Security headers are directives set on the web server and used by web applications to configure security settings in web browsers. Based on these directives, browsers can make it harder to exploit client-side vulnerabilities such as Cross-Site Scripting or Clickjacking. Some examples include:
- Strict Transport Security informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
- Content Security Policy prevents cross-site scripting (XSS) attacks by limiting the number of domains that scripts can run from.
- X-Frame-Options prevents your content from being fraudulently embedded in another site (also known as click-jacking)
- Referrer-policy limits the amount of information being sent by the server
- Server limits the amount of information about the web server being shared with a browser.
- Permission Policy allows the server to configure certain permissions in the browser (ie. enable Geolocation or disable Microphone) without user input.
These settings are typically configured on the web server (Apache, nginx or OpenLiteSpeed).
Description of change
- Access web server via SSH
- Configure web server software (Apache, nginx or OpenLiteSpeed)
- Test website functionality, especially relating to integration of other systems
- Approximate duration: 1 hour