Adam Cassar

Co-Founder

Traditionally, web security has focused on the server side: protecting the application itself from attack. That work is necessary, but it often leaves the client side under-specified. Client-side attacks move the exposure point into the user's browser, where the business impact can be serious.

Magecart attacks are a clear example. Attackers inject skimming scripts into websites to steal sensitive customer information, such as credit card details, directly from the user's browser. Session hijacking and Cross-Site Scripting (XSS) attacks likewise play out in the browser, leading to unauthorised access and data breaches. These attacks don't just put user data at risk; they can erode trust, damage reputations, and result in significant financial and legal repercussions for businesses.

HTTP security headers are practical controls for these types of attacks. Properly implemented, they instruct browsers on how to handle website content and interactions safely.

Key HTTP Security Headers

Content-Security-Policy (CSP)

Purpose: CSP mitigates Cross-Site Scripting (XSS) attacks by specifying which sources the browser may load scripts, images, and other resources from. It can also blunt Magecart-style attacks by restricting the host names that an injected script is allowed to communicate with.

Content-Security-Policy: script-src 'self' https://apis.google.com;

This example allows scripts to load only from the site's own origin ('self') and https://apis.google.com. Note that it only governs scripts; images, styles and connections remain unrestricted unless their own directives (or a default-src fallback) are also set.

X-Frame-Options

Purpose: This header protects against clickjacking attacks by controlling whether a browser allows a page to be rendered in a <frame>, <iframe>, <embed>, or <object>.

X-Frame-Options: DENY

This setting prevents any domain from framing the content. Another option is SAMEORIGIN, which only allows framing by pages from the same origin.

X-Content-Type-Options

Purpose: This header prevents MIME sniffing, where a browser guesses the content type of a resource instead of trusting the declared one, for example treating an uploaded file as executable script.

X-Content-Type-Options: nosniff

This instructs the browser to follow the content type declared in the HTTP headers.

X-XSS-Protection

Purpose: This enables the XSS protection built into older browsers. The header is deprecated in favour of CSP, and most current browsers no longer act on it.

X-XSS-Protection: 1; mode=block

This configuration enables the protection and tells the browser to block the page if an XSS attack is detected.

Strict-Transport-Security (HSTS)

Purpose: HSTS tells the browser to use HTTPS instead of HTTP for the site, ensuring encrypted communication and protecting against man-in-the-middle downgrade attacks. Alternatively, or in addition, you can redirect all requests to HTTPS on your web server or at your edge provider. For example, Peakhour allows you to set up edge redirects to force all traffic to HTTPS.

Strict-Transport-Security: max-age=31536000; includeSubDomains

This example tells the browser to use HTTPS for this host and all of its subdomains for one year (31536000 seconds).

Conclusion

Implementing the correct HTTP security headers is a straightforward way to improve web application security. These headers form part of the first line of defence against many common security vulnerabilities. As threats evolve, keeping security headers current and properly configured helps safeguard your users and your brand.