Response headers

One thing that you need to decide when creating a site is what response headers to send when someone requests your page.  There are also a couple of different ways of sending them.

Using .htaccess

<IfModule mod_headers.c>
  Header set Connection keep-alive
</IfModule>

Using PHP code

header("Connection: keep-alive");

So what headers am I setting on my website and why?

X-Frame-Options: deny

This is the best way to guard against Clickjacking attacks, but telling the browser that it should never allow the site to be run within an iframe or frameset, and therefore cannot be embedding within another site.

X-Content-Type-Options: nosniff

This tells the browser not to try and guess the content type of a response and to always use the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content-type, like an executable.

X-Permitted-Cross-Domain-Policies: none

When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain in order to allow the client to continue the transaction.  I don’t have any content like this, so I’ve set it to “none”.

X-XSS-Protection: 1; mode=block

This tells the browser to protect against Cross-Site Scripting (XSS) attacks, and to block any attempts instead of trying to sanitise them.  This won’t stop all XSS attacks, but it’s a good baseline.

 

Now, if you check out the headers in the Network tab of your browser’s Developer Tools, you’ll see there are also some extras. There are two types of extras…

  1. Automatically created by the server – these are useful!
    • Cache-control
    • Content-Encoding
    • Content-Length
    • Content-Type
    • Date
    • Expires
    • Vary
  2. Automatically added by my web host – these are not useful!
    • Server
    • X-Hostname
    • X-Powered-By

The second group reveal information to an attacker which they may be able to use to assist them, which is not good.  If I figure out how to remove them, I’ll let you know in a future post.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.