Security Headers

HTTP Security Headers are a subset of HTTP headers that enhance the security of web applications against common web vulnerabilities by controlling how browsers behave when handling responses from your server.

| Header | Description | Attack Scenario |
|---|---|---|
| Content-Security-Policy (CSP) | Specifies the origins from which content is allowed to be loaded. It helps against injection attacks, such as XSS (deprecated ). | Without restrictions, attackers may inject and execute malicious scripts or load resources from untrusted origins, leading to data theft or session hijacking. |
| Strict-Transport-Security (HSTS) | Informs browsers that the web application should only be accessed over HTTPS, never HTTP. | In the absence of this header, browsers may initiate connections over HTTP, allowing attackers to intercept or modify traffic via downgrade or man-in-the-middle attacks. |
| Content-Type | Indicates the resource's original media type. | Without an accurate type declaration, the browser might misinterpret a file (e.g., treat HTML as JavaScript), potentially enabling script execution or XSS. |
| X-Content-Type-Options | Tells browsers that the MIME type advertised in the Content-Type header must be followed and not guessed (MIME sniffing). | A browser could bypass content type restrictions and execute a script served as a different file type, leading to cross-site scripting or similar attacks. |
| Referrer-Policy | Controls how much referrer information (sent via the Referer header) is included with requests. | If unrestricted, URLs with sensitive query parameters may be leaked to external sites through referrer headers, exposing private data. |
| Set-Cookie | Sends a cookie from the server to the user agent, so the user agent can send it back to the server later. It is not a security header per se, but its security attributes are crucial. | Without secure attributes, cookies can be exposed to JavaScript (risking theft via XSS) or sent over unencrypted connections, increasing hijacking risk. |
| X-Frame-Options (XFO) | Prevents other websites from loading the page in an iframe (clickjacking attacks). XFO is only useful when there is something interactive in the response, such as links, buttons, etc. Can be replaced by CSP's frame-ancestors directive. | When not set, attackers may load the page in a hidden frame and trick users into interacting with invisible UI elements, performing unintended actions. |
| Clear-Site-Data | Clears browsing data (cookies, storage, cache) associated with the requesting website. Useful in logout functionality. | Without clearing data, an attacker with access to the device may reuse session tokens or cached content to impersonate the previous user. |
| Cache-Control | Holds directives for caching in both requests and responses. | Sensitive content may be stored in browser or proxy caches, making it accessible after logout or on shared devices. |
| Cross-Origin-Opener-Policy (COOP) | COOP ensures that a top-level document does not share a browsing context group with cross-origin documents. | Without COOP, a cross-origin popup or iframe could access or interfere with the context of the application, leading to data leaks via side channels. |
| Cross-Origin-Embedder-Policy (COEP) | COEP prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS). | Cross-origin scripts or media may be loaded and executed without validation, increasing the risk of dependency-based attacks. |
| Cross-Origin-Resource-Policy (CORP) | CORP controls the set of origins that are allowed to include a resource. | Resources like scripts or fonts could be included by unauthorized sites, potentially exposing data or enabling misuse in cross-origin attacks. |
| X-Permitted-Cross-Domain-Policies | A cross-domain policy file is an XML document that grants a web client permission to handle data across domains. | Without restriction, malicious Flash or legacy clients could access sensitive resources across domains. |
| X-XSS-Protection | Deprecated by . | If enabled without CSP, the browser's filter may be bypassed or used to inject unintended content in older browsers. |

We can check the Security headers of a public website online using an application such as the Security Header Check.
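The same checks can be run offline against a captured response. The following audit function is an added example, not part of the original page or of any tool it mentions; it walks the table above (HSTS, CSP, nosniff, framing, Referrer-Policy, Set-Cookie attributes, Cache-Control) over a constructed header set and reports each weakness it finds. The sample header values are made up for the demonstration.

```python
"""Audit a response's headers against the security headers table."""
from typing import Dict, List

# Constructed sample: headers of a hypothetical logout response.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
    "Cache-Control": "public, max-age=3600",
    "Referrer-Policy": "unsafe-url",
    "X-Frame-Options": "DENY",
}

# Constructed sample: the same response with the headers hardened.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Cache-Control": "no-store",
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged.
    Assumes a single Set-Cookie value (a dict cannot hold repeated headers)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing: downgrade to HTTP possible")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing: no restriction on script origins")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options not 'nosniff': MIME sniffing possible")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("No XFO or frame-ancestors: clickjacking possible")
    if h.get("referrer-policy", "").strip().lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy weak or missing: URL leakage to other sites")
    cookie = h.get("set-cookie", "")
    if cookie:
        # Attribute names follow the first "name=value" pair, separated by ';'
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for attr in ("Secure", "HttpOnly", "SameSite"):
            if attr.lower() not in attrs:
                findings.append(f"Set-Cookie lacks {attr}")
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks 'no-store': sensitive response may be cached")
    return findings
```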

Resources

  • An excellent demo of a clickjacking attack & how X-Frame-Options can prevent it.

  • A nice article about MIME sniffing.
