Menu
I've built a web application (with my favourite language Fantom!) and am in the process of locking it down from XSS and other such attacks by supplying industry standard HTTP response headers.
My question is, for which responses should the headers be set?
I could set the headers for every response, but that seems pretty wasteful given most requests will be for images, fonts, stylesheets, etc.. The Content-Security-Policy header in particular can get quite lengthy.
As a lot of the headers relate to the owning HTML page (and the Javascript contained within), I get the feeling most of them need only be set for HTML pages.
I've looked at various resources such as:
And while they explain what the headers do, they don't explain for which resources they should be used and served for!
I've made a list below of HTTP response headers and for which Content-Types I think they should be served with. But does anyone know if this is correct?
HTTP Response Header text/html All Content-Types
------------------------- --------- -----------------
Content-Security-Policy X
Referrer-Policy X
Strict-Transport-Security X
X-Content-Type-Options X
X-Frame-Options X
X-XSS-Protection X
(When I say text/html I also include application/xhtml+xml.)
Referrer-Policy is under all content types due to CSS being able to load fonts and images.
708
Request headers contain more information about the resource to be fetched, or about the client requesting the resource. Response headers hold additional information about the response, like its location or about the server providing it.
The Content-Type representation header is used to indicate the original media type of the resource (prior to any content encoding applied for sending). In responses, a Content-Type header provides the client with the actual content type of the returned content.
The HTTP headers are used to pass additional information between the clients and the server through the request and response header. All the headers are case-insensitive, headers fields are separated by colon, key-value pairs in clear-text string format.
Strict-Transport-SecurityIn the deployment recommendations of "HSTS Preload List" it is stated:
Add the
Strict-Transport-Securityheader to all HTTPS responses
In apache this would look like (note I did not include the preload directive, developers should read the HSTS Preload List's deployment recommendations first before adding that):
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>
X-XSS-ProtectionIf you are using CSP (without allowing 'unsafe-inline') then you probably don't need to worry about X-XSS-Protection anymore:
X-XSS-Protection.Content-Security-Policy (and security-related headers in general)As a general approach, you'd at least want to add security headers to all (common) MIME-Types that are able to execute scripts:
Also, IMO consider setting a strict Referrer-Policy for ALL responses. I hope this helps :)
118
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
