header tells browsers that, for a period you set (max-age), every connection to your site must use HTTPS, and with the includeSubDomains directive the same rule covers your subdomains. This ensures your entire site is only accessible through a secure connection.

Imagine you’re running an online store—without HSTS, your customers’ credit card details could be at risk. That’s a scenario no business owner wants to face. A site health scan can reveal any remaining insecure HTTP pages that may drive users away. Get in touch, and we can help!

Think of HSTS as your website’s gatekeeper, standing firm and declaring to insecure connections, 

“You shall not pass!” - (Gandalf, Lord of the Rings)

X-Content-Type-Options: Ensuring Files Are What They Claim

Browsers use MIME types to determine how to handle different files. Sometimes, browsers guess the file type if it's not clear, which can be risky. For example, a malicious file could be disguised as something harmless.

The X-Content-Type-Options header, when set to nosniff, stops the browser from guessing, so files are handled according to their declared type. That keeps a site safer from files disguised as something they are not.
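The three headers above are easy to check by hand once you can read a raw response. The script below is an added example, not code from the original article: it parses a constructed HTTP response and reports each of X-Frame-Options, Strict-Transport-Security and X-Content-Type-Options as ok, weak or missing. The six-month minimum for max-age and the sample responses are assumptions made for the example.

```python
"""Audit the security headers in an HTTP response (added example, not code from
the original article). Both raw responses below are constructed by hand; the
checks cover X-Frame-Options, Strict-Transport-Security and
X-Content-Type-Options as described above."""
from email.parser import Parser  # stdlib parser for "Name: value" header blocks

# Constructed sample response with one weak and one missing header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample with every header set the way the article recommends.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

MIN_HSTS_AGE = 15_552_000  # six months in seconds; assumed minimum for max-age


def parse_headers(raw):
    """Split a raw response into its status line and a lower-cased header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    msg = Parser().parsestr(header_block)
    return status_line, {name.lower(): value.strip() for name, value in msg.items()}


def audit(headers):
    """Return (header, verdict, detail) tuples; verdict is ok, weak or missing."""
    findings = []

    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "ok", xfo))
    elif xfo:
        findings.append(("X-Frame-Options", "weak", f"unsupported value {xfo}; use DENY or SAMEORIGIN"))
    else:
        findings.append(("X-Frame-Options", "missing", "any site may display your pages in a frame"))

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing", "browsers are not told to insist on HTTPS"))
    else:
        directives = {}
        for part in hsts.split(";"):           # e.g. "max-age=31536000; includeSubDomains"
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_AGE:
            findings.append(("Strict-Transport-Security", "weak", f"max-age={max_age} is below {MIN_HSTS_AGE}"))
        elif "includesubdomains" not in directives:
            findings.append(("Strict-Transport-Security", "weak", "add includeSubDomains to cover subdomains"))
        else:
            findings.append(("Strict-Transport-Security", "ok", hsts))

    xcto = headers.get("x-content-type-options", "").lower()
    if xcto == "nosniff":
        findings.append(("X-Content-Type-Options", "ok", xcto))
    else:
        findings.append(("X-Content-Type-Options", "missing", "browser may guess (sniff) file types"))
    return findings


def audit_response(raw):
    """Audit a raw response and return a {header: verdict} summary."""
    _status, headers = parse_headers(raw)
    return {header: verdict for header, verdict, _detail in audit(headers)}


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        _status, headers = parse_headers(raw)
        for header, verdict, detail in audit(headers):
            print(f"{verdict:8} {header}: {detail}")
        print()
```

To run it against a live site, replace the constructed strings with the headers returned by your own HTTP client; the audit logic does not change.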

Referrer-Policy: Protecting Sensitive Information

Whenever you click a link, information about the previous page (the referrer) is often sent along with the request. This can sometimes include sensitive information. The Referrer-Policy header allows you to control how much of this referrer information is shared. Here are some options:

  • no-referrer: No referrer information is sent.
  • no-referrer-when-downgrade: Sends referrer information only when moving to a page with the same or higher security level.
  • origin: Sends only the origin (e.g., https://example.com).
  • origin-when-cross-origin: Sends full referrer information for same-origin requests, but only the origin for cross-origin requests.
  • same-origin: Sends full referrer information for same-origin requests only.
  • strict-origin: Sends the origin only when moving to a page with the same security level.
  • strict-origin-when-cross-origin: Sends full referrer information for same-origin requests and only the origin for secure cross-origin requests.
  • unsafe-url: Always sends full referrer information, regardless of security.
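The list above is easier to reason about when you can see what each value actually puts in the Referer header. The script below is an added example, not code from the original article: given a policy value, the page you are leaving and the link you follow, it returns the Referer value a browser would send. The URLs are constructed, and "downgrade" is simplified to an HTTPS page linking to an HTTP page.

```python
"""Work out what Referer header a browser sends under each Referrer-Policy value
(added example, not code from the original article). The URLs are constructed,
and "downgrade" is simplified to an HTTPS page linking to an HTTP page."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page with a token in its query string, the kind of
# sensitive detail the article warns can leak through the referrer.
FROM_URL = "https://shop.example.com/account?token=abc123#orders"


def _netloc(url):
    """Host plus explicit port, with any user:password part dropped."""
    parts = urlsplit(url)
    return parts.hostname + (f":{parts.port}" if parts.port else "")


def origin_of(url):
    """Origin serialised the way browsers send it as a Referer (with trailing slash)."""
    return f"{urlsplit(url).scheme}://{_netloc(url)}/"


def stripped_url(url):
    """Full URL minus fragment and credentials, i.e. the most a Referer ever contains."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _netloc(url), parts.path, parts.query, ""))


def is_downgrade(from_url, to_url):
    """Simplification: HTTPS -> anything other than HTTPS counts as a downgrade."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https"


def referer_for(policy, from_url, to_url):
    """Return the Referer value the browser sends, or None for no header at all."""
    policy = policy.strip().lower()
    same_origin = origin_of(from_url) == origin_of(to_url)
    downgrade = is_downgrade(from_url, to_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped_url(from_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped_url(from_url)
    if policy == "origin":
        return origin_of(from_url)
    if policy == "strict-origin":
        return None if downgrade else origin_of(from_url)
    if policy == "same-origin":
        return stripped_url(from_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return stripped_url(from_url) if same_origin else origin_of(from_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return stripped_url(from_url)
        return None if downgrade else origin_of(from_url)
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


POLICIES = [
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]


def leak_table(from_url, to_urls):
    """For each policy, list the destinations that would receive the full URL (token included)."""
    full = stripped_url(from_url)
    return {policy: [to for to in to_urls if referer_for(policy, from_url, to) == full]
            for policy in POLICIES}


if __name__ == "__main__":
    destinations = [
        "https://shop.example.com/cart",       # same origin
        "https://partner.example.net/deal",    # cross-origin, still HTTPS
        "http://tracker.example.org/pixel",    # cross-origin and a downgrade to HTTP
    ]
    for policy in POLICIES:
        print(policy)
        for to in destinations:
            print(f"    -> {to}: {referer_for(policy, FROM_URL, to)}")
```

Running it shows why unsafe-url is named the way it is: it is the only value that hands the full URL, token and all, to the HTTP tracker, while strict-origin-when-cross-origin (the browsers' default) sends only the origin to the HTTPS partner and nothing at all on the downgrade.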

Content-Security-Policy (CSP): Defining What’s Allowed on Your Site

The Content-Security-Policy (CSP) header adds an extra layer of security by controlling precisely what types of content can be loaded and executed on your site.

For example, you can:

  • Allow JavaScript files only from your own domain.
  • Block inline scripts.
  • Prevent iFrames from loading content from untrusted sources.

CSPs are detailed and require careful setup from a professional developer. They protect against threats like cross-site scripting (XSS) and clickjacking. With CSP in place, you have the power to decide what’s allowed on your site and what isn’t.
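The three bullet points above map onto three CSP directives. The script below is an added example, not code from the original article: it builds the header value from a constructed policy and then answers "would the browser load this?" for a handful of constructed URLs, including the default-src fallback rule. Source matching is simplified to scheme, host (with a leading *. wildcard) and port; path matching, nonces and hashes are left out. The site origin, the policy and the URLs are all assumptions made for the example.

```python
"""Build a Content-Security-Policy header and check which loads it allows
(added example, not code from the original article). The policy and URLs are
constructed; source matching is simplified to scheme, host (with *. wildcard)
and port, ignoring path matching, nonces and hashes."""
from urllib.parse import urlsplit

# Constructed policy implementing the three bullet points above: scripts only
# from our own origin (plus one CDN), no inline scripts, no iFrames from anywhere.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "frame-src": ["'none'"],
    "frame-ancestors": ["'self'"],   # the CSP successor to X-Frame-Options
}

PAGE_ORIGIN = "https://www.example.com"  # constructed: the site serving the policy

# Directives that never fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri", "sandbox"}


def build_csp(policy):
    """Serialise the dict into the header value a server would send."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}" + (f":{parts.port}" if parts.port else "")


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]  # *.a.com matches b.a.com, not a.com
    return pattern == host


def source_allows(source, url):
    """Does one source expression permit fetching url? (simplified matching)"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == PAGE_ORIGIN
    if source.startswith("'"):          # 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
        return False
    target = urlsplit(url)
    if source.endswith(":"):            # scheme-source such as https:
        return target.scheme == source[:-1]
    pattern = urlsplit(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if not _host_matches(pattern.hostname or "", target.hostname or ""):
        return False
    if pattern.port is not None and pattern.port != target.port:
        return False
    return True


def governing_sources(policy, directive):
    """CSP's fallback rule: fetch directives defer to default-src when absent.
    Returns None when CSP places no restriction on the directive at all."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def allowed(policy, directive, url):
    """Would the browser load url under the given directive of this policy?"""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True
    return any(source_allows(s, url) for s in sources)


def inline_scripts_allowed(policy):
    """Inline <script> blocks run only if the governing script-src list carries 'unsafe-inline'."""
    sources = governing_sources(policy, "script-src")
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(POLICY))
    for directive, url in [
        ("script-src", "https://www.example.com/app.js"),
        ("script-src", "https://cdn.example.com/lib.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("img-src", "https://images.example.net/a.png"),
        ("frame-src", "https://www.example.com/widget"),
    ]:
        print(f"{directive:12} {url}: {'allowed' if allowed(POLICY, directive, url) else 'blocked'}")
    print("inline scripts:", "allowed" if inline_scripts_allowed(POLICY) else "blocked")
```

A useful habit when drafting a policy is to run a table like this before deploying it: the img-src line shows how an absent directive silently inherits default-src, which is usually what you want and occasionally what breaks a third-party widget.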

You'll often find CSP headers on larger sites with sensitive information, such as government, education, or large commercial sites because,

“With great security protocols comes great responsibility.” - (Uncle Ben, Spiderman)

For more information on setting up CSP, we recommend checking out these resources:

Does My Website Need Security Headers?

In short, your site probably does need security headers! But if you’re reading this and fretting because you know these are not in place for your site, know you’re not alone. In fact, the vast majority of sites scanned on securityheaders.com (over 132 million at the time of this article) received an F grade, compared to far fewer receiving an A or rare A+ rating.

The web moves fast. Sites built many years ago may not be up to date on these security headers, or may not have them in place at all. Without regular web maintenance or consultations from a professional development partner like P3, you could be left vulnerable to bots or hackers who have nothing better to do than look for backdoors to your site. One of our clients came to us with concerns about their site's security. After implementing key security headers, they saw a significant drop in security alerts and an increase in user trust.

How Can I Get Security Headers on My Site?

We recommend consulting with a professional web development partner to discuss the specific needs and header rules that your website should have in place to stay protected. Think of it as adding layers of armor to your site, ensuring that it stands strong against potential threats. We’re a tight-knit team with decades of experience developing and maintaining websites, and we may just be able to help!

If you’d like to learn more or chat with us, feel free to get in touch with us. Let’s chat about how we can fortify your website’s defenses together.


P3 Staff

It takes a village.