Security headers

Table of Contents

• 1. Access-Control-Allow-Credentials
• 2. Access-Control-Allow-Headers
• 3. Access-Control-Allow-Methods
• 4. Access-Control-Allow-Origin
• 5. Access-Control-Expose-Headers
• 6. Access-Control-Max-Age
• 7. Clear-Site-Data
• 8. Content-Security-Policy
• 9. Cross-Origin-Embedder-Policy
• 10. Cross-Origin-Opener-Policy
• 11. Cross-Origin-Resource-Policy
• 12. Permission-Policy
• 13. Referrer-Policy
• 14. Strict-Transport-Security (HSTS)
• 15. X-Frame-Options
• 16. X-Permitted-Cross-Domain-Policies

1. Access-Control-Allow-Credentials

• Impact: Allows servers to include credentials (cookies, HTTP authentication) in cross-origin requests. Misconfiguring this header can expose sensitive data to unauthorized domains【9†source】.domains.
• Remediation: Set Access-Control-Allow-Credentials to true only when necessary and ensure Access-Control-Allow-Origin is set to specific trusted domains【10†source】.domains.
• Installation:
  • Linux:
    • Apache: Add Header set Access-Control-Allow-Credentials "true" in the virtual host or .htaccess.
    • Nginx: Use add_header Access-Control-Allow-Credentials "true"; in the server block.
  • Windows:
    • IIS: Go to HTTP Response Headers and add Access-Control-Allow-Credentials with the value true.

2. Access-Control-Allow-Headers

• Impact: Specifies which HTTP headers can be used in cross-origin requests. Allowing too many headers can increase the risk of sensitive data exposure【9†source】.exposure.
• Remediation: Limit the headers to those that are necessary for your application, e.g., Access-Control-Allow-Headers: Content-Type, Authorization【10†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Access-Control-Allow-Headers "Content-Type, Authorization".
    • Nginx: Use add_header Access-Control-Allow-Headers "Content-Type, Authorization";.
  • Windows:
    • IIS: Under HTTP Response Headers, add Access-Control-Allow-Headers with necessary headers.

3. Access-Control-Allow-Methods

• Impact: Specifies the HTTP methods allowed in cross-origin requests. Allowing unnecessary methods may expose the server to security risks【9†source】.risks.
• Remediation: Restrict this header to necessary methods, e.g., Access-Control-Allow-Methods: GET, POST, OPTIONS【10†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Access-Control-Allow-Methods "GET, POST, OPTIONS".
    • Nginx: Use add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";.
  • Windows:
    • IIS: In the HTTP Response Headers, add Access-Control-Allow-Methods.

4. Access-Control-Allow-Origin

• Impact: Specifies which origins can access the resource. Using * can expose sensitive data to any origin【9†source】.origin.
• Remediation: Set this header to specific trusted origins, e.g., Access-Control-Allow-Origin: https://trusted-site.com【10†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Access-Control-Allow-Origin "https://trusted-site.com".
    • Nginx: Use add_header Access-Control-Allow-Origin "https://trusted-site.com";.
  • Windows:
    • IIS: Add Access-Control-Allow-Origin in HTTP Response Headers with the trusted origin.

5. Access-Control-Expose-Headers

• Impact: Indicates which headers can be exposed as part of the response, useful in CORS requests. Over-exposing headers can lead to information leakage【9†source】.leakage.
• Remediation: Only expose necessary headers, e.g., Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header【10†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header".
    • Nginx: Use add_header Access-Control-Expose-Headers "Content-Length, X-My-Custom-Header";.
  • Windows:
    • IIS: Add Access-Control-Expose-Headers under HTTP Response Headers.

6. Access-Control-Max-Age

• Impact: Specifies how long the results of a preflight request can be cached. If set too high, it may cache outdated policies【9†source】.policies.
• Remediation: Set to a reasonable value in seconds, e.g., Access-Control-Max-Age: 3600 (1 hour)【10†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Access-Control-Max-Age "3600".
    • Nginx: Use add_header Access-Control-Max-Age "3600";.
  • Windows:
    • IIS: Add Access-Control-Max-Age in HTTP Response Headers with the value 3600.

7. Clear-Site-Data

• Impact: Clears browsing data (cookies, storage, cache) associated with the website. Useful for logging out or on error pages【9†source】.pages.
• Remediation: Set Clear-Site-Data with appropriate directives, e.g., Clear-Site-Data: "cache", "cookies", "storage"【9†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Clear-Site-Data "\"cache\", \"cookies\", \"storage\"".
    • Nginx: Use add_header Clear-Site-Data "\"cache\", \"cookies\", \"storage\"";.
  • Windows:
    • IIS: Add Clear-Site-Data under HTTP Response Headers.

8. Content-Security-Policy

• Impact: Prevents XSS, clickjacking, and other code injection attacks by specifying allowed content sources【9†source】.sources.
• Remediation: Define strict rules for content sources, e.g., Content-Security-Policy: default-src 'self'; script-src 'self';【9†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Content-Security-Policy "default-src 'self'; script-src 'self';".
    • Nginx: Use add_header Content-Security-Policy "default-src 'self'; script-src 'self';";.
  • Windows:
    • IIS: Add Content-Security-Policy in HTTP Response Headers.

9. Cross-Origin-Embedder-Policy

• Impact: Prevents a document from loading cross-origin resources unless explicitly permitted. Protects against resource loading attacks【9†source】.attacks.
• Remediation: Set Cross-Origin-Embedder-Policy: require-corp to require all resources to have CORS enabled or be same-origin【9†source】.origin.
• Installation:
  • Linux:
    • Apache: Add Header set Cross-Origin-Embedder-Policy "require-corp".
    • Nginx: Use add_header Cross-Origin-Embedder-Policy "require-corp";.
  • Windows:
    • IIS: Add Cross-Origin-Embedder-Policy in HTTP Response Headers.

10. Cross-Origin-Opener-Policy

• Impact: Controls how a document interacts with its opener across origins, reducing risks like cross-origin attacks【9†source】.attacks.
• Remediation: Set Cross-Origin-Opener-Policy: same-origin to isolate the window from documents from other origins【9†source】.origins.
• Installation:
  • Linux:
    • Apache: Add Header set Cross-Origin-Opener-Policy "same-origin".
    • Nginx: Use add_header Cross-Origin-Opener-Policy "same-origin";.
  • Windows:
    • IIS: Add Cross-Origin-Opener-Policy in HTTP Response Headers.

11. Cross-Origin-Resource-Policy

• Impact: Prevents other domains from reading the response of the resources it is set on, protecting against unauthorized data access【9†source】.access.
• Remediation: Set Cross-Origin-Resource-Policy: same-origin for sensitive resources【9†source】.resources.
• Installation:
  • Linux:
    • Apache: Add Header set Cross-Origin-Resource-Policy "same-origin".
    • Nginx: Use add_header Cross-Origin-Resource-Policy "same-origin";.
  • Windows:
    • IIS: Add Cross-Origin-Resource-Policy in HTTP Response Headers.

12. Permission-Policy

• Impact: Controls which browser features and APIs can be used in the document or embedded iframes, reducing the risk of feature abuse【9†source】.abuse.
• Remediation: Set Permission-Policy with appropriate directives, e.g., Permission-Policy: geolocation=(), microphone=(), camera=()【9†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Permission-Policy "geolocation=(), microphone=(), camera=()".
    • Nginx: Use add_header Permission-Policy "geolocation=(), microphone=(), camera=()";.
  • Windows:
    • IIS: Add Permission-Policy in HTTP Response Headers with the required settings.

13. Referrer-Policy

• Impact: Controls the amount of referrer information included in requests, enhancing user privacy and reducing potential information leakage【9†source】.leakage.
• Remediation: Use a strict policy, e.g., Referrer-Policy: strict-origin-when-cross-origin, to limit the information sent in the Referer header【9†source】.header.
• Installation:
  • Linux:
    • Apache: Add Header set Referrer-Policy "strict-origin-when-cross-origin".
    • Nginx: Use add_header Referrer-Policy "strict-origin-when-cross-origin";.
  • Windows:
    • IIS: Set Referrer-Policy in HTTP Response Headers.

14. Strict-Transport-Security (HSTS)

• Impact: Enforces the use of HTTPS for all future connections to the domain, preventing downgrade attacks and cookie hijacking【9†source】.hijacking.
• Remediation: Set Strict-Transport-Security to enforce HTTPS, e.g., Strict-Transport-Security: max-age=31536000; includeSubDomains【9†source】.
• Installation:
  • Linux:
    • Apache: Add Header set Strict-Transport-Security "max-age=31536000; includeSubDomains".
    • Nginx: Use add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";.
  • Windows:
    • IIS: Add Strict-Transport-Security in HTTP Response Headers.

15. X-Frame-Options

• Impact: Prevents clickjacking attacks by controlling whether a browser should be allowed to render a page in a frame or iframe【9†source】.iframe.
• Remediation: Set X-Frame-Options to DENY or SAMEORIGIN to control framing, e.g., X-Frame-Options: DENY【9†source】.
• Installation:
  • Linux:
    • Apache: Add Header set X-Frame-Options "DENY".
    • Nginx: Use add_header X-Frame-Options "DENY";.
  • Windows:
    • IIS: Add X-Frame-Options in HTTP Response Headers.

16. X-Permitted-Cross-Domain-Policies

• Impact: Controls which cross-domain policies the browser should allow, reducing potential attack surfaces【9†source】.surfaces.
• Remediation: Set X-Permitted-Cross-Domain-Policies to a strict policy, e.g., X-Permitted-Cross-Domain-Policies: none【9†source】.
• Installation:
  • Linux:
    • Apache: Add Header set X-Permitted-Cross-Domain-Policies "none".
    • Nginx: Use add_header X-Permitted-Cross-Domain-Policies "none";.
  • Windows:
    • IIS: Add X-Permitted-Cross-Domain-Policies in HTTP Response Headers.