
For which Content-Types should I set security related HTTP response headers?

I've built a web application (with my favourite language Fantom!) and am in the process of locking it down from XSS and other such attacks by supplying industry standard HTTP response headers.

My question is, for which responses should the headers be set?

I could set the headers for every response, but that seems pretty wasteful given most requests will be for images, fonts, stylesheets, etc. The Content-Security-Policy header in particular can get quite lengthy.

As a lot of the headers relate to the owning HTML page (and the JavaScript contained within), I get the feeling most of them need only be set for HTML pages.

I've looked at various resources such as:

  • Content Security Policy
  • HSTS - RFC 6797
  • X-XSS-Protection
  • Mozilla Web Security Guidelines

And while they explain what the headers do, they don't explain for which resources they should be used and served!

I've made a list below of HTTP response headers and the Content-Types with which I think they should be served. But does anyone know if this is correct?

HTTP Response Header       text/html  All Content-Types
-------------------------  ---------  -----------------
Content-Security-Policy        X
Referrer-Policy                               X
Strict-Transport-Security                     X
X-Content-Type-Options                        X
X-Frame-Options                X
X-XSS-Protection               X

(When I say text/html I also include application/xhtml+xml.)

Referrer-Policy is under all content types due to CSS being able to load fonts and images.

Steve Eynon asked Jan 08 '18 13:01



1 Answer

Strict-Transport-Security

In the deployment recommendations of "HSTS Preload List" it is stated:

Add the Strict-Transport-Security header to all HTTPS responses

In Apache this would look like (note I did not include the preload directive; developers should read the HSTS Preload List's deployment recommendations first before adding that):

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>


X-XSS-Protection

If you are using CSP (without allowing 'unsafe-inline') then you probably don't need to worry about X-XSS-Protection anymore:

  • Chrome has an "Intent to Deprecate and Remove the XSS Auditor".
  • Firefox has not, and will not, implement X-XSS-Protection.
  • Edge retired their XSS filter.


Content-Security-Policy (and security-related headers in general)

As a general approach, you'd at least want to add security headers to all (common) MIME-Types that are able to execute scripts:

  • HTML
  • XML
  • JS (JavaScript is only executed in a "browsing context"; however, this is applicable due to JS's ability to create Workers, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers)
  • PDF - Yes really, PDF files can also execute JavaScript.


Also, IMO consider setting a strict Referrer-Policy for ALL responses. I hope this helps :)

Null answered Oct 07 '22 23:10
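As an added example (not code from the question or the answer), here is the per-Content-Type decision the question's table and the answer's refinements describe, written as a small Python function: HSTS on every HTTPS response, Content-Security-Policy on the script-capable types the answer lists (HTML, XML, JS, PDF), X-Frame-Options on HTML only as in the table, Referrer-Policy and X-Content-Type-Options on everything. The CSP value, the SVG/`+xml` generalisation of "XML" and the rule that X-XSS-Protection is only emitted when the CSP allows 'unsafe-inline' are assumptions of this example.

```python
"""Pick security response headers by Content-Type (example, not the page's code)."""

# Media types the answer says can execute script and so need CSP.
# image/svg+xml and the '+xml' suffix rule below are assumptions: SVG is XML
# and may carry <script>, so it is treated like the other XML types.
SCRIPT_CAPABLE = {
    "text/html", "application/xhtml+xml",          # HTML
    "text/xml", "application/xml", "image/svg+xml",  # XML
    "text/javascript", "application/javascript",   # JS (Workers)
    "application/pdf",                             # PDF
}
HTML_TYPES = {"text/html", "application/xhtml+xml"}

# Hypothetical policy; a real deployment tunes this per application.
DEFAULT_CSP = "default-src 'self'; object-src 'none'"


def media_type(content_type: str) -> str:
    """Normalise 'text/html; charset=utf-8' to 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def security_headers(content_type: str, https: bool, csp: str = DEFAULT_CSP) -> dict:
    """Return the headers a response with this Content-Type should carry."""
    headers = {
        # Cheap and harmless on every response, including images and fonts.
        "X-Content-Type-Options": "nosniff",
        # CSS can fetch fonts/images, so the answer sets this on ALL responses.
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if https:
        # HSTS is only honoured on HTTPS responses (preload deployment advice).
        headers["Strict-Transport-Security"] = "max-age=16070400; includeSubDomains"
    mt = media_type(content_type)
    if mt in SCRIPT_CAPABLE or mt.endswith("+xml"):
        headers["Content-Security-Policy"] = csp
        # Legacy XSS auditor only adds value where inline script is allowed;
        # with a strict CSP the answer considers it unnecessary (assumed rule).
        if "'unsafe-inline'" in csp:
            headers["X-XSS-Protection"] = "1; mode=block"
    if mt in HTML_TYPES:
        # Framing protection for the owning page, as in the question's table.
        headers["X-Frame-Options"] = "DENY"
    return headers
```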