Use securityheaders.io online tool to score security HTTP headers of your site.
All the examples are for nginx server but values for other http servers are similar.
This header is basic click-jacking protection to disable opening a page inside an iframe.
It is quite limited as Chrome & Safari do not support ALLOW-FROM; for that we need to research CSP Level 2’s frame-ancestors.
add_header X-Frame-Options SAMEORIGIN;
More details here
This header is very versatile but for now, I will use it only for clickjacking protection, the new way.
add_header Content-Security-Policy "frame-ancestors 'self' *.google.com";
frame-ancestors specifies the sources that can embed the current page.
This directive applies to iframe, frame, embed, applet tags. Setting
this directive to
'none' should be roughly equivalent to
frame-ancestors directive obsoletes the
If a resource has both policies, the
frame-ancestors policy SHOULD be
enforced and the
X-Frame-Options policy SHOULD be ignored.
Research more here
If server says that delivered content is text/html, the browser will unquestionably believe it and render it as text/html without detecting or sniffing its real content type. Both IE and Chrome do this sinffing by default, so we must disable it.
add_header X-Content-Type-Options nosniff;
More info here.
Enable XSS protection
Enables reflective XSS protection already build into most browsers
add_header X-Xss-Protection "1; mode=block" always;
Read more here.
HTTP Public Key Pinning?
I will intentionaly avoid Public-Key-Pins header as it requires too much manual work to implement. Even without it, site will get an A score in securityheaders.io.
Problems in Google In-Page Analytics
I found no way to start In-Page Analytics (Google Analytics) without it’s Chrome Extension and I could do it only in Full View.
The first problem was
X-Frame-Options header, but even if I fix this
using Content-Security-Policy headers, it seems to me that Google
still needs to change
analytics.js which we host locally. If you host
the Google tracking code on your own servers, it isn’t updated
automatically and can miss important changes.
Even when I reverted back to normal analytics.js script, it didn’t work. Just accept it - extension & Full View must be used.