One thing that you need to decide when creating a site is what response headers to send when someone requests your page. There are also a couple of different ways of sending them.
<IfModule mod_headers.c> Header set Connection keep-alive </IfModule>
Using PHP code
So what headers am I setting on my website and why?
This is the best way to guard against Clickjacking attacks, but telling the browser that it should never allow the site to be run within an iframe or frameset, and therefore cannot be embedding within another site.
This tells the browser not to try and guess the content type of a response and to always use the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content-type, like an executable.
When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain in order to allow the client to continue the transaction. I don’t have any content like this, so I’ve set it to “none”.
X-XSS-Protection: 1; mode=block
This tells the browser to protect against Cross-Site Scripting (XSS) attacks, and to block any attempts instead of trying to sanitise them. This won’t stop all XSS attacks, but it’s a good baseline.
Now, if you check out the headers in the Network tab of your browser’s Developer Tools, you’ll see there are also some extras. There are two types of extras…
- Automatically created by the server – these are useful!
- Automatically added by my web host – these are not useful!
The second group reveal information to an attacker which they may be able to use to assist them, which is not good. If I figure out how to remove them, I’ll let you know in a future post.