There are many ways to secure a website against malicious attacks and users. One of not so common ways of doing is the use of security headers.
Security headers is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
Below are the security response headers.
This header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
Content Security Policy is a security mechanism which allows mitigation against Cross Site Scripting and Cross Site Request Forgery attacks.
The X-XSS-Protection security header is honoured by IE 8 and 9. This header can be used to prevent reflected Cross Site Scripting attacks.
This header instructs the browser that the website should only be served via HTTPS.
With a defined value “nosniff” prevents IE and Chrome from using MIME-analysis instead of the declared content-type header for downloaded content. This reduces the risk of drive-by download attacks as well as sites that allow user uploaded content which may in some instances be interpreted as executable or dynamic HTML.
I often use the below code inside .htaccess file. The below code prevents x-frames, no inline scripts, no cross-domain requests. The only access it allows is for google analytics script to record onsite analytics.
Header set Strict-Transport-Security "max-age=60"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
Header set X-Content-Security-Policy "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
Header set X-WebKit-CSP "default-srcs 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
Header set X-XSS-Protection "1; mode=block"
HTTP Strict Transport Security
Content Security Policy