HTTP Security Response Headers
Mohammad Hossein Rouhani
HTTP Strict Transport Security
The HTTP Strict Transport Security (HSTS) response header forces the browser to use an
HTTPS connection for every request to the site, including all of the assets of the web page.
Header values
– max-age
– includeSubDomains
– preload
Example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options
The X-Frame-Options security-related response header prevents a third party from
rendering the website's content inside an iframe on another website.
Header values
– SAMEORIGIN
– ALLOW-FROM
– DENY
Example:
X-Frame-Options: DENY
X-XSS-Protection
It is intended to prevent XSS (Cross-site Scripting) attacks. Cross-site Scripting
injects malicious JavaScript code into the website's JavaScript files in order to
gather information about the website's users.
Header values
– 0
– 1
– 1; mode=block
Example:
X-XSS-Protection: 1; mode=block
X-Content-Type-Options
X-Content-Type-Options is a security-related response header that protects web
users and websites against Multipurpose Internet Mail Extensions (MIME) type
confusion attacks, in which the browser sniffs a different content type than the server declared.
Example:
X-Content-Type-Options: nosniff
Content-Security-Policy
Content Security Policy (CSP) is a response header that defends against XSS
attacks and clickjacking. CSP is a detailed, security-focused policy mechanism
for websites.
Example:
Content-Security-Policy: default-src 'self' https://holisticseo.digital; connect-src 'none';
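How a browser evaluates the policy above at load time, as an added example that is not part of the original deck. It parses the directive list, applies the fall-back from fetch directives to default-src, and matches the 'self', 'none', '*', scheme-source and host-source forms; the page URL is an assumed sample, and nonces, hashes and path matching are left out.

```python
"""Evaluate a Content-Security-Policy the way a browser does for a resource load.
Added example, not code from the slides.  Covers directive parsing, the fall-back
of fetch directives to default-src, and 'self' / 'none' / '*' / scheme-source /
host-source matching.  Nonces, hashes, path matching, report-uri and non-fetch
directives such as frame-ancestors are deliberately not modelled."""
from __future__ import annotations

from urllib.parse import urlsplit

DECK_POLICY = "default-src 'self' https://holisticseo.digital; connect-src 'none';"
PAGE_URL = "https://holisticseo.digital/page"   # constructed sample document URL

# Fetch directives that inherit default-src when they are not set (subset of CSP3).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
}
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict[str, list[str]]:
    """'name src src; name src' -> {name: [sources]}; a repeated directive keeps its first value."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _origin(url: str) -> tuple[str, str, int]:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(scheme, 0)


def _source_matches(source: str, resource: str, page: str) -> bool:
    """Does one source expression permit loading `resource` from document `page`?"""
    if source == "'none'":
        return False
    res_scheme, res_host, res_port = _origin(resource)
    page_scheme = _origin(page)[0]
    if source == "'self'":
        return _origin(resource) == _origin(page)
    if source == "*":
        return res_scheme in {page_scheme, "https"}  # wildcard does not admit arbitrary schemes
    if source.endswith(":"):                          # scheme-source such as https:
        return res_scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; path matching is left out here.
    # Other keywords ('unsafe-inline', nonces, hashes) fall through and never match
    # a URL, which is correct: they govern inline code, not URL loads.
    if "://" in source:
        scheme, _, rest = source.partition("://")
        allowed_schemes = {scheme.lower()}
    else:
        rest, allowed_schemes = source, {page_scheme, "https"}  # http pages may upgrade to https
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    if res_scheme not in allowed_schemes:
        return False
    if port and port != "*" and res_port != int(port):
        return False
    if host.startswith("*."):
        return res_host.endswith(host[1:])  # *.example.com matches a.example.com, not example.com
    return res_host == host


def is_allowed(policy: dict[str, list[str]], directive: str, resource: str, page: str) -> bool:
    """Would a browser enforcing `policy` load `resource` under `directive` on `page`?"""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")   # an explicitly set directive never falls back
    if sources is None:
        return True                            # nothing in the policy governs this load
    return any(_source_matches(s, resource, page) for s in sources)


if __name__ == "__main__":
    policy = parse_csp(DECK_POLICY)
    for directive, url in [("script-src", "https://holisticseo.digital/app.js"),
                           ("script-src", "https://cdn.third-party.example/x.js"),
                           ("connect-src", "https://holisticseo.digital/api")]:
        verdict = "allowed" if is_allowed(policy, directive, url, PAGE_URL) else "blocked"
        print(f"{directive:12} {url} -> {verdict}")
```

Note that connect-src 'none' blocks even same-origin XHR/fetch calls: an explicit directive replaces default-src rather than adding to it.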
Referrer Policy
The Referrer-Policy response header controls how much referrer information is
disclosed when a user follows a link to a new domain. It determines what
information about the referring domain is shared with the destination.
Example (the equivalent meta tag form of the policy):
<meta name="referrer" content="origin">
Header values
• no-referrer
• no-referrer-when-downgrade
• origin
• origin-when-cross-origin
• same-origin
• strict-origin
• strict-origin-when-cross-origin
• unsafe-url
Feature Policy
Feature-Policy is a security-related HTTP response header similar to
Permissions-Policy. The main difference between the two headers is that
Feature-Policy applies only to the website's own content and its frames, while
Permissions-Policy can be effective for all of the websites.
Example:
Feature-Policy: autoplay 'none'
Feature-Policy: geolocation="https://google-developers.appspot.com"
Expect-CT
The Expect-CT HTTP header makes a website opt in to Certificate Transparency
requirements. If the website presents a certificate that violates those
requirements, the violation is reported to the report URI.
Header values
• report-uri
• max-age
• enforce
Example:
Expect-CT: max-age=86400, enforce, report-uri="https://report.example/"
Clear-Site-Data
When a user logs out of a website, the site can clear all of its related cookies
and caches through the log-out page. Clear-Site-Data lets web developers control
the cache, cookies, and storage that the website holds on users' devices and web
browsers.
Example:
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
Header values
• cache
• executionContexts
• cookies
• storage
• localStorage
• *
Cross-Origin-Embedder-Policy
The Cross-Origin-Embedder-Policy (COEP) response header prevents an HTML
document from loading a cross-origin resource that has not explicitly granted
the document permission. The Cross-Origin-Embedder-Policy security response
header has two directives.
Header values
• require-corp
• same-origin
Example:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy
A web browser can group different windows within the same browsing context
group. If a second document is opened from a first document, it can make
requests to the previous document's resources. Thus, using noreferrer and
noopener on such links is important in the same context.
Example:
Cross-Origin-Opener-Policy: same-origin
Header values
• unsafe-origin
• same-origin-allow-popups
• same-origin
Cross-Origin-Resource-Policy
The Cross-Origin-Resource-Policy header has three directives: same-site,
same-origin, and cross-origin. They restrict a given resource to being loaded
by the same website, by the same origin, or by any origin.
Example:
Cross-Origin-Resource-Policy: same-origin
Header values
• same-site
• same-origin
• cross-origin
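A single offline audit over the headers this deck covers, as an added example that is not the deck's own code. `check_headers` takes a response header map and reports missing or weak values for HSTS (max-age, includeSubDomains, preload), X-Frame-Options, X-Content-Type-Options, CSP presence, X-XSS-Protection, Referrer-Policy and the three Cross-Origin-* headers; the two header sets inside are constructed samples, and the accepted values are the spec spellings.

```python
"""Offline audit of the response headers this deck covers.  Added example, not
code from the slides: `check_headers` takes a header map (as a framework test
client or a fetched response gives you) and returns findings, so it can run in
CI against staging.  The two header sets below are constructed samples."""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds: the deck's HSTS max-age and the preload-list minimum
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
# Spec spellings; the deck's COOP "unsafe-origin" and COEP "same-origin" are not
# valid values, the ones below are.
CROSS_ORIGIN_POLICIES = {
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp", "credentialless"},
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
}

GOOD_HEADERS = {  # constructed sample: every check passes
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}
WEAK_HEADERS = {  # constructed sample: a partial, misconfigured deployment
    "Strict-Transport-Security": "max-age=300; preload",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}


def parse_hsts(value: str) -> dict[str, str | None]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': None}"""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if (d.get("max-age") or "").isdigit() else -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains, so subdomains are not covered")
        if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
            findings.append("HSTS preload needs max-age >= 1 year and includeSubDomains")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in {"DENY", "SAMEORIGIN"}:
        # ALLOW-FROM never had cross-browser support; CSP frame-ancestors replaces it
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got {xfo or 'nothing'!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing possible)")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        # Current Chromium and Firefox ignore this header; only old browsers honour it
        findings.append("X-XSS-Protection is a legacy header; rely on CSP rather than the auditor")

    rp = h.get("referrer-policy", "").lower()
    if rp not in REFERRER_POLICIES:
        findings.append(f"Referrer-Policy missing or unknown: {rp!r}")
    elif rp in {"unsafe-url", "no-referrer-when-downgrade"}:
        findings.append(f"Referrer-Policy {rp} sends full URLs (paths, query strings) cross-origin")

    for name, valid in CROSS_ORIGIN_POLICIES.items():
        val = h.get(name, "").lower()
        if val not in valid:
            findings.append(f"{name} missing or invalid: {val!r}")
    return findings
```

Run `check_headers` on the headers of every route in a test suite, not only the home page: error pages and API responses are where one of these headers is most often forgotten.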
Read More
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://www.holisticseo.digital/technical-seo/http-header/response/security
