Welcome to the 19th part of our Cybersecurity series! We have learned about many active attacks like XSS, CSRF, and SSRF. But did you know that you can prevent many of these attacks just by adding a few lines of configuration to your server? Today, we are talking about HTTP Security Headers.
What are HTTP Security Headers?
When you visit a website, the server sends a response. Along with the content (HTML), it sends "Headers"—hidden instructions for the browser. Security Headers tell the browser how to behave securely, preventing hackers from exploiting common web flaws.
Top 5 Security Headers Every Site Needs
To get an "A+" grade in security audits, you must implement these headers:
1. Content Security Policy (CSP)
This is the most powerful header. It tells the browser which sources of scripts, images, and styles are trusted.
Prevents: Cross-Site Scripting (XSS).
Example:
Content-Security-Policy: default-src 'self';(Only allow content from the same domain).
2. Strict-Transport-Security (HSTS)
This forces the browser to communicate only over HTTPS (encrypted), even if the user tries to visit the HTTP version.
Prevents: Man-in-the-Middle (MITM) attacks and SSL stripping.
3. X-Frame-Options
This header tells the browser whether your site can be put inside an <iframe>.
Prevents: Clickjacking attacks.
Example:
X-Frame-Options: DENY
4. X-Content-Type-Options
It stops the browser from "guessing" the type of file (MIME-sniffing).
Prevents: Attackers from uploading a malicious script disguised as an image.
Example:
X-Content-Type-Options: nosniff
5. Referrer-Policy
This controls how much information is shared in the Referer header when a user clicks a link to another site.
Prevents: Leaking sensitive internal URLs or tokens to third-party sites.
Hands-on: How to Check Your Site's Headers
You don't need expensive tools to test this. You can do it right now!
Using Browser DevTools:
Right-click on your site and select Inspect.
Go to the Network tab and refresh the page.
Click on the first request (your domain) and look at the Headers > Response Headers section.
Using SecurityHeaders.com:
Go to SecurityHeaders.com.
Enter your blog URL and click "Scan".
It will give you a grade from A+ to F based on your headers.
How to Implement Security Headers? (The Defense)
If you are using a professional server (Apache/Nginx) or a platform like Cloudflare, adding these is easy.
For Apache (.htaccess):
Header set X-Frame-Options "DENY" Header set X-Content-Type-Options "nosniff"For Nginx:
add_header X-Frame-Options "DENY"; add_header X-Content-Type-Options "nosniff";
Conclusion
Security Headers are like the "safety belt" of a car. They don't stop the accident from happening (the bug in the code), but they prevent the user from getting hurt (the attack from succeeding). Every professional web developer and pentester must know how to audit these.

Comments
Post a Comment