HTTP Security Headers

In this post I’ll discuss the HTTP response headers we can use to improve a web site’s security and mitigate certain classes of attack. I’ll use this blag as my example. First up we’ll look at X-Frame-Options. This header helps prevent clickjacking by telling the browser not to render the page inside a frame, iframe, embed or object on another site. We’ll use the strictest setting, DENY, which refuses framing even by pages from our own origin (SAMEORIGIN would allow that case). Its modern successor is the Content-Security-Policy frame-ancestors directive, which browsers that understand CSP prefer over X-Frame-Options, so it’s worth sending both. Here’s how to set it in .htaccess:

Next we’ll add two headers that originated in Internet Explorer but are now honoured more widely: X-XSS-Protection and X-Content-Type-Options. X-XSS-Protection turns on the browser’s built-in filter for reflected Cross-site scripting (XSS). We’ll use the strictest setting again here: “1; mode=block” (note that “1; block” is not a defined value). Bear in mind that Chromium-based browsers have since removed their XSS filter and Firefox never had one, so this header is a legacy measure and a Content-Security-Policy is the real defence against XSS today. This …
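As an added example that is not part of the original post, here is a small Python audit that parses a raw HTTP response and checks the three headers discussed above against the values browsers actually honour: DENY or SAMEORIGIN for X-Frame-Options, nosniff for X-Content-Type-Options, and “1; mode=block” (or “0” to disable) for X-XSS-Protection. The two sample responses are constructed for illustration, not captured from this or any other site; the first carries the common “1; block” typo and is flagged as invalid rather than accepted.

```python
"""Audit X-Frame-Options, X-Content-Type-Options and X-XSS-Protection
in a raw HTTP response. Added example, not code from the original post."""
from __future__ import annotations

# Accepted values per header, compared case- and whitespace-insensitively.
# X-Frame-Options: DENY or SAMEORIGIN. ALLOW-FROM is deprecated and ignored
#   by current browsers, so it is reported as invalid here.
# X-Content-Type-Options: the only defined value is "nosniff".
# X-XSS-Protection: "1; mode=block" is the strict form; "0" explicitly
#   disables the filter. Anything else, including "1; block", is invalid.
EXPECTED: dict[str, set[str]] = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1;mode=block", "0"},
}


def _norm(value: str) -> str:
    """Lower-case and strip all whitespace so 'DENY' and ' deny ' compare equal."""
    return "".join(value.split()).lower()


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP response into a
    lower-cased name -> value dict. Skips the status line and stops at
    the first blank line, where the body begins."""
    headers: dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if line == "":
            break
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: dict[str, str]) -> dict[str, str]:
    """Return a status per header: 'ok', 'missing', or 'invalid: <value>'."""
    result: dict[str, str] = {}
    for name, allowed in EXPECTED.items():
        if name not in headers:
            result[name] = "missing"
        elif _norm(headers[name]) in allowed:
            result[name] = "ok"
        else:
            result[name] = f"invalid: {headers[name]}"
    return result


def audit_raw(raw: str) -> dict[str, str]:
    """Convenience wrapper: parse then audit a raw response."""
    return audit(parse_headers(raw))


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; block\r\n"   # the typo for "1; mode=block"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for name, status in audit_raw(raw).items():
            print(f"  {name}: {status}")
```

To run it against a live site, feed the output of `curl -si https://example.org/` (the `-i` flag keeps the response headers) into `audit_raw`; because the parser lower-cases header names, it does not matter whether the server emits `X-Frame-Options` or `x-frame-options`.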