Cytrus Logic regularly does security scans of websites for statistical purposes. In almost 85% of the scans, there are no security headers installed on the sites we scan.
These scans allow us to create statistics and create tools and procedures to better protect our clients and their sites from malicious code and exploits.
Security headers give an extra level of protection to your website.
HTTP Strict Transport Security Header
HSTS (HTTP Strict Transport Security) is an HTTP Header that protects from attacks like cookie hijacking by forcing browsers to use the HTTPS secure protocol if it is available. This means that it forces the site to encrypt the data being sent. This makes it so that people cannot grab the data in transport and get vital information being sent.
Most web hosts do not enforce this by default. In order to turn this feature on you need to add the following to your .htaccess file
<IfModule mod_headers.c> Header set Strict-Transport-Security “max-age=10886400; includeSubDomains; preload” </IfModule>
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed.
Although MIME sniffing can be useful to determine an asset’s correct file format, it can also cause a security vulnerability. This is a serious vulnerability to the site as well as anyone visiting the site. It leaves them open to an XSS(Cross-Site Scripting) attack. This is where malicious code can be inserted and exploit both the site and the user of the site.
To defend against this type of attack you should add the following to the .htaccess file
Header set X-Frame-Options DENY
The HTTP X-XSS-Protection response header is used to tell a browser that if it detects an XSS attack it should immediately stop serving the page. This is important because if an attack attempted and executed both the site and the user could be compromised in the attack.
To turn this header on add the following to your .htaccess file
Header set X-XSS-Protection "1; mode=block"
Now you know how to add security headers to your website! Then make sure they are in place by scanning your site with Website Safeguard.