There are a lot of things to consider to when securing your website or web application, but most people forgetting about securing HTTP Response Headers. In many cases they are very easy to implement and only require a simple web server configuration change (or event PHP header implementation).
What are HTTP Security Headers Exactly?
When a user tries to access a page, his browser requests it from a web server. The server then responds with the content along with appropriate HTTP Response Headers which contain meta data, status error codes, cache rules and so on. A big subset of those headers are security headers which instruct your browser exactly how to behave when it handles your website’s content and data.
Top HTTP security headers list
|Strict Transport Security (HSTS)||Strict-Transport-Security enforces the use of HTTPS. This is important because it protects against passive eavesdropper and man-in-the-middle (MITM) attacks.|
|X-Frame-Options||X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.|
|X-XSS-Protection||X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input.|
|X-Content-Type-Options||X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.|
|Public-Key-Pins||The Public Key Pinning Extension for HTML5 (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.|
|X-Permitted-Cross-Domain-Policies||X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.|
|Referrer-Policy||Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.|
|Expect-CT||Certificate Transparency policy means that user-agents, e.g. browsers should block an access to a website with a certificate that is not registered in public CT logs (after October 2017).|