List of useful HTTP headers

简介: This page lists useful security-related HTTP headers.

This page lists useful security-related HTTP headers. In most architectures these headers can be set in web server configuration (Apache, IIS), without changing actual application's code. This offers significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

Field name Description Example
Strict-Transport-Security Enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links. Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Frame-Options, Frame-Options Clickjacking protection. Values: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from: URL - allow rendering frame if loaded from URL X-Frame-Options: deny
X-XSS-Protection This header enables Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so role of this headers is to re-enable for this particular website if it was disabled by the user. X-XSS-Protection: 1; mode=block
X-Content-Type-Options The only defined value, "nosniff", prevents Internet Explorer and Google Chrom from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files. X-Content-Type-Options: nosniff
X-Content-Security-Policy, X-WebKit-CSP Content Security Policy definition. Requires careful tuning and precise definition of the policy. If enabled CSP has significant impact on the way browser renders pages (e.g. inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site Scripting and other cross-site injections. X-WebKit-CSP: default-src 'self'


Real life examples

Below examples present selected HTTP headers as set by popular websites to demonstrate that they are indeed being used in production services:

Facebook

As of January 2013 Facebook main page was setting these security related HTTP headers.

Strict-Transport-Security: max-age=60
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-WebKit-CSP: 
X-XSS-Protection: 1; mode=block

Especially interesting is Facebook's use of Content Security Policy (using Google Chrome syntax), whose implementation can be challenging for large sites with heavy usage of JavaScript.

Google+

As of January 2013 Google+ main page was setting these security related HTTP headers:

x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

目录
相关文章
|
7月前
|
Web App开发 API 数据格式
Python网络数据抓取(2):HTTP Headers
Python网络数据抓取(2):HTTP Headers
66 0
|
5月前
|
缓存 JSON 算法
http【详解】状态码,方法,接口设计 —— RestfuI API,头部 —— headers,缓存
http【详解】状态码,方法,接口设计 —— RestfuI API,头部 —— headers,缓存
83 0
|
Web App开发 缓存 网络协议
接口测试之Fiddler+HTTP协议headers
一、http header可以分为request headers和response headers,如下图所示 header 二、什么是User-Agent及User-Agent的作用 1.什么是User Agent User Agent中文名为用户代理,简称 UA,它是一个特殊字符串头,使得服务器能够识别客户使用的操作系统及版本、CPU 类型、浏览器及版本、浏览器渲染引擎、浏览器语言、浏览器插件等。
1237 0
|
Web App开发 缓存 安全
[译] 如何使用 HTTP Headers 来保护你的 Web 应用
[译] 如何使用 HTTP Headers 来保护你的 Web 应用,文讲的是[译] 如何使用 HTTP Headers 来保护你的 Web 应用,
1349 0
|
SQL
SQL Injection through HTTP Headers
http://resources.infosecinstitute.com/sql-injection-http-headers/ ...
615 0
|
存储 Web App开发 监控
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html><head><meta http-equiv="Cont
我们以前使用过的对hbase和hdfs进行健康检查,及剩余hdfs容量告警,简单易用 1.针对hadoop2的脚本: #/bin/bashbin=`dirname $0`bin=`cd $bin;pwd`STATE_OK=...
1060 0
|
SQL Web App开发 前端开发
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html><head><meta http-equiv="Cont
在运行一个group by的sql时,抛出以下错误信息: Task with the most failures(4):  -----Task ID:  task_201411191723_723592_m_000004URL:  http://DDS0204.
977 0
|
Web App开发 监控 前端开发
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html><head><meta http-equiv="Cont
Hbase依赖的datanode日志中如果出现如下报错信息:DataXceiverjava.io.EOFException: INFO org.apache.hadoop.hdfs.server.datanode.DataNode: Exception in receiveBlock for block  解决办法:Hbase侧配置的dfs.socket.timeout值过小,与DataNode侧配置的 dfs.socket.timeout的配置不一致,将hbase和datanode的该配置调成大并一致。
803 0
|
Web App开发 存储 前端开发
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html><head><meta http-equiv="Cont
1.HBase依赖于HDFS,HBase按照列族将数据存储在不同的hdfs文件中;MongoDB直接存储在本地磁盘中,MongoDB不分列,整个文档都存储在一个(或者说一组)文件中 (存储) 2.
736 0

热门文章

最新文章