WebTracker.one

 
Login
Site Stats
Tools
Whois
Whois
Email Whois
Fingerprint
Logout
Contact
Lost Password
 
Smiley






JavaScript is disabled by your browser. Many features will not work.












HTTP Response Headers

HTTP response headers can protect your website against attack. Here are the response headers that I consider to be the most important.

The Strict-Transport-Security HTTP response header lets a website tell browsers that it should only be accessed using https for a set period of time, instead of using http.
Recommended setting: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

See Mozilla Strict-Transport-Security
Note: The max-age in seconds is subjective.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe or object. Sites can use this to avoid framejacking attacks, by ensuring that their content is not embedded into other sites.
Recommended setting: X-Frame-Options: SAMEORIGIN

See Mozilla X-Frame-Options
The X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Recommended setting: X-XSS-Protection: 1; mode=block

Note: Newer browsers have disabled XSS filtering, making this header irrelevant. It has generally been replaced by Content-Security-Policy, which can break inline scripts. Therefore, I don't use the Content-Security-Policy header. See Mozilla X-XSS-Protection
The X-Content-Type-Options response header is a marker used by the server to indicate that the Multipurpose Internet Mail Extensions (MIME) types advertised in the Content-Type headers should not be changed by the browser.
Recommended setting: X-Content-Type-Options: nosniff

See Mozilla Content-Type

MIME sniffing is a technique used by some web browsers to examine the content of a particular asset. This is done for the purpose of determining an asset's file format. (E.g. is the file type jpg or html?)

MIME type examples: Content-Type: image/jpg Content-Type: text/html
If your web server is a Debian/Ubuntu type, then enter the following command to begin entering these settings:

sudo nano /etc/apache2/apache2.conf

Now enter the following code:

#protect against Framejacking attacks
Header always append X-Frame-Options SAMEORIGIN
#add nosniff
Header always set X-Content-Type-Options 'nosniff'

Afterwards, go to /etc/apache2/sites-available and find your ssl.conf file. Enter the following code:

# Strict Transport Security (HSTS) - Guarantee HTTPS for 1 Year including Sub Domains
Header always set Strict-Transport-Security 'max-age=31536000; includeSubDomains'

You can check the status of your website's HTTP headers by using the WebTracker.one whois search.

A search done for this site returns these results:

HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 11 Jul 2022 00:36:10 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Accept-CH: sec-ch-ua, ua, sec-ch-ua-platform, ua-platform, sec-ch-ua-mobile, ua-mobile, sec-ch-ua-full-version, ua-full-version, sec-ch-ua-full-version-list, sec-ch-ua-platform-version, ua-platform-version, sec-ch-ua-arch, ua-arch, sec-ch-ua-bitness, ua-bitness, sec-ch-ua-wow64, sec-ch-ua-model, ua-model, sec-ch-lang, lang, sec-ch-save-data, save-data, sec-ch-width, width, sec-ch-viewport-width, viewport-width, sec-ch-viewport-height, viewport-height, sec-ch-dpr, dpr, sec-ch-device-memory, device-memory, sec-ch-rtt, rtt, sec-ch-downlink, downlink, sec-ch-ect, ect, sec-ch-prefers-color-scheme, sec-ch-prefers-reduced-motion, sec-ch-prefers-reduced-transparency, sec-ch-prefers-contrast, sec-ch-forced-colors
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

     * posted by Robert on Sun, Jul 10, 2022

Return to Weblog



© 2023 WebTracker.one
 
➤