HTTP Response header for security

Watchanon Numnam
3 min read · Oct 8, 2021

Let's try to improve web security by adding response headers.

https://securityheaders.com/

Content-Security-Policy (CSP)

CSP is an HTTP response header that tells the browser which sources it is allowed to load resources from and which it must block.

Directive

  • default-src: the default policy for fetching resources such as JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media; any fetch directive that is not set falls back to it
  • script-src: valid sources of JavaScript
  • style-src: valid sources of stylesheets
  • img-src: valid sources of images
  • connect-src: URLs that scripts may connect to via fetch, XMLHttpRequest, WebSocket and EventSource
  • font-src: valid sources of fonts loaded with @font-face
  • object-src: valid sources of plugin content for <object> and <embed>
  • media-src: valid sources of <audio>, <video> and <track> content
  • navigate-to: a CSP Level 3 draft directive meant to restrict the URLs a document may navigate to; not implemented by mainstream browsers

Strict-Transport-Security (HSTS)

HSTS is a response header that tells browsers the site should only be accessed over HTTPS, never over plain HTTP.

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directive

  • max-age=63072000: time in seconds for which the browser remembers the rule (2 years is the recommended value)
  • includeSubDomains: apply the rule to all subdomains as well
  • preload: opts the domain into the HSTS preload list built into browsers; submission at hstspreload.org requires a max-age of at least one year (31536000), includeSubDomains and preload all present

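Two practical checks follow from the directives above: whether a header value actually meets the preload requirements, and whether the header is only sent over HTTPS (RFC 6797 requires this, and browsers ignore it over plain HTTP anyway). The following is an added example, not code from the original post, that parses a Strict-Transport-Security value, reports what would block preload submission, and wraps the header in an Express-style middleware that skips plain-HTTP requests. The header values are constructed for the example.

```javascript
// Added example, not code from the original post: parse a
// Strict-Transport-Security value, check it against the preload-list
// submission requirements (max-age of at least one year, includeSubDomains
// and preload all present), and set the header only on HTTPS responses.
const ONE_YEAR = 31536000;

// RFC 6797: directive names are case-insensitive, unknown directives are
// ignored, and max-age may carry a quoted value.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : token.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (!/^\d+$/.test(val)) throw new Error(`invalid max-age in "${token}"`);
      result.maxAge = Number(val);
    } else if (name === "includesubdomains") {
      result.includeSubDomains = true;
    } else if (name === "preload") {
      result.preload = true;
    }
  }
  if (result.maxAge === null) throw new Error("max-age is required");
  return result;
}

// Reasons a value would be rejected for preloading; an empty list means eligible.
function preloadProblems(value) {
  const hsts = parseHsts(value);
  const problems = [];
  if (hsts.maxAge < ONE_YEAR) problems.push(`max-age ${hsts.maxAge} is below one year (${ONE_YEAR})`);
  if (!hsts.includeSubDomains) problems.push("includeSubDomains missing");
  if (!hsts.preload) problems.push("preload missing");
  return problems;
}

// Express-style middleware. The header is only meaningful over secure
// transport, so it is skipped for plain-HTTP requests. Behind a
// TLS-terminating proxy, req.secure needs app.set("trust proxy", ...) in Express.
function hstsMiddleware(maxAge = 2 * ONE_YEAR) {
  const value = `max-age=${maxAge}; includeSubDomains; preload`;
  return (req, res, next) => {
    if (req.secure) res.setHeader("Strict-Transport-Security", value);
    next();
  };
}

// Exercise the middleware without a server: returns the headers it set.
function collectHeaders(middleware, req) {
  const headers = {};
  middleware(req, { setHeader: (name, v) => { headers[name] = v; } }, () => {});
  return headers;
}

console.log(preloadProblems("max-age=300")); // three problems
console.log(collectHeaders(hstsMiddleware(), { secure: true }));
```

A first deployment is usually safer with a short max-age and no preload, raising the value once every subdomain is known to work over HTTPS; includeSubDomains plus preload is hard to undo.
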
X-Frame-Options

X-Frame-Options is a response header that tells the browser whether it may render the page inside a <frame>, <iframe>, <embed> or <object>, which prevents clickjacking.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Directives

  • DENY: the page may not be loaded in a frame at all, whether by another site or by the same site (both are disallowed)
  • SAMEORIGIN: the page may only be framed by pages from the same origin

X-Content-Type-Options

X-Content-Type-Options is an HTTP response header indicating that the MIME type declared in the Content-Type header must be followed and not changed. It prevents MIME-type sniffing.

X-Content-Type-Options: nosniff

Referrer-Policy

Referrer-Policy is an HTTP response header that controls how much information is sent in the Referer header.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directive

  • no-referrer: no Referer header is sent
  • no-referrer-when-downgrade: send origin, path and query for HTTP→HTTP, HTTP→HTTPS and HTTPS→HTTPS; send nothing for HTTPS→HTTP or HTTPS→file
  • origin: send only the origin
  • origin-when-cross-origin: send origin, path and query for same-origin requests, but only the origin for cross-origin requests
  • same-origin: send origin, path and query string for same-origin requests; send nothing for cross-origin requests
  • strict-origin: send only the origin when the security level stays the same (HTTPS→HTTPS); send nothing to a less secure destination (HTTPS→HTTP)
  • strict-origin-when-cross-origin (default): send everything for same-origin requests; for cross-origin requests at the same security level (HTTPS→HTTPS) send only the origin, and for cross-origin requests to a less secure destination (HTTPS→HTTP) send nothing
  • unsafe-url: send origin, path and query for every request, including cross-origin and downgrade ones, so the full URL leaks to third parties

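The eight policies differ only along two axes, same-origin versus cross-origin and same security level versus downgrade, which is easier to see in code than in prose. The following is an added example, not code from the original post: a function that computes the Referer value a browser would send for a request from one URL to another under each policy, returning null when nothing is sent. The URLs are constructed for the example.

```javascript
// Added example, not code from the original post: what Referer value a
// browser sends for a request from `fromUrl` to `toUrl` under each
// Referrer-Policy value. Returns null when no Referer is sent.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
];

function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // "Full" referrer: origin + path + query. Fragment and credentials are always stripped.
  const full = from.origin + from.pathname + from.search;
  // The origin-only referrer is serialized with a trailing slash.
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // Downgrade: leaving a potentially trustworthy origin (HTTPS) for one that is not (HTTP, file:).
  const trustworthy = (u) => u.protocol === "https:" || u.hostname === "localhost";
  const downgrade = trustworthy(from) && !trustworthy(to);
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin":
      return originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "same-origin":
      return sameOrigin ? full : null;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "unsafe-url":
      return full;
    case "": // empty policy: the browser default
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Table of every policy for one request, handy when reviewing a site's choice.
function referrerTable(fromUrl, toUrl) {
  const table = {};
  for (const policy of POLICIES) table[policy] = referrerFor(policy, fromUrl, toUrl);
  return table;
}

// Usage: a cross-origin HTTPS -> HTTP request (the classic downgrade case)
console.log(referrerTable("https://app.example.com/account?id=42", "http://tracker.example.org/pixel"));
```

Running the usage line shows that only unsafe-url leaks the path and query to the HTTP destination; no-referrer-when-downgrade, chosen in the middleware below, still sends the full URL to any HTTPS third party.
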
Permissions-Policy

Permissions-Policy is a response header that allows or denies the use of browser features (camera, microphone, geolocation, and so on) in the page and in the frames it embeds; it replaces the older Feature-Policy header.

Let's try to create a middleware in Express that sets these headers:

const express = require("express")
const app = express()

// Security-header middleware, registered before the routes so every response gets the headers
app.use((req, res, next) => {
  res.setHeader("strict-transport-security", "max-age=31536000;includeSubDomains;preload")
  res.setHeader("x-xss-protection", "1;mode=block") // legacy header; current browsers ignore it
  res.setHeader("x-frame-options", "SAMEORIGIN")
  res.setHeader("x-content-type-options", "nosniff")
  res.setHeader("referrer-policy", "no-referrer-when-downgrade")
  res.setHeader("x-permitted-cross-domain-policies", "none")
  res.setHeader("expect-ct", "max-age=31536000")
  // '*' together with 'unsafe-inline' and 'unsafe-eval' allows everything: this CSP blocks nothing
  res.setHeader("content-security-policy", "default-src * 'unsafe-inline' 'unsafe-eval'")
  res.setHeader("feature-policy", "default") // "default" is not valid Feature-Policy syntax; use Permissions-Policy instead
  next()
})

The result after applying the middleware, Bingo!

[Image: response headers after applying the middleware]

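The middleware above gets the headers onto the wire, but its CSP of default-src * with 'unsafe-inline' and 'unsafe-eval' does not restrict anything, and Feature-Policy has been replaced by Permissions-Policy. The following is an added example, not code from the original post: the same middleware shape with a restrictive default set, a small builder for the Permissions-Policy header, and a hand-made fake response object so the middleware can be exercised without express installed. The default CSP is a starting point only; pages with inline scripts need nonces or hashes rather than 'unsafe-inline'. X-XSS-Protection is left out because current browsers have removed the XSS auditor it controlled.

```javascript
// Added example, not code from the original post: a restrictive variant of
// the middleware above plus a builder for Permissions-Policy. The fake
// response object is constructed so the middleware runs without express.

// { camera: [], geolocation: ["self"], fullscreen: ["self", "https://video.example"] }
//   -> camera=(), geolocation=(self), fullscreen=(self "https://video.example")
function permissionsPolicy(allowlists) {
  return Object.entries(allowlists)
    .map(([feature, allow]) => {
      if (allow.includes("*")) return `${feature}=*`; // the wildcard is written without parentheses
      const items = allow.map((a) => (a === "self" ? "self" : JSON.stringify(a)));
      return `${feature}=(${items.join(" ")})`;
    })
    .join(", ");
}

// options.csp and options.permissions are assumed option names for this example.
function securityHeaders(options = {}) {
  const headers = {
    "Content-Security-Policy":
      options.csp || "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY", // legacy equivalent of frame-ancestors 'none' for old browsers
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": permissionsPolicy(
      options.permissions || { camera: [], microphone: [], geolocation: [] }
    ),
  };
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Run a middleware against a fake response and return what it set (test helper).
function applyToFakeResponse(middleware) {
  const headers = {};
  let nextCalled = false;
  const res = { setHeader: (name, value) => { headers[name.toLowerCase()] = value; } };
  middleware({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// In a real app: app.use(securityHeaders({ permissions: { geolocation: ["self"] } }))
console.log(applyToFakeResponse(securityHeaders()).headers);
```

Keeping X-Frame-Options next to frame-ancestors is deliberate: browsers that understand CSP Level 2 use frame-ancestors and ignore X-Frame-Options, while older ones still honour the legacy header.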