
How to Implement Security HTTP Headers to Prevent Vulnerabilities

Securing your web applications and APIs against cyber threats should be a top priority. As a fellow cybersecurity geek, I want to provide you with an in-depth guide on properly implementing security HTTP headers to protect your sites and services. Consider this your handbook to locking things down and keeping the hackers at bay!

Why HTTP Security Headers are Essential

Before we dig into the implementation details, it's important to understand why headers like Content-Security-Policy and Strict-Transport-Security should be part of your security strategy.

According to recent statistics compiled by WhiteHat Security, over 83% of websites have at least one serious vulnerability. The most common include XSS, code injection, and TLS/SSL misconfigurations. Many of these can be prevented or substantially mitigated by using proper HTTP headers.

For example, HSTS forces HTTPS connections for an entire domain to prevent man-in-the-middle attacks. X-Frame-Options stops clickjacking by preventing site embedding. And Content-Security-Policy blocks untrusted resources like scripts and stylesheets to stop code injection.

Simply put, security headers configure your site's security posture on behalf of the browser. They restrict risky behaviors and content so the browser is forced to act in a secure manner.

Must-Have HTTP Security Headers

Now that you understand their importance, let's explore some of the most impactful headers:

Strict-Transport-Security

HSTS, as it's commonly called, forces browsers to use HTTPS for the configured domain. Some key points:

  • Specifies a "max-age" in seconds during which the browser must use HTTPS (for example, one year)
  • Applies to the base domain and all subdomains when "includeSubDomains" is set
  • Can be submitted to browser preload lists so the site is treated as HTTPS-only

Example Header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This strengthens TLS security across the entire site.

Content-Security-Policy

CSP mitigates XSS, code injection, data injection and other attacks by restricting a page's resource origins.

  • Defines allowed sources for scripts, stylesheets, fonts, frames, media, etc.
  • Inline code execution is disabled by default.
  • Report-Only mode allows monitoring before enforcing.

Example Header:

Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com; style-src 'self' https://fonts.googleapis.com

This allows scripts only from the same origin and Google APIs, and styles only from the same origin and Google Fonts.

X-Frame-Options

Clickjacking is a technique for tricking users into interacting with an invisible iframe overlay over a page. X-Frame-Options prevents this by restricting iframe embedding.

Example Header:

X-Frame-Options: DENY

This blocks your site from being loaded in any iframe. You can also allow embedding only from the same origin for more granular control.

Referrer-Policy

The Referer header discloses the source page that led to a request, which can leak sensitive information. Referrer-Policy controls how much referrer data is sent.

Example Header:

Referrer-Policy: no-referrer

This strips the referrer header entirely for all outgoing requests from a page. The default is to always send the full URL, which can be risky.
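As an added example that is not part of the original article, here is a small Python audit routine that checks a response's headers against the four policies above (the header names and values are constructed; the thresholds, such as a one-year max-age, follow the article's recommendations):

```python
"""Added example (not from the article): audit a response's security headers."""
from __future__ import annotations

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
RISKY_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}


def hsts_max_age(value: str) -> int | None:
    """Return max-age from an HSTS value, or None if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def csp_directives(value: str) -> dict[str, set[str]]:
    """Parse a CSP value into {directive: {source tokens}}, lower-cased."""
    out: dict[str, set[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = {t.lower() for t in tokens[1:]}
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a header dict (names case-insensitive); [] = all pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = hsts_max_age(hsts)
    if age is None:
        findings.append("HSTS missing or has no valid max-age")
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below one year")
    if hsts and "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = csp_directives(csp)
        # script-src falls back to default-src; neither present means anything goes
        if d.get("script-src", d.get("default-src", {"*"})) & RISKY_SCRIPT_SOURCES:
            findings.append("CSP allows inline, eval, wildcard or data: scripts")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or may leak full URLs cross-origin")
    return findings
```

Feed it the header dict from any HTTP client response (for example `dict(resp.headers)`) to get a list of findings; an empty list means the four policies are present and set as the article recommends.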

Securing Your Web Server

Let's look at how to configure these key headers within common platforms:

Apache

Add the security header directives within the main config file httpd.conf:

<IfModule mod_headers.c>

  Header set Content-Security-Policy "default-src 'self'"
  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header set X-Frame-Options "DENY"
  Header set Referrer-Policy "no-referrer"

</IfModule>

Don't forget to reload Apache after making changes.

Nginx

Insert the header lines within the main server { } block in nginx.conf:

add_header Content-Security-Policy "default-src 'self'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options "DENY";
add_header Referrer-Policy "no-referrer";

Then reload Nginx.

Cloudflare

Most headers can be configured directly within the dashboard. Navigate to "HTTP Headers" and create a new header for each policy required.

Azure Front Door

In the Front Door designer, add a new Rule Set for "Request Header Modification". Create rules to add each of the desired security headers.

Amazon CloudFront

Under "Cache Behaviors" you can add "Cache Policy Headers" for security policies like CSP. Alternately, use Lambda@Edge functions.

Bonus Headers for Locking Down Security

Here are some other powerful headers to consider:

  • X-XSS-Protection – Enables browser built-in XSS attack protections
  • X-Content-Type-Options – Stops MIME sniffing attacks
  • Feature-Policy – Disables browser features like geolocation, camera, microphone, etc.
  • Expect-CT – Enforces Certificate Transparency for strong TLS

I also recommend disabling resource caching for sensitive pages using:

Cache-Control: no-store

And preventing tabnabbing with:

X-Frame-Options: SAMEORIGIN

The more you can lock down with headers, the better!

Putting It All Together

Properly implementing security headers can seem intimidating, but just remember:

  • Enforce TLS and prevent MITM with HSTS
  • Block code injection with strong CSP
  • Disable framing/embedding with X-Frame-Options
  • Limit referrer leakage with Referrer-Policy
  • Consider additional protections like X-XSS-Protection

Taking the time to configure these key headers will significantly strengthen your site's posture against cyber threats. It's an easy "set and forget" way to meaningfully improve security.

Let me know if you have any other questions! I'm always happy to help a fellow geek out.


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.