HTTP headers for security

Browsers, on the one hand, want to protect users and, on the other hand, want to keep life simple for the developers building a site. The compromise they settle on means that, by default, a browser permits certain kinds of attack against your site unless the site itself opts in to stricter behaviour.

To prevent them, add the following headers in your server configuration:

  • Content-Security-Policy: form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests - this header does three things: it allows forms on your site to be submitted only to your own site, it forbids displaying your pages inside an iframe, and it tells the browser to load the page's resources only over a secure protocol.
  • X-Frame-Options - this header is now legacy. Its job is done by the frame-ancestors 'none' directive of the Content-Security-Policy header. When that directive is absent, we check for the presence of this header instead.
  • Access-Control-Allow-Origin must not be equal to *. A wildcard value lets any origin load and read resources from your site.
  • X-Content-Type-Options: nosniff - set this header on HTML, XML, CSS and JavaScript responses. It forbids MIME-type sniffing, that is, the browser guessing the file type on its own and handling the file contrary to the Content-Type header.
  • The Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version headers must be removed. They give a potential attacker information about the software running on your server.
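As an added example (not part of this lesson), here is a small audit routine that applies the rules above to a set of response headers; the two header sets at the bottom are constructed, and `parse_csp`, `audit_headers` and the finding strings are names chosen for this illustration.

```python
# Added example: check a response's headers against the rules in the lesson.
# Header names are matched case-insensitively; the sample header sets are constructed.
from typing import Dict, List

# Content types for which X-Content-Type-Options: nosniff is expected
TEXT_TYPES = ("text/html", "application/xml", "text/xml", "text/css",
              "application/javascript", "text/javascript")
# Headers that leak information about server-side software
LEAKY = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("form-action") != ["'self'"]:
        findings.append("CSP form-action should be 'self'")
    if "frame-ancestors" in csp:
        if csp["frame-ancestors"] != ["'none'"]:
            findings.append("CSP frame-ancestors should be 'none'")
    elif h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        # Legacy fallback: X-Frame-Options only matters when frame-ancestors is absent
        findings.append("no frame-ancestors directive and no X-Frame-Options")
    if "upgrade-insecure-requests" not in csp:
        findings.append("CSP lacks upgrade-insecure-requests")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin is a wildcard")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in TEXT_TYPES and h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for name in LEAKY:
        if name in h:
            findings.append(f"remove information-leaking header {name}")
    return findings

# Constructed sample: a typical unhardened HTML response
WEAK = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx/1.18",
        "Access-Control-Allow-Origin": "*"}
# Constructed sample: the same response with the lesson's headers applied
HARDENED = {"Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests",
            "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```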