Let's take a closer look at some of these security headers and learn how to customize them to better meet your needs.
1. X-Frame-Options

The X-Frame-Options (XFO) header tells the browser how to treat the site's content when it is loaded inside a frame, which protects against clickjacking. Clickjacking occurs when an attacker uses a transparent iframe to trick a visitor into interacting with hidden elements such as buttons. By default, Redirection sets XFO so that the page may not be rendered in a frame at all, regardless of where the framing content comes from (the DENY directive). This protects visitors from clickjacking attacks. If this setting causes usability problems, you can switch to the SAMEORIGIN option. With it, the page may be loaded in a frame only by a page from the same origin as the page itself, so any framing issue must originate in your own content.

You can also select the ALLOW-FROM URI directive. This setting allows the page to be framed only by the specified origin or domain. When this option is selected, a field appears for entering the URI (Uniform Resource Identifier) to be added to the whitelist.

2. X-XSS-Protection

The X-XSS-Protection header stops a page from loading when a cross-site scripting (XSS) attack is detected. After a successful XSS attack, hackers may run malicious code on the server or in visitors' browsers. This includes code that can perform various actions, such as stealing visitors' personal information or redirecting them to completely different websites.
By default, this header is set to 1; mode=block. That is, if an XSS attack is detected, the browser sanitizes the page and prevents it from rendering. The alternatives are 1, which sanitizes the page but does not prevent it from being rendered, and 1; report=<reporting-URI>, which Redirection also supports: it sanitizes the page and additionally reports the violation to the URI given in the report directive.

3. X-Content-Type-Options

This response header indicates that the MIME (Multipurpose Internet Mail Extensions) type advertised in the Content-Type header should not be changed. This can be an important line of defense against MIME sniffing. In that attack, MIME types that are not executable are reinterpreted as executable ones; an attacker can then try to upload malicious content to the website disguised as something harmless. By default, Redirection's X-Content-Type-Options header uses the nosniff directive. With it, a request for a stylesheet is blocked if the MIME type is not text/css, and a request for a script is blocked if the MIME type is not a JavaScript MIME type. With these settings in place, the browser must use the MIME type sent by the origin server.

The nosniff directive also enables CORB (Cross-Origin Read Blocking) protection for several MIME types, including text/html and application/json. CORB is an algorithm that identifies and blocks cross-origin resource loads before they reach the web page. In most browsers this makes it harder for hackers to steal data, because it keeps sensitive information out of untrusted script execution contexts.

4. Content-Security-Policy

Redirection's Content-Security-Policy (CSP) adds an extra layer of security that helps harden the site against several common attacks. By default, Redirection uses:
default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts

This policy indicates that all content must come from the site's own domain, and it defines the valid sources for images and fonts. As a result, the browser may refuse to load untrusted resources. You can also use the sandbox directive to place additional restrictions on the contents of an iframe. As you can see from the Redirection plugin's default, its value is a space-separated list of predefined flags; with sandbox allow-forms allow-scripts, Redirection allows forms to be submitted and scripts to run. Since CSP is a huge topic, it is recommended that you review a complete list of all possible values to see the different security policies you can build.

5. Referrer-Policy

Content usually includes links to external websites. Each time a visitor clicks one of those links, the destination site receives information about where the visitor came from. This referrer data can be very useful for websites trying to understand their traffic. Sometimes, however, you may need to limit the amount of information shared with these third parties. This is particularly important when the source URL contains sensitive data that identifies users. If personal information leaks between origins, the privacy of your audience is compromised and hackers have more information to work with. The Referrer-Policy header lets you control how much data is transmitted in the Referer header. By default, the Redirection plugin uses the no-referrer-when-downgrade value. With it, the browser sends no Referer header when moving from HTTPS to less secure HTTP. You can replace no-referrer-when-downgrade with various alternative values; for example, no-referrer instructs the browser never to send a Referer header for requests originating from the site. To learn more about the Referrer-Policy values, see the MDN web documentation.
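The checks described for the first three headers, as an added example in Python that is not code from the Redirection plugin or from the article: it classifies an X-Frame-Options value, parses the 1, 1; mode=block and 1; report= forms of X-XSS-Protection, applies the nosniff rule for stylesheet and script loads, and runs a small audit over a set of response headers. The sample responses, the audit function and the abridged JavaScript MIME list are constructed for illustration.

```python
"""Audit X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.

Added example; not code from the Redirection plugin or the article.
The sample responses below are constructed for illustration.
"""
import re

# Abridged set of JavaScript MIME types a browser accepts for a script load
# (the full list in the MIME Sniffing standard is longer).
JS_MIME_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript", "text/jscript",
}

XSS_RE = re.compile(r"^\s*([01])\s*(?:;\s*(mode=block|report=(\S+)))?\s*$", re.IGNORECASE)


def check_frame_options(value):
    """Classify an X-Frame-Options value as DENY, SAMEORIGIN or ALLOW-FROM <uri>."""
    v = value.strip()
    if v.upper() == "DENY":
        return ("deny", None)
    if v.upper() == "SAMEORIGIN":
        return ("sameorigin", None)
    m = re.match(r"ALLOW-FROM\s+(\S+)$", v, re.IGNORECASE)
    if m:
        return ("allow-from", m.group(1))
    return ("invalid", v)


def check_xss_protection(value):
    """Parse X-XSS-Protection into (enabled, mode, report_uri); None if malformed.

    Modes: 'block' (1; mode=block: page is not rendered), 'report' (1; report=uri:
    sanitize and report), 'filter' (bare 1: sanitize but still render), 'off' (0).
    Current browsers ignore this header, so it only helps older clients.
    """
    m = XSS_RE.match(value)
    if not m:
        return None
    if m.group(1) == "0":
        return (False, "off", None)
    directive = (m.group(2) or "").lower()
    if directive == "mode=block":
        return (True, "block", None)
    if directive.startswith("report="):
        return (True, "report", m.group(3))
    return (True, "filter", None)


def nosniff_blocks(destination, content_type):
    """Apply the nosniff rule the article describes to one resource load.

    A 'style' destination must be served as text/css and a 'script' destination
    with a JavaScript MIME type; any other pairing is blocked. Other
    destinations are not affected by this rule.
    """
    essence = content_type.split(";")[0].strip().lower()  # drop parameters such as charset
    if destination == "style":
        return essence != "text/css"
    if destination == "script":
        return essence not in JS_MIME_TYPES
    return False


def audit(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: any site may frame this page (clickjacking)")
    else:
        kind, arg = check_frame_options(xfo)
        if kind == "invalid":
            findings.append(f"X-Frame-Options not recognised: {arg!r}")
        elif kind == "allow-from":
            findings.append(f"X-Frame-Options ALLOW-FROM {arg}: legacy directive, not honoured by every browser")

    xss = h.get("x-xss-protection")
    if xss is not None:
        parsed = check_xss_protection(xss)
        if parsed is None:
            findings.append(f"X-XSS-Protection not recognised: {xss!r}")
        elif parsed[1] == "filter":
            findings.append("X-XSS-Protection is bare 1: page is sanitized but still rendered")

    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff: browsers may MIME-sniff responses")

    return findings


# Constructed sample responses: Redirection's defaults versus a weak configuration.
SECURE_RESPONSE = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
WEAK_RESPONSE = {
    "X-XSS-Protection": "1",
    "X-Content-Type-Options": "none",
}

if __name__ == "__main__":
    for name, resp in (("secure", SECURE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, audit(resp) or ["no findings"])
    print("style served as text/plain blocked:", nosniff_blocks("style", "text/plain"))
```

Running the script prints no findings for the default configuration and three for the weak one (no X-Frame-Options, a bare 1 for X-XSS-Protection, and a missing nosniff). The audit treats the absence of X-XSS-Protection as acceptable because current browsers no longer act on it.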
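The Content-Security-Policy and Referrer-Policy sections above, as an added example in Python that is not code from the Redirection plugin or the article: it parses the plugin's default CSP (the policy string quoted above) into its directives, flags the source expressions that weaken it, and models what a browser puts in the Referer header under each standard Referrer-Policy value. It goes beyond the two values the article names and implements all eight listed in the MDN documentation; the URLs are constructed samples.

```python
"""Parse a Content-Security-Policy and model Referrer-Policy behaviour.

Added example; not code from the Redirection plugin or the article. The policy
string is the plugin default quoted above; the URLs are constructed samples.
"""
from urllib.parse import urlsplit, urlunsplit

# Redirection's default CSP as quoted in the article.
REDIRECTION_DEFAULT_CSP = (
    "default-src 'self'; "
    "script-src 'unsafe-inline' 'unsafe-eval' http:; "
    "style-src 'unsafe-inline' http:; "
    "img-src http: data:; "
    "font-src http: data:; "
    "sandbox allow-forms allow-scripts"
)

# Source expressions that widen a directive enough to deserve review.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "data:"}


def parse_csp(policy):
    """Split a CSP header value into {directive: [values]}; directive names are lower-cased."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def risky_sources(directives):
    """Return {directive: [values]} for source directives that contain RISKY_SOURCES.

    'unsafe-inline' and 'unsafe-eval' re-enable inline and eval'd script, which
    is what CSP exists to block; scheme-only sources such as http: or data:
    allow content from any host using that scheme. The sandbox directive holds
    flags rather than sources, so it is skipped.
    """
    return {
        name: [v for v in values if v in RISKY_SOURCES]
        for name, values in directives.items()
        if name != "sandbox" and any(v in RISKY_SOURCES for v in values)
    }


def referrer_sent(policy, referring_url, target_url):
    """Return the Referer value a browser sends for a navigation, or None.

    Implements the eight standard Referrer-Policy values (the article names only
    no-referrer-when-downgrade and no-referrer). A 'downgrade' is a move from
    HTTPS to HTTP; 'full' is the referring URL with its fragment removed.
    """
    src, dst = urlsplit(referring_url), urlsplit(target_url)
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    origin = f"{src.scheme}://{src.netloc}/"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    policy = policy.strip().lower()
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


if __name__ == "__main__":
    parsed = parse_csp(REDIRECTION_DEFAULT_CSP)
    print("directives:", parsed)
    print("worth reviewing:", risky_sources(parsed))
    # Constructed URLs: an account page whose query string identifies the user.
    page = "https://shop.example/account?id=42#orders"
    for target in ("http://partner.example/", "https://partner.example/"):
        print(target, "->", referrer_sent("no-referrer-when-downgrade", page, target))
```

The CSP check shows why the default policy is only a starting point: script-src and style-src carry 'unsafe-inline' (and script-src 'unsafe-eval'), and every source directive allows http:, so the policy mostly restricts the origin of content rather than inline code. The referrer model shows that no-referrer-when-downgrade still sends the full URL, including the identifying query string, to an HTTPS third party; a stricter value such as strict-origin-when-cross-origin reduces that to the origin.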
Conclusion

Website owners should protect their CMS from widespread attacks. HTTP security headers restrict what the server and the browser are allowed to do, which is very important for protecting the site from major security threats. To summarize, the five HTTP security headers that can be added to a site with the Redirection plugin are X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy. Do you have any questions about these HTTP security headers? Ask them in the comments section below!