HTTP Security Headers Best Practices

HTTP Security Headers establish rules for browsers connecting to a web page. Maintaining best practices for HTTP Security Headers provides a more secure browsing experience for users and for your website.

Modifications to these headers could impact the functionality of your website. Ensure that all changes are tested before moving to production. While many headers have straightforward recommended values, several (Content-Security-Policy and Feature-Policy) must be configured specifically for your website.

Each entry below lists the HTTP Security Header, its description and the recommended value.

Content-Security-Policy
Description: Restricts loading of resources (e.g. JavaScript) from untrusted sources. This control helps defend against some web-based attacks.
Recommended value: must be customized to the script sources that will be allowed to run on your website. Example:

default-src 'self' allowedsite1.com allowedsite2.com allowedsite3.com;

Information on additional configuration options is available here.

X-Permitted-Cross-Domain-Policies
Description: Restricts the loading of resources from domains other than your website.
Recommended value: none

Clear-Site-Data
Description: Clears browsing data.
Recommended value: "cache","cookies","storage"

Cross-Origin-Embedder-Policy
Description: Prevents some web-based attacks.
Recommended value: require-corp

Cross-Origin-Opener-Policy
Description: Prevents some web-based attacks.
Recommended value: same-origin

Cross-Origin-Resource-Policy
Description: Prevents some web-based attacks.
Recommended value: same-origin

Cache-Control
Description: Prevents information disclosure through the browser cache.
Recommended value: no-store, max-age=0

Strict-Transport-Security
Description: Enforces connections over encrypted channels.
Recommended value: max-age=31536000; includeSubDomains

X-Frame-Options
Description: Prevents some web-based attacks.
Recommended value: deny

Expect-CT
Description: Improves the likelihood of trusted connections.
Recommended value: note that this security header was deprecated in June 2021 and is being phased out. The following is an example configuration that could be used (be sure to modify the report-uri):

Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

X-Content-Type-Options
Description: Prevents some web-based attacks.
Recommended value: nosniff

Feature-Policy
Description: Details which features (e.g. webcam / microphone) should be enabled or disabled for a website.
Recommended value: note that this security header is in the process of being deprecated and will be split into Permissions-Policy and Document-Policy. Refer to this link for the features that are present in your website and explicitly allow them. Alternatively, select the features that should not be allowed.

Feature-Policy: <feature> <allow list origin(s)>

Referrer-Policy
Description: Omits referrer information from HTTP requests. This prevents other websites from seeing that users came to them from your website.
Recommended value: no-referrer
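Since the text advises testing header changes before production, here is an added example (not from the original page) that audits a response's headers against the recommended values above; the `SAMPLE` header set and the `audit_headers` function are constructed for this illustration.

```python
# Added example, not from the original page: audit response headers against the
# recommended values in the table above (header names compared case-insensitively).
import re

# Headers with a fixed recommended value in the table.
RECOMMENDED = {
    "X-Permitted-Cross-Domain-Policies": "none",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
MIN_HSTS_AGE = 31536000  # one year, as recommended in the table

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in RECOMMENDED.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want:
            findings.append(f"{name}: is '{got}', recommended '{want}'")
    # Content-Security-Policy is site-specific, so only its presence is checked.
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy: missing")
    # Cache-Control must at least carry no-store to keep responses out of the cache.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control: missing or lacks no-store")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security: missing or has no max-age")
    else:
        if int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security: max-age {m.group(1)} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: includeSubDomains not set")
    return findings

# Constructed sample of a partially hardened response (not from any real site).
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}
```

Calling `audit_headers(SAMPLE)` yields nine findings: the four missing cross-origin/cross-domain headers, the missing Referrer-Policy and Cache-Control, the wrong X-Frame-Options value, and the short HSTS max-age without includeSubDomains.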

Sources

https://owasp.org/www-project-secure-headers/#

https://content-security-policy.com/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy