HTTP Security Headers


Hypertext Transfer Protocol (HTTP) is the protocol by which a client (usually a browser) and a server exchange hypermedia documents such as HTML pages. Besides the document itself, every request and response carries metadata: details of the server and client, the size and type of the message body, cookies, and so on. That metadata travels in HTTP headers.

Below, several common web vulnerabilities are described together with the HTTP response headers that help prevent them.

X-XSS-Protection
Asks the browser's built-in filter to detect and block reflected XSS payloads (script that appears both in the request and in the response). It does nothing against stored XSS. Chromium-based browsers have removed their filter and Firefox never implemented one, so the header no longer offers protection; in the past the filter itself was abused for information leaks, which is why current guidance (for example the OWASP header recommendations) is to send X-XSS-Protection: 0 and rely on Content-Security-Policy instead.

What's XSS?
Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to run arbitrary JavaScript code in the victim's browser, in the context of the vulnerable site.

Parameters

0: Disables the filter.

1: Enables the filter.

mode=block: Prevents the page from rendering at all when XSS is detected, instead of trying to sanitise it.

report=https://website.com/xss.log: On detection, sends a report of the attempt to the given URL. Only ever supported by Chromium-based browsers.

X-XSS-Protection: 1; mode=block; report=https://website.com/xss.log

X-Frame-Options
Tells the browser whether the page may be rendered inside a frame, iframe, embed or object element. Protects against clickjacking.

What's Clickjacking?
Clickjacking is when an attacker embeds a legitimate site in an invisible or disguised iframe on a page that looks harmless, so the user acts on the hidden page without realising it. For example, the user clicks a button believing it will win a gift, but the attacker has positioned the bank's money-transfer page in the iframe directly over that spot, so the click actually approves a transfer. Because the browser attaches the user's bank cookies to the request, the transfer goes through to the attacker.

Parameters

DENY: The page may not be framed by anyone, not even by pages from the same site.

SAMEORIGIN: Only pages from the same origin may frame it.

ALLOW-FROM URL: Only the specified origin may frame it. Not supported by current browsers, which ignore the value; use the CSP frame-ancestors directive instead.

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options
Tells the browser to trust the Content-Type the application declares instead of guessing the type from the content. Protects against MIME type sniffing attacks.

What's MIME Type Sniffing?
MIME type sniffing is the browser inspecting the bytes of a response to decide what kind of document it is, mainly when the server sends no usable Content-Type. It is not a vulnerability in itself, but it can turn an otherwise harmless upload into an XSS vector.

For example, suppose an application refuses HTML uploads but lets users upload an "image" and then serves it back without a Content-Type. If the uploaded file actually contains HTML and JavaScript, the browser sniffs it as HTML and executes the script in the application's origin. With nosniff set, the browser will not upgrade such a response to HTML, and script and style elements will only accept responses with a matching JavaScript or CSS type.

X-Content-Type-Options: nosniff
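To make the upload scenario concrete, here is an added example (not code from the original post) that models the part of the browser's sniffing algorithm that matters here. The HTML byte signatures and the binary-byte rule follow the WHATWG MIME Sniffing standard; the rest is a simplification (image, font and feed detection are omitted), and the uploaded avatar is a constructed sample.

```python
"""Simplified model of browser MIME sniffing for an untyped response, and the
effect of X-Content-Type-Options: nosniff. Added example; the signatures are
from the WHATWG MIME Sniffing standard, everything else is an approximation."""

from typing import Optional

# HTML signatures from the standard: matched case-insensitively after leading
# whitespace and followed by a tag-terminating byte (space or '>').
HTML_SIGNATURES = (
    b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME", b"<H1",
    b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE", b"<B",
    b"<BODY", b"<BR", b"<P", b"<!--",
)

# "Binary data bytes" from the standard: if any occurs in the examined bytes,
# the resource is not plain text.
BINARY_BYTES = (set(range(0x00, 0x09)) | {0x0B}
                | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20)))


def sniff_unknown_type(body: bytes, sniff_scriptable: bool) -> str:
    """Rules for an unknown MIME type. sniff_scriptable is the inverse of the
    nosniff flag: when False, the browser refuses to promote bytes to a
    scriptable type such as text/html."""
    header = body[:1445]                       # the standard examines at most 1445 bytes
    stripped = header.lstrip(b"\t\n\x0c\r ")   # leading whitespace is skipped
    if sniff_scriptable:
        upper = stripped.upper()
        for sig in HTML_SIGNATURES:
            if upper.startswith(sig) and upper[len(sig):len(sig) + 1] in (b" ", b">"):
                return "text/html"
        if stripped.startswith(b"%PDF-"):
            return "application/pdf"
    if any(b in BINARY_BYTES for b in header):
        return "application/octet-stream"
    return "text/plain"


def computed_mime_type(content_type: Optional[str], body: bytes, nosniff: bool) -> str:
    """What the browser will treat the response as."""
    if not content_type or content_type.lower() in ("unknown/unknown", "application/unknown", "*/*"):
        return sniff_unknown_type(body, sniff_scriptable=not nosniff)
    # With a usable declared type the current algorithm keeps it. (Legacy
    # browsers also second-guessed some declared types, the other case that
    # nosniff was introduced for.)
    return content_type.lower()


# Constructed sample: an "avatar" upload that is really an HTML/JS payload.
UPLOADED_AVATAR = b"  <html><body><script>alert(document.cookie)</script></body></html>"

if __name__ == "__main__":
    print(computed_mime_type(None, UPLOADED_AVATAR, nosniff=False))   # text/html: XSS
    print(computed_mime_type(None, UPLOADED_AVATAR, nosniff=True))    # text/plain
    print(computed_mime_type(None, b"\x89PNG\r\n\x1a\n", nosniff=True))  # application/octet-stream
```

The fix that nosniff does not give you is still setting a correct Content-Type: the header only stops the browser from guessing, so serve uploads with an explicit type (and ideally from a separate origin).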


HSTS (HTTP Strict Transport Security)

Tells the browser to talk to the site only over HTTPS: plain http:// URLs are rewritten to https:// before any request is sent, and certificate errors can no longer be clicked through. This protects against man-in-the-middle attacks such as SSL stripping, where an attacker keeps the victim on plain HTTP.

What's a man-in-the-middle attack?
A MITM attack occurs when an attacker sits on the network path between client and server and reads or alters the traffic. Since HTTP is unencrypted, sensitive data sent over it can be read or modified by that attacker.

parameters

max-age: How long, in seconds, the browser should remember the policy after the last response that carried the header.

includeSubDomains: Applies the policy to all subdomains of the host as well.

preload: Signals the site owner's consent to having the domain added to the HSTS preload list compiled into browsers (submitted via hstspreload.org). With the domain preloaded, HTTPS is enforced from the very first request, so no initial plaintext response is needed to learn the policy. The preload list currently requires max-age of at least 31536000 (one year) together with includeSubDomains, and removal from the list takes months to reach users, so preload only once every subdomain serves HTTPS.

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Note that the browser only honours this header on a response received over HTTPS; on plain HTTP it is ignored, so an attacker cannot inject or clear the policy, and the max-age of 10886400 (18 weeks) shown above is below today's preload minimum.
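The browser-side behaviour described above, as an added example that is not part of the original post: a small model of the HSTS cache from RFC 6797 (policy only learned over HTTPS, max-age expiry, includeSubDomains matching, max-age=0 as removal) plus a check of the preload-list requirements. Hostnames and timestamps are constructed.

```python
"""Model of a browser's HSTS store (RFC 6797) and a preload eligibility check.
Added example; the minimum max-age is the hstspreload.org requirement."""

import time
from typing import Dict, List, Optional, Tuple

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, required by the preload list


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value. Returns None when max-age is
    missing or malformed, in which case RFC 6797 says to ignore the header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


class HstsStore:
    """Per-host HSTS state, as a browser keeps it."""

    def __init__(self) -> None:
        # host -> (expires_at, include_subdomains)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str, over_https: bool, now: float) -> None:
        """Record the header from a response. Only a response received over a
        secure transport may set or clear the policy (RFC 6797), so an
        attacker on plain HTTP cannot tamper with it."""
        if not over_https:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
            return
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host: str, now: float) -> bool:
        """Should a request to host be upgraded to HTTPS (with TLS errors fatal)?
        Walks the host and each parent domain, honouring includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue                       # policy has expired
            if i == 0 or include_subdomains:   # exact host, or a parent with includeSubDomains
                return True
        return False


def preload_problems(header: str) -> List[str]:
    """Reasons the preload list would reject this header (empty list = eligible)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["max-age directive missing or malformed"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} is below the required {PRELOAD_MIN_MAX_AGE} (1 year)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    store, now = HstsStore(), time.time()
    header = "max-age=31536000; includeSubDomains; preload"
    store.observe("website.com", header, over_https=False, now=now)   # ignored: plain HTTP
    print(store.must_use_https("website.com", now))                   # False
    store.observe("website.com", header, over_https=True, now=now)
    print(store.must_use_https("api.website.com", now))               # True, via includeSubDomains
    print(preload_problems("max-age=10886400; includeSubDomains; preload"))
```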

Content-Security-Policy (CSP)

CSP declares which sources the page's content (scripts, stylesheets, images, frames, etc.) may be loaded from. It protects against XSS, since injected inline or third-party script is refused unless the policy allows it, and through the frame-ancestors directive against clickjacking.

base-uri: Restricts the URLs that can be used in the base element.

default-src: Fallback for the fetch directives (script-src, img-src, style-src and so on) that are not set explicitly. base-uri, form-action and frame-ancestors do not fall back to it and must be set on their own.

font-src: Specifies the sources from which fonts can be loaded via @font-face.

form-action: Restricts the URLs that can be used as a form's action.

frame-ancestors: Specifies which origins may embed the page in a frame or iframe (the CSP replacement for X-Frame-Options; when both are present the browser uses frame-ancestors).

frame-src: Specifies the URLs that the page itself may load inside frame and iframe elements.

img-src: Specifies the sources from which images can be loaded.

media-src: Specifies the sources of media loaded through elements such as audio and video.

object-src: Specifies the sources of plugin content loaded through object, embed and applet elements.

report-uri: Specifies the URL to which a report is sent when the policy is violated.

script-src: Restricts the sources from which JavaScript may be loaded.

style-src: Restricts the sources from which stylesheets may be loaded.

upgrade-insecure-requests: Tells the browser to fetch the page's http: subresources over https: instead.

Source values (the quotes are part of the syntax):

'self': Allows loading only from the page's own origin (same scheme, host and port).

'none': Allows loading from no source at all.

*.website.com: Allows loading from any subdomain of website.com.

Only some directives are described above; the CSP specification (https://www.w3.org/TR/CSP3/) lists them all.

Content-Security-Policy: default-src 'self' https://website.com

Because 'unsafe-inline' is not listed, this policy also blocks inline scripts and inline event handlers, which is where most of its XSS value comes from; existing inline code has to be moved to external files or allowed by nonce or hash.
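As an added example that is not code from the original post, the following parser and matcher implement the subset of CSP source matching the post describes ('self', 'none', scheme sources, host sources with a leading wildcard) together with the fallback rules, and a framing decision that covers both the X-Frame-Options section above and frame-ancestors. Simplifications: no nonces, hashes or 'strict-dynamic', no path matching, and ports are compared literally. All origins and policies are constructed.

```python
"""Parser and source matcher for Content-Security-Policy, plus the framing
decision combining frame-ancestors and X-Frame-Options. Added example with
deliberate simplifications (no nonces/hashes/paths)."""

from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "report-uri", "report-to", "sandbox"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'default-src 'self' https://a.com; img-src *' -> {'default-src': [...], 'img-src': ['*']}"""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:          # a repeated directive is ignored, per spec
            directives[name] = parts[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        # *.website.com matches api.website.com but not website.com itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(expr: str, page_origin: str, url: str) -> bool:
    """Does one source expression permit loading url from a page at page_origin?"""
    page, target = urlsplit(page_origin), urlsplit(url)
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return (page.scheme, page.hostname, page.port) == (target.scheme, target.hostname, target.port)
    if expr_l == "*":
        return target.scheme in ("http", "https", "ws", "wss")   # * never matches data: or blob:
    if expr_l.endswith(":"):                                       # scheme-source such as https:
        return target.scheme == expr_l[:-1]
    # host-source: [scheme://]host[:port]; without a scheme it inherits the page's
    scheme, _, rest = expr.partition("://")
    if not rest:
        scheme, rest = page.scheme, expr
    host, _, port = rest.partition(":")
    if scheme != target.scheme and not (scheme == "http" and target.scheme == "https"):
        return False
    if not _host_matches(host.lower(), (target.hostname or "").lower()):
        return False
    if port and port != "*" and str(target.port or "") != port:
        return False
    return True


def directive_allows(policy: Dict[str, List[str]], directive: str, page_origin: str, url: str) -> bool:
    """Resolve the default-src fallback, then test every source expression."""
    sources = policy.get(directive)
    if sources is None:
        if directive in NO_FALLBACK:
            return True                        # no directive means no restriction
        sources = policy.get("default-src")
        if sources is None:
            return True
    return any(source_allows(s, page_origin, url) for s in sources)   # empty list == 'none'


def framing_allowed(policy: Optional[str], x_frame_options: Optional[str],
                    page_origin: str, framer_origin: str) -> bool:
    """May a document at framer_origin embed the page? frame-ancestors takes
    precedence; X-Frame-Options is consulted only when the directive is absent.
    Unknown values such as ALLOW-FROM are not enforced by current browsers."""
    directives = parse_csp(policy) if policy else {}
    if "frame-ancestors" in directives:
        return directive_allows(directives, "frame-ancestors", page_origin, framer_origin)
    if x_frame_options:
        value = x_frame_options.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return framer_origin.lower() == page_origin.lower()
    return True


if __name__ == "__main__":
    csp = parse_csp("default-src 'self' https://website.com")
    page = "https://app.website.com"
    print(directive_allows(csp, "script-src", page, "https://website.com/app.js"))   # True
    print(directive_allows(csp, "script-src", page, "https://cdn.evil.com/x.js"))    # False
    print(directive_allows(csp, "frame-ancestors", page, "https://evil.com"))        # True: no fallback!
    print(framing_allowed("frame-ancestors 'self' *.website.com", "DENY",
                          "https://website.com", "https://api.website.com"))          # True: CSP wins
```

The third print is the pitfall to remember: default-src 'self' does nothing against clickjacking, because frame-ancestors never falls back to it. Send frame-ancestors explicitly (and X-Frame-Options for old browsers).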

Cookie Flags

HTTP cookies are small pieces of data that the server stores in the user's browser, which sends them back on later requests. They are mostly used to track sessions and remember the user's preferences. A few attributes must be added to cookies to keep them secure.

HttpOnly: A cookie marked HttpOnly is only sent to the server and cannot be read by JavaScript (document.cookie). This keeps a session identifier from being stolen through an XSS attack, although injected script can still make requests that carry the cookie.

Secure: Ensures the cookie is only sent over HTTPS requests. Since HTTPS traffic is encrypted, an attacker listening on the network cannot capture the cookie, and a page loaded over plain HTTP cannot leak it.

Set-Cookie: sessionid=xxxxx; HttpOnly; Secure

Current browsers also honour a SameSite attribute (SameSite=Lax or SameSite=Strict), which limits sending the cookie on cross-site requests and so helps against cross-site request forgery; it belongs on session cookies alongside the two flags above.
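Putting the headers of this post together: the following added example (illustrative code, not any framework's built-in) is a WSGI middleware that applies the response headers discussed above to every response and adds the missing cookie flags to any Set-Cookie the application emits. The sample application, header values and environ dictionaries are constructed; X-XSS-Protection is set to 0 in line with current guidance.

```python
"""WSGI middleware that adds the security headers from this post and hardens
Set-Cookie values. Added example; run() exercises it without a real server."""

from typing import List, Tuple

SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-XSS-Protection", "0"),   # disable the legacy filter; CSP does the real work
]


def harden_cookie(set_cookie: str, https: bool) -> str:
    """Append HttpOnly (always) and Secure (only on HTTPS, since browsers reject
    Secure cookies set from a plain-HTTP origin) when they are missing.
    Attribute names are case-insensitive."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if https and "secure" not in present:
        attrs.append("Secure")
    return "; ".join(attrs)


def security_headers_middleware(app):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS."""
    def wrapped(environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def hardened_start_response(status, headers, exc_info=None):
            out, seen = [], set()
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = harden_cookie(value, https)
                seen.add(name.lower())
                out.append((name, value))
            for name, value in SECURITY_HEADERS:
                if name.lower() in seen:
                    continue                # an explicit value from the app wins
                if name == "Strict-Transport-Security" and not https:
                    continue                # browsers ignore HSTS over plain HTTP anyway
                out.append((name, value))
            return start_response(status, out, exc_info)

        return app(environ, hardened_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed sample application that sets a session cookie without flags."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Set-Cookie", "sessionid=xxxxx; Path=/")])
    return [b"<h1>hello</h1>"]


def run(environ: dict) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Invoke the wrapped demo app directly; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(security_headers_middleware(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run({"wsgi.url_scheme": "https", "REQUEST_METHOD": "GET"})
    for name, value in headers:
        print(f"{name}: {value}")
```

In a real deployment the same headers are usually set once at the reverse proxy (nginx, Apache, a CDN) rather than per application, but the middleware form makes it easy to see, and test, exactly what every response carries.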

These headers are small, cheap measures, but together they remove whole classes of attack (sniffing-based XSS, clickjacking, SSL stripping, cookie theft) and make the remaining vulnerabilities much harder to exploit. Set them, verify them in the browser's developer tools or with a header scanner, and keep them in place.