Security headers

Access-Control-Allow-Credentials

  • Impact: Controls whether the browser includes credentials (like cookies) in cross-origin requests. If misconfigured, it can lead to security vulnerabilities such as unauthorized access.
  • Remediation: Set Access-Control-Allow-Credentials: true only if you need to allow credentials for cross-origin requests, and ensure Access-Control-Allow-Origin is not set to '*'.
  • Installation:
    - Linux: Configure your web server (e.g., Apache, Nginx) to include the Access-Control-Allow-Credentials header in responses where needed.
    - Windows: Use IIS to set the header by editing the response headers for your website in the IIS Manager.

Access-Control-Allow-Headers

  • Impact: Specifies which HTTP headers can be used during an actual cross-origin request. Misconfiguration could expose sensitive information.
  • Remediation: Set Access-Control-Allow-Headers with a list of allowed headers, e.g., Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Authorization.
  • Installation:
    - Linux: Add the required header to your server configuration files (e.g., Apache's .htaccess or Nginx's nginx.conf).
    - Windows: Use IIS to add the Access-Control-Allow-Headers header in the HTTP Response Headers section.

Access-Control-Allow-Methods

  • Impact: Specifies which HTTP methods are allowed when accessing the resource in response to a preflight request. Misuse could expose endpoints to unintended actions.
  • Remediation: Set Access-Control-Allow-Methods with a list of allowed methods, e.g., Access-Control-Allow-Methods: GET, POST, OPTIONS.
  • Installation:
    - Linux: Modify the server's configuration files to include the header.
    - Windows: Configure this in IIS by setting the allowed methods in the response headers.

Access-Control-Allow-Origin

  • Impact: Specifies which origins are allowed to make cross-origin requests. A misconfigured policy can allow malicious websites to interact with your domain.
  • Remediation: Set Access-Control-Allow-Origin to specific trusted origins, e.g., Access-Control-Allow-Origin: https://trusted-site.com. Avoid using '*' unless absolutely necessary.
  • Installation:
    - Linux: Use web server configurations to include this header (e.g., Apache, Nginx).
    - Windows: Set the header in IIS under HTTP Response Headers.
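The Access-Control-* entries above describe what the values should be; the following added example (not code from the original page) shows the server-side decision that produces them from a fixed allowlist. The ALLOWED_ORIGINS set, the request shape and the helper names are constructed for illustration; the header values are the ones quoted in the Remediation bullets above.

```python
"""Decide which CORS headers to emit for a request, using an exact-match origin allowlist.

Added example, not part of the original page. ALLOWED_ORIGINS and the
function names are constructed for illustration.
"""
from typing import Dict, Optional

# Constructed allowlist of trusted origins: scheme + host (+ port), no path.
# Membership is tested by exact string equality, never by suffix matching,
# so "https://trusted-site.com.attacker-controlled.example" does not qualify.
ALLOWED_ORIGINS = frozenset({
    "https://trusted-site.com",
    "https://app.trusted-site.com",
})

# Values taken from the Remediation bullets on this page.
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = "X-Requested-With, Content-Type, Origin, Authorization"
EXPOSED_HEADERS = "Content-Length, X-My-Custom-Header"
MAX_AGE_SECONDS = 3600


def cors_headers(origin: Optional[str], with_credentials: bool = True) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `origin`.

    - Absent or unknown origins get no Access-Control-* headers at all, so the
      browser refuses the cross-origin read.
    - Known origins get that exact origin echoed back (never '*'), plus
      `Vary: Origin` so a shared cache does not hand one origin's response to
      another origin.
    - Credentials are only ever allowed together with a specific origin; the
      '*' + credentials combination the page warns about cannot be produced.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Access-Control-Expose-Headers": EXPOSED_HEADERS,
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_valid_cors_combination(headers: Dict[str, str]) -> bool:
    """Check an existing response for the combination the page warns about:
    Access-Control-Allow-Credentials: true together with a wildcard origin."""
    return not (
        headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
        and headers.get("Access-Control-Allow-Origin") == "*"
    )


if __name__ == "__main__":
    for candidate in ("https://trusted-site.com", "https://trusted-site.com.attacker-controlled.example", None):
        print(candidate, "->", cors_headers(candidate))
```

The point of `Vary: Origin` is easy to miss: once the exact origin is echoed back rather than `*`, the response differs per requester, and a cache that ignores the Origin header would otherwise serve a response meant for one origin to a different one.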

Access-Control-Expose-Headers

  • Impact: Lists which response headers a cross-origin script is allowed to read beyond the CORS-safelisted defaults. Over-exposing headers can lead to information leakage.
  • Remediation: Set Access-Control-Expose-Headers with a list of headers that are safe to expose, e.g., Access-Control-Expose-Headers: Content-Length, X-My-Custom-Header.
  • Installation:
    - Linux: Configure your web server to include this header.
    - Windows: Add the Access-Control-Expose-Headers header in the IIS Manager.

Access-Control-Max-Age

  • Impact: Indicates how long the results of a preflight request can be cached. Setting it too high may cache outdated policies.
  • Remediation: Set Access-Control-Max-Age to a reasonable value in seconds, e.g., Access-Control-Max-Age: 3600 for one hour.
  • Installation:
    - Linux: Modify server configuration files to include the Access-Control-Max-Age header.
    - Windows: Use IIS to add the header under HTTP Response Headers.

Clear-Site-Data

  • Impact: Clears browsing data (cookies, storage, cache) associated with the requesting website. This is essential for security after logout or error scenarios.
  • Remediation: Set Clear-Site-Data header with appropriate directives, e.g., Clear-Site-Data: "cache", "cookies", "storage" on logout or error pages.
  • Installation:
    - Linux: Add the Clear-Site-Data header in the web server configuration.
    - Windows: Set this header in IIS via HTTP Response Headers.

Content-Security-Policy

  • Impact: Helps prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks by controlling resources the browser is allowed to load.
  • Remediation: Set a Content-Security-Policy header with appropriate directives, e.g., Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';.
  • Installation:
    - Linux: Configure this header in your web server configuration files.
    - Windows: Use IIS Manager to add this header under HTTP Response Headers.
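Whether a given Content-Security-Policy actually blocks injected scripts depends on the source keywords in its script directive, not on the header merely being present. The following is an added example (not from the original page): a small parser that splits a CSP value into directives and flags sources that re-enable inline or eval'd script. It is run over the example policy quoted in the Remediation bullet above; the weakness rules and function names are this example's own.

```python
"""Parse a Content-Security-Policy value and flag directives that weaken it.

Added example, not from the original page. EXAMPLE_POLICY is the value quoted
in the Remediation bullet above; the weakness rules are this example's own.
"""
from typing import Dict, List

EXAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline';"
)

# Script sources that hand back the behaviour CSP is deployed to remove:
# inline <script> blocks and event handlers, eval(), or any host at all.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated; within a directive, tokens are whitespace-
    separated. A trailing ';' yields an empty segment, which is skipped.
    Browsers ignore a repeated directive, so only the first occurrence is kept.
    """
    parsed: Dict[str, List[str]] = {}
    for segment in policy.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        name, *sources = tokens
        parsed.setdefault(name.lower(), sources)
    return parsed


def csp_findings(policy: str) -> List[str]:
    """Return human-readable findings for a policy.

    script-src falls back to default-src when absent, so the *effective*
    script source list is what gets checked.
    """
    parsed = parse_csp(policy)
    findings: List[str] = []

    if "default-src" not in parsed:
        findings.append("no default-src: any fetch directive not listed is unrestricted")

    effective_script = parsed.get("script-src", parsed.get("default-src", []))
    for src in effective_script:
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}: injected inline or eval'd script is not blocked")

    if "'unsafe-inline'" in parsed.get("style-src", []):
        findings.append("style-src allows 'unsafe-inline': inline styles are permitted")

    return findings


if __name__ == "__main__":
    for line in csp_findings(EXAMPLE_POLICY):
        print("-", line)
```

Run against the page's own example, the parser reports both `'unsafe-inline'` and `'unsafe-eval'` on `script-src` and `'unsafe-inline'` on `style-src`; a policy such as `default-src 'self'; script-src 'self'` produces no findings. If an application genuinely needs inline scripts, per-response nonces or hashes are the usual way to keep them without re-opening the policy to injected ones.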

Cross-Origin-Embedder-Policy

  • Impact: Prevents a document from loading any cross-origin resources that don't explicitly grant the document permission, improving security against resource loading attacks.
  • Remediation: Set Cross-Origin-Embedder-Policy: require-corp to require all resources to have CORS enabled or be same-origin.
  • Installation:
    - Linux: Add this header in your server's configuration files.
    - Windows: Set this in IIS under the HTTP Response Headers section.

Cross-Origin-Opener-Policy

  • Impact: Controls how a document interacts with its opener across origins, protecting against cross-origin attacks like Spectre.
  • Remediation: Set Cross-Origin-Opener-Policy: same-origin to isolate the window from documents from other origins.
  • Installation:
    - Linux: Add the Cross-Origin-Opener-Policy header in the server's configuration.
    - Windows: Configure this header in IIS under HTTP Response Headers.

Cross-Origin-Resource-Policy

  • Impact: Prevents other domains from reading the response of the resources it is set on, reducing the risk of data theft.
  • Remediation: Set Cross-Origin-Resource-Policy: same-origin for resources that should only be loaded by your origin.
  • Installation:
    - Linux: Include this header in your server configurations.
    - Windows: Add this header in IIS under HTTP Response Headers.

Permissions-Policy

  • Impact: Controls which browser features and APIs can be used in the document or by embedded iframes, reducing the risk of feature abuse.
  • Remediation: Set Permissions-Policy with appropriate directives, e.g., Permissions-Policy: geolocation=(), microphone=(), camera=().
  • Installation:
    - Linux: Add the Permissions-Policy header in the server configuration files.
    - Windows: Set this in IIS Manager under HTTP Response Headers.

Referrer-Policy

  • Impact: Controls how much referrer information is included with requests, protecting user privacy and reducing data leakage through the Referer header.
  • Remediation: Set Referrer-Policy: strict-origin-when-cross-origin to limit the information sent in the Referer header.
  • Installation:
    - Linux: Modify the server configuration to include the Referrer-Policy header.
    - Windows: Configure this in IIS under HTTP Response Headers.

Strict-Transport-Security

  • Impact: Enforces the use of HTTPS for all future connections to the domain, preventing downgrade attacks and cookie hijacking.
  • Remediation: Set Strict-Transport-Security: max-age=31536000; includeSubDomains to enforce HTTPS for one year, including subdomains.
  • Installation:
    - Linux: Add the Strict-Transport-Security header in your server configuration.
    - Windows: Use IIS to include this header under HTTP Response Headers.

X-Frame-Options

  • Impact: Prevents clickjacking attacks by disabling or restricting iframe embedding of the web page.
  • Remediation: Set X-Frame-Options: DENY to prevent any domain from framing your content, or SAMEORIGIN to allow only your own domain.
  • Installation:
    - Linux: Include this header in your server's configuration files.
    - Windows: Set the X-Frame-Options header in IIS under HTTP Response Headers.

X-Permitted-Cross-Domain-Policies

  • Impact: Controls which cross-domain policies the browser should allow, reducing the potential attack surface.
  • Remediation: Set X-Permitted-Cross-Domain-Policies: none to disallow all cross-domain policies, or master-only to allow only master policy files.
  • Installation:
    - Linux: Configure this header in your web server.
    - Windows: Use IIS to add the X-Permitted-Cross-Domain-Policies header under HTTP Response Headers.
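Once the headers are configured, the useful check is whether a real response carries the values listed on this page. The following added example (not from the original page) audits a dictionary of response headers against those Remediation values: Strict-Transport-Security, X-Frame-Options, Referrer-Policy, the three Cross-Origin-* headers, X-Permitted-Cross-Domain-Policies, and the presence of Content-Security-Policy and Permissions-Policy. The two header sets it runs over are constructed; the expected values come from the page.

```python
"""Audit HTTP response headers against the baseline values on this page.

Added example, not from the original page. SAMPLE_RESPONSE and
HARDENED_RESPONSE are constructed header sets; the expected values are the
Remediation values listed above.
"""
import re
from typing import Dict, List

# Constructed: a response with several weak or missing headers (mixed-case
# names on purpose, since header names are case-insensitive on the wire).
SAMPLE_RESPONSE = {
    "content-type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=3600",   # one hour, no includeSubDomains
    "X-Frame-Options": "ALLOWALL",                  # not a recognised hardening value
    "Referrer-Policy": "unsafe-url",                # sends the full URL cross-origin
    "Cross-Origin-Opener-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
}

# Constructed: the same response with every value from this page applied.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Content-Security-Policy": "default-src 'self'",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # normalise names
    findings: List[str] = []

    def require(name: str, allowed: set, hint: str) -> None:
        value = h.get(name.lower())
        if value is None:
            findings.append(f"{name} missing; set {hint}")
        elif value.lower() not in allowed:
            findings.append(f"{name} is '{value}'; set {hint}")

    # HSTS needs both a long enough max-age and includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing; set max-age=31536000; includeSubDomains")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age below one year: '{hsts}'")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    require("X-Frame-Options", {"deny", "sameorigin"}, "DENY or SAMEORIGIN")
    require("Referrer-Policy", SAFE_REFERRER, "strict-origin-when-cross-origin")
    require("Cross-Origin-Opener-Policy", {"same-origin"}, "same-origin")
    require("Cross-Origin-Embedder-Policy", {"require-corp"}, "require-corp")
    # same-site is also a valid CORP value; the page recommends same-origin.
    require("Cross-Origin-Resource-Policy", {"same-origin", "same-site"}, "same-origin")
    require("X-Permitted-Cross-Domain-Policies", {"none", "master-only"}, "none")

    # Presence checks only; the policy contents need their own parser.
    for name in ("Content-Security-Policy", "Permissions-Policy"):
        if name.lower() not in h:
            findings.append(f"{name} missing")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("-", finding)
    print("hardened response findings:", audit_headers(HARDENED_RESPONSE))
```

The header-name normalisation matters in practice: a check that looks up `Strict-Transport-Security` with exact case will report the header missing when the server sends it as `strict-transport-security`, and then recommend adding a second copy.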