HTTP Security Headers

Edit Page

Use securityheaders.io online tool to score security HTTP headers of your site.

All the examples are for nginx server but values for other http servers are similar.

Header: X-Frame-Options

This header is basic click-jacking protection to disable opening a page inside an iframe.

It is quite limited as Chrome & Safari do not support ALLOW-FROM; for that we need to research CSP Level 2’s frame-ancestors.

add_header X-Frame-Options SAMEORIGIN;

More details here

Header: Content-Security-Policy

This header is very versatile but for now, I will use it only for clickjacking protection, the new way.

add_header Content-Security-Policy "frame-ancestors 'self' *.google.com";

frame-ancestors specifies the sources that can embed the current page. This directive applies to iframe, frame, embed, applet tags. Setting this directive to 'none' should be roughly equivalent to X-Frame-Options: DENY

The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.

Research more here

Header: X-Content-Type-Options

If server says that delivered content is text/html, the browser will unquestionably believe it and render it as text/html without detecting or sniffing its real content type. Both IE and Chrome do this sinffing by default, so we must disable it.

add_header X-Content-Type-Options nosniff;

More info here.

Enable XSS protection

Enables reflective XSS protection already build into most browsers

add_header X-Xss-Protection "1; mode=block" always;

Read more here.

HTTP Public Key Pinning?

I will intentionaly avoid Public-Key-Pins header as it requires too much manual work to implement. Even without it, site will get an A score in securityheaders.io.

Problems in Google In-Page Analytics

I found no way to start In-Page Analytics (Google Analytics) without it’s Chrome Extension and I could do it only in Full View.

The first problem was X-Frame-Options header, but even if I fix this using Content-Security-Policy headers, it seems to me that Google still needs to change analytics.js which we host locally. If you host the Google tracking code on your own servers, it isn’t updated automatically and can miss important changes.

Even when I reverted back to normal analytics.js script, it didn’t work. Just accept it - extension & Full View must be used.

date 01. Jan 0001 | modified 28. May 2021
filename: HTTP Security Headers