Impact: Allows servers to include credentials (cookies, HTTP authentication) in cross-origin requests. Misconfiguring this header can expose sensitive data to unauthorized domains.
Remediation: Set Access-Control-Allow-Credentials to true only when necessary and ensure Access-Control-Allow-Origin is set to specific trusted domains.
Installation:
Linux:
Apache: Add Header set Access-Control-Allow-Credentials "true" in the virtual host or .htaccess.
Nginx: Use add_header Access-Control-Allow-Credentials "true"; in the server block.
Windows:
IIS: Go to HTTP Response Headers and add Access-Control-Allow-Credentials with the value true.
2. Access-Control-Allow-Headers
Impact: Specifies which HTTP headers can be used in cross-origin requests. Allowing too many headers can increase the risk of sensitive data exposure.
Remediation: Limit the headers to those that are necessary for your application, e.g., Access-Control-Allow-Headers: Content-Type, Authorization.
Installation:
Linux:
Apache: Add Header set Access-Control-Allow-Headers "Content-Type, Authorization".
Nginx: Use add_header Access-Control-Allow-Headers "Content-Type, Authorization";.
Windows:
IIS: Under HTTP Response Headers, add Access-Control-Allow-Headers with necessary headers.
3. Access-Control-Allow-Methods
Impact: Specifies the HTTP methods allowed in cross-origin requests. Allowing unnecessary methods may expose the server to security risks.
Remediation: Restrict this header to necessary methods, e.g., Access-Control-Allow-Methods: GET, POST, OPTIONS.
Installation:
Linux:
Apache: Add Header set Access-Control-Allow-Methods "GET, POST, OPTIONS".
Nginx: Use add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";.
Windows:
IIS: In the HTTP Response Headers, add Access-Control-Allow-Methods.
4. Access-Control-Allow-Origin
Impact: Specifies which origins can access the resource. Using * can expose sensitive data to any origin.
Remediation: Set this header to specific trusted origins, e.g., Access-Control-Allow-Origin: https://trusted-site.com.
Installation:
Linux:
Apache: Add Header set Access-Control-Allow-Origin "https://trusted-site.com".
Nginx: Use add_header Access-Control-Allow-Origin "https://trusted-site.com";.
Windows:
IIS: Add Access-Control-Allow-Origin in HTTP Response Headers with the trusted origin.
5. Access-Control-Expose-Headers
Impact: Indicates which headers can be exposed as part of the response, useful in CORS requests. Over-exposing headers can lead to information leakage.
Remediation: Only expose necessary headers, e.g., Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header.
Installation:
Linux:
Apache: Add Header set Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header".
Nginx: Use add_header Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header";.
Windows:
IIS: Add Access-Control-Expose-Headers under HTTP Response Headers.
6. Access-Control-Max-Age
Impact: Specifies how long the results of a preflight request can be cached. If set too high, it may cache outdated policies.
Remediation: Set to a reasonable value in seconds, e.g., Access-Control-Max-Age: 3600 (1 hour).
Installation:
Linux:
Apache: Add Header set Access-Control-Max-Age "3600".
Nginx: Use add_header Access-Control-Max-Age "3600";.
Windows:
IIS: Add Access-Control-Max-Age in HTTP Response Headers with the value 3600.
7. Clear-Site-Data
Impact: Clears browsing data (cookies, storage, cache) associated with the website. Useful for logging out or on error pages.
Remediation: Set Clear-Site-Data with appropriate directives, e.g., Clear-Site-Data: "cache", "cookies", "storage".
Installation:
Linux:
Apache: Add Header set Clear-Site-Data "\"cache\", \"cookies\", \"storage\"".
Nginx: Use add_header Clear-Site-Data "\"cache\", \"cookies\", \"storage\"";.
Windows:
IIS: Add Clear-Site-Data under HTTP Response Headers.
8. Content-Security-Policy
Impact: Prevents XSS, clickjacking, and other code injection attacks by specifying allowed content sources.
Apache: Add Header set Content-Security-Policy "default-src 'self'; script-src 'self';".
Nginx: Use add_header Content-Security-Policy "default-src 'self'; script-src 'self';";.
Windows:
IIS: Add Content-Security-Policy in HTTP Response Headers.
9. Cross-Origin-Embedder-Policy
Impact: Prevents a document from loading cross-origin resources unless explicitly permitted. Protects against resource loading attacks.
Remediation: Set Cross-Origin-Embedder-Policy: require-corp to require all resources to have CORS enabled or be same-origin.
Installation:
Linux:
Apache: Add Header set Cross-Origin-Embedder-Policy "require-corp".
Nginx: Use add_header Cross-Origin-Embedder-Policy "require-corp";.
Windows:
IIS: Add Cross-Origin-Embedder-Policy in HTTP Response Headers.
10. Cross-Origin-Opener-Policy
Impact: Controls how a document interacts with its opener across origins, reducing risks like cross-origin attacks.
Remediation: Set Cross-Origin-Opener-Policy: same-origin to isolate the window from documents from other origins.
Installation:
Linux:
Apache: Add Header set Cross-Origin-Opener-Policy "same-origin".
Nginx: Use add_header Cross-Origin-Opener-Policy "same-origin";.
Windows:
IIS: Add Cross-Origin-Opener-Policy in HTTP Response Headers.
11. Cross-Origin-Resource-Policy
Impact: Prevents other domains from reading the response of the resources it is set on, protecting against unauthorized data access.
Remediation: Set Cross-Origin-Resource-Policy: same-origin for sensitive resources.
Installation:
Linux:
Apache: Add Header set Cross-Origin-Resource-Policy "same-origin".
Nginx: Use add_header Cross-Origin-Resource-Policy "same-origin";.
Windows:
IIS: Add Cross-Origin-Resource-Policy in HTTP Response Headers.
12. Permissions-Policy
Impact: Controls which browser features and APIs can be used in the document or embedded iframes, reducing the risk of feature abuse:contentReference[oaicite:0]{index=0}.
Remediation: Set Permissions-Policy with appropriate directives, e.g., Permissions-Policy: geolocation=(), microphone=(), camera=():contentReference[oaicite:1]{index=1}.
Installation:
Linux:
Apache: Add Header set Permissions-Policy "geolocation=(), microphone=(), camera=()".
Nginx: Use add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";.
Windows:
IIS: Add Permissions-Policy in HTTP Response Headers with the required settings.
13. Referrer-Policy
Impact: Controls the amount of referrer information included in requests, enhancing user privacy and reducing potential information leakage.
Remediation: Use a strict policy, e.g., Referrer-Policy: strict-origin-when-cross-origin, to limit the information sent in the Referer header.
Installation:
Linux:
Apache: Add Header set Referrer-Policy "strict-origin-when-cross-origin".
Nginx: Use add_header Referrer-Policy "strict-origin-when-cross-origin";.
Windows:
IIS: Set Referrer-Policy in HTTP Response Headers.
14. Strict-Transport-Security (HSTS)
Impact: Enforces the use of HTTPS for all future connections to the domain, preventing downgrade attacks and cookie hijacking.
Remediation: Set Strict-Transport-Security to enforce HTTPS, e.g., Strict-Transport-Security: max-age=31536000; includeSubDomains.
Installation:
Linux:
Apache: Add Header set Strict-Transport-Security "max-age=31536000; includeSubDomains".
Nginx: Use add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";.
Windows:
IIS: Add Strict-Transport-Security in HTTP Response Headers.
15. X-Frame-Options
Impact: Prevents clickjacking attacks by controlling whether a browser should be allowed to render a page in a frame or iframe.
Remediation: Set X-Frame-Options to DENY or SAMEORIGIN to control framing, e.g., X-Frame-Options: DENY.
Installation:
Linux:
Apache: Add Header set X-Frame-Options "DENY".
Nginx: Use add_header X-Frame-Options "DENY";.
Windows:
IIS: Add X-Frame-Options in HTTP Response Headers.
16. X-Permitted-Cross-Domain-Policies
Impact: Controls which cross-domain policies the browser should allow, reducing potential attack surfaces.
Remediation: Set X-Permitted-Cross-Domain-Policies to a strict policy, e.g., X-Permitted-Cross-Domain-Policies: none.
Installation:
Linux:
Apache: Add Header set X-Permitted-Cross-Domain-Policies "none".
Nginx: Use add_header X-Permitted-Cross-Domain-Policies "none";.
Windows:
IIS: Add X-Permitted-Cross-Domain-Policies in HTTP Response Headers.
17. X-Content-Type-Options
Impact: Prevents the browser from interpreting files as a different MIME type than what is declared by the server. This is essential to prevent MIME type sniffing, which can lead to security vulnerabilities such as Cross-Site Scripting (XSS) attacks:contentReference[oaicite:0]{index=0}.
Remediation: Set X-Content-Type-Options to nosniff to instruct browsers not to perform MIME type sniffing. This ensures that the browser strictly follows the Content-Type header provided by the server:contentReference[oaicite:1]{index=1}.
Installation:
Linux:
Apache: Add Header set X-Content-Type-Options "nosniff" in your server configuration or .htaccess file.
Nginx: Use add_header X-Content-Type-Options "nosniff"; in the server block or location block of your configuration file.
Windows:
IIS: In the IIS Manager, go to HTTP Response Headers for the specific site and add X-Content-Type-Options with the value nosniff.
