HTTP Security Response Headers are to balance the usability and security for the website users. HTTP Security Response Headers involve Content Security Policy, HTTP Strict Transport Security, X-frame Options, XSS Protection, X-content-type Options, and referrer policy. HTTP Security Response Headers are designed to improve the privacy of the users, and the security of the web servers from hackers. The web development teams developed certain guidelines for the website security response headers such as Framework for Secure Application Design and Development, Security in Development: The IBM Secure Engineering Framework, Open Web Application Security Project. Web browsers can use the security-related response headers to avoid security vulnerabilities.
HTTP Response Headers can be used for improving the web page speed besides improving the security and privacy of the users and the web servers. The list of security-related response headers can be found below.
- HTTP Strict Transport Security
- Content Security Policy
- X-Frame Options
- XSS Protection
- Referrer Policy
The security response headers are easy to implement, and audit. In this security-related HTTP Response Headers guideline, the implementation, and audit of the security response headers will be demonstrated with their definitions, syntax, and usage.
1. HTTP Strict Transport Security
HTTP Strict Transport Security is a security-related response header to provide HTTPS connection for the web browsers by preventing the connection over HTTP. HTTPS is the extension of HTTP. Hypertext Transfer Protocol Secure is to provide a secure connection between the computers and the web users. HTTP Strict Transport Security response header forces a user to use the HTTPS connection for all of the assets of the web page. HTTP Strict Transport Security doesn’t let to use the lower versions of the Transfer Secure Layer (TLS). HTTP Strict Transport Security has three header values. Below, you can see the values for the HTTP Strict Transport Security with their header values.
- max-age: max-age for the HTTP Strict Transport Security represents the seconds that the web browser needs to remember that the website uses only HTTPS connection.
- includeSubDomains: includeSubDomains HTTP Strict Transport Security response header value determines whether the HTTP Strict Transport Security will be valid for the subdomains of the website or not.
- Preload: Every modern web browsers have a preload list for the HSTS websites. The preload response header helps a website to make itself registered to the HSTS Preload List. It means that the web browser will be able to create a faster HTTPS connection which will affect the timing of the TLS Handshake.
The HTTP Strict Transport Security response header uses the 307 Redirection HTTP Status Code for redirecting an HTTP connection to the HTTPS connection. Below, you can see an example usage of the HTTP Strict Transport Security Response Header.
Strict-Transport-Security: max-age=31536000; includeSubDomains
2. X-Frame Options
X-Frame Options is a security-related Response Header that protects websites from clickjacking. Clickjacking is a web security-related thread that steals the content of the websites within an iframe to make the web user activity away from the actual content owner website. The X-frame-options security-related response header prevents a third party to render the content of the website within the iframe for another website. There are three different response header values for X-frame-options. These are “deny”, “sameorigin”, “allow-from: <DOMAIN list>”. The functions and meanings of the x-frame options response headers can be seen below.
- Deny: Deny is the value for the X-frame-options response header. It denies all of the third party requests for rendering the website content within another webpage. It prevents same website to render its content within the iframe.
- Sameorigin: Sameorigin HTTP Response Header value is to be used for X-frame-Options response header to let only the same domain to use the content of the website within the iframe.
- Allow-from: Allow-from is a response header value of X-frame-options to prevent other websites besides the listed within the value of the Allow-form to use the content of the website within the iframe. Via allow-from, a website can determine which other websites can use their content within the iframe or not.
Below, there is an example usage of the X-frame-options security HTTP response header.
X-Frame Options: DENY
- “1”: “1” is a response header value for the X-XSS-Protection that help a website to block the web page and sanitize it if the XSS Attack is realized.
- “0”: “0” is a reponse header value for the X-XSS-Protection that blocks the web page protection against the XSS Attacks.
- “1;mode=block”: “1;mode=block” is a value for the X-XSS-Protection that blocks the web page from rendering, but it doesn’t sanitize the web page.
The sanitization of the web page means that if the XSS Attacks have been performed, the website will restore the old JS Files to clean the injected scripts. The example usage of the X-XSS-Protection can be seen below.
X-XSS-Protection: 1; mode=block
As a web security HTTP Response Header, X-XSS-Protection is a fundamental response header to be used for protecting the web users’ privacy, and the web servers’ security.
X-Content-Type-Options is a security-related response header to protect the web users and websites against the Multipurpose Internet Mail Extensions (MIME) type confusion attacks. MIME Type Confusion attacks rely on the executable and uploadable files or dynamic HTML files. Content-type and X-content-type-options response headers are related to each other. X-content-type-options can make the content-type response header ignored by the web browser and the webserver. X-content-type-options have only a single response header value that can be used. The only response header value of the x-content-type-options is “nosniff”. The meaning of the “nosniff” means that the web browser won’t be able to perform sniffing.
The example usage of the x-content-type-options can be found below.
X-content-type-options is one of the most fundamental web security response headers. To learn more about the X-content-type directives, syntax, and web browser compatibility, read the “x-content-type-options” guide.
Content-Security-Policy: default-src 'self' https://holisticseo.digital; connect-src 'none';
The “-src” suffix can be used for the “content”, “script”, “font”, “frame”, “img”, “media”, “default”, “object” to determine the which resources should be downloaded from where. To use the content-security policy, the document directives, navigation directives, reporting directives, fetch directives should be understood. These directives are to determine the limits and the working method of the CSP for the website. To learn how to create and use a Content Security Policy, read the related guideline.
6. Referrer Policy
Referrer-Policy is a security-related response header. The referrer policy response header protects the domain information during a click event for a new domain. A click event that results in landing to another domain can convey information related to the referrer domain. Referrer-Policy determines what information related to the referrer domain will be shared. Protecting the referrer information is to provide better privacy for web users. Referrer policy makes web redirection and surfing safer for web users. There are 8 different response header values that can be used with the referrer-policy security response header. These are “no-referrer”, “no-referrer-when-downgrade”, “origin”, “origin-when-cross-origin”, “same-origin”, “strict-origin”, “strict-origin-when-cross-origin”, “unsafe-url”. The explanations of the referrer-policy response header values are below.
- No-referrer will prevent any referrer information to be passed.
- No-referrer when-downgrade sends the referrer information if the HTTP Protocol stays same or improves.
- Origin sends the referrer information with only the origin name.
- Origin-when-cross-origin sends the all referrer information when the request is made up from the same or a better HTTP version from same domain to same domain. If it is a request from another domain, only the origin name will be sent.
- Same-origin sends the refferrer information only for the internal requests, but no refferrer information for the cross-origin requests.
- Strict-origin sends the refererr information if only the protocol level is same.
- Strict-origin-when-cross-origin sends the referrer information if only the protocol level is same for cross-origin requests, it sends all referrer information for the same-origin requests.
- Unsage-url sends all the referrer information for all of the refe situations.
To learn more about the referrer-policy, implementation, the related Referrer-Policy response header guide can be read.
7. Permissions Policy
Permissions Policy is a security-related response header to determine which web browser features will be able to be used within the website or not. Permissions policy prevents iframes to use the same web browser features for the content that has been taken from the website via iframe HTML tag. To make the distinction between the “permissions policy” rules, the “allowed”, “not allowed”, and the “self” response header values can be used.
- Allowed means that the specified rules will be valid for the domain’s itself and all of other domains that use the content from the website via the iframe HTML tags. Allowed is a positive response header value for the permission policy response header.
- Not allowed means that the specified rules will be valid for all of the domains, but the web browser features that are specified won’t be able to used.
- Self means that the specified web browser features will be used or not used for only the domain’s itself, while the rules won’t be applied to the third-party domains.
The features that can be used via the permissions policy are listed below.
Example usage of the permissions policy can be found below.
Feature-Policy: autoplay'none'; geolocation 'none'
8. Feature Policy
Feature policy is an HTTP response header for web security. Feature policy is a similar security-related HTTP response header to the permissions policy. The main difference between the feature policy and the permissions policy response headers is that the feature policy is valid for only the website’s own content, and frame while the permissions policy can be effective for all of the websites.
Below, you can see the syntax of the feature policy security response header.
Feature-Policy: <directive> <allowlist>
Below you can see the usage of the feature policy example.
Feature-Policy: autoplay 'none'
The example above states that the web browser feature autoplay is disabled for the nested browser context and the specific window.. The nested browser context represents the iframes that take the content from another web page. To learn further read the related Feature-Policy guide.
Expect-CT is a security-related response header. Expect-CT HTTP Header is to make a website to use Certificate Transparency requirements. If a website uses a misused certificate, it will be reported to the report URI. Expect-CT HTTP Response header is only for the connections via HTTPS, not HTTP. And, since June 2021, the Expect-CT HTTP Response Header is an obsolete security-related response header because all of the response headers since May 2018 contain the SCT as default. Since all of the new security certificates have a date and time stamp, the Expect Certificate Timestamp is not a necessity anymore. The Expect-CT HTTP response header has three directives. The directives of the Expect-CT security response header are “report-uri”, “enforce” and the “max-age”.
Enforce is an optional value for Expect-CT HTTP Response Header. It is to enforce the user-agent to report the security certificate violations while making the requests to be aligned with the HTTPS.
- Report-uri is an optional response header value for the security HTTP header Expect-CT. It is to make an endpoint for the reporting of the security certificate violations.
- Max-age is to provide the period of validity of the security certificate.
- Below, you can find a working example of the Expect-CT security response header.
Expect-CT: max-age=86400, enforce, report-uri="https://report.example/"
The example above is enforcing the certificate transparency for only 24 hours, and it reports the violations to the “report.example”.
Clear-site-data is an HTTP response header related to the web security for clearing the cookies, storage, and the cache associated with the website for a users’ web browser. If a web user logs out from the website, a website can clear all of the related cookies, and caches for the related website via a log-out web page. Clear-site-data is helpful for web developers to control the cache, cookies, and storage of the website within the devices and web browsers of the users. The clear-site-data has five different directives. The directives of the Clear-site-data security response header are “cache”, “cookies”, “storage”, “executionContexts”, and “*”. The explanations and definitions of the Clear-Site-Data Security HTTP Header are below.
- The “cache” is a response header value for the clear-site-data HTTP header for removing the locally cached data.
- “Cookies” is a response header value for the clear-site-data HTTP header to remove all cookies from the users’ web browsers.
- “Storage” is a response header value for clear-site-data HTTP header to remove all DOM Storage. Different commands such as “localStorage”, or “sessionStorage” can be used to clear different types of storage.
- “ExecutionContexts” is a response header value for Clear-Site-Data HTTP Heade to reload all browsing contexts.
- “*” is a value for the Clear-Site-Data response header for removing all possible data types from the users’ web browsers and devices.
There is an example usage of the HTTP Security Response Header Clear-Site-Data for clearing the cache, cookies, storage when the user logs out.
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
Cross-Origin-Embedder-Policy (COEP) response header is to prevent an HTML Document to load a cross-origin resource without the document permission. Cross-Origin-Embedder-Policy security response header has two directives. The directives of the Cross-Origin-Embedder-Policy are “unsafe-none”, “require-corp”. The explanations of the Security HTTP Header Cross-Origin-Embedder-Policy are below.
- Unsafe-none is a response header value for the security HTTP Header Cross-Origin-Embedder-Policy to let a document to perform cross-origin requests.
- Require-corp is a response header value for the security HTTP Header Cross-Origin-Embedder-Policy to prevent any resources that are not aligned with the crossorigin attribute or the Cross-Origin-Resource-Policy HTTP Header to be downloaded by the HTML Document.
An example of usage of the Cross-Origin-Embedder-Policy response header is below.
The example code block above demonstrates that the specific HTML Document is not able to load a cross-origin resource without the “crossorigin” attribute. To learn more about the Cross-Origin-Embedder-Policy, read the related guide.
Cross-Origin-Opener-Policy (COOP) is to prevent a document to share the browsing context. A browsing context is the context of the window of the browser or the iframe and an iframe set. A web browser can group different windows within the same browsing context. A document can make a request to the previous document’s resources if the second document is opened via the first document. Thus, using the noreferrer, and nopeener is important in the same context. The Cross-Origin-Opener-Policy has three directives. The directives of the HTTP Security Header Cross-Origin-Opener-Policy are “unsafe-origin”, “same-origin-allow-popups”, “same-origin”. The explanations of the Cross-Origin-Opener-Policy response header directives are below.
- “unsafe-none” is a HTTP Security response header Cross-Origin-Opener-Policy directive for allowing the documents to be added into the same browsing context group.
- “Same-origin-allow-popups” is a directive for the HTTP Security response header Cross-Origin-Opener-Policy header to referencing the newly opened tabs.
- “Same-origin” is a directive for the security-related HTTP Header Cross-Origin-Opener-Policy to keep only the same origin documents within the same browsing context.
Example usage of the security response header Cross-Origin-Opener-Policy is below.
Cross-Origin-Resource-Policy (CORP) is a security-related HTTP Response Header to prevent certain types of requests from third-party origins. Cross-Origin-Resource-Policy response header can be used only for images, scripts, or CSS files. The Cross-Origin-Resource-Policy response header is a fundamental part of the Cross-Origin Resource Policy (CORP). The Cross-Origin-Resource policy has three directives. The directives of the Cross-Origin-Resource-Policy Security Header are “same-site”, “same-origin”, “cross-origin”. These directives can be used to make a certain type of resource to be used within the same website, same origin, or the cross-origins.
What is the main relation between the security response headers and a web browser?
The main relation between the security response headers and a web browser is that the web browser will receive the response headers from the web server of the website that the request has been made to. In this context, a web browser is used to take and process the response headers. The security response headers are to protect the web browser users. If the web browsers are not secure, the web users can be exploited via cybersecurity issues. Secondly, the web security response headers are connected to the web browsers in terms of checking and auditing the security-related response headers.
If a user checks the response headers from the web browser, it can be useful to understand the stance of a website in terms of security. If a web developer audits the response headers related to the security, the programmer can improve the website security further.
What is the main relation between the security response headers and a web server?
The relationship between web servers and web security-related HTTP Headers is that web servers send HTTP Headers related to security to web browsers. Web servers can send security-related HTTP Headers with different functions and programming commands according to the software, infrastructure, and technology they use. On WordPress sites, or on a website managed with NodeJS, security-related response headers are sent by different methods. In a website, web servers must be configured to use security HTTP Headers.
What is the main relation between security response headers and a web page?
The relationship between a web page and security-related HTTP Headers is the sending of the relevant HTTP Headers to the web page. A web page consists of various parts such as JS, CSS, Image, Font files. All parts and resources of web pages use the same security-related HTTP Headers. A website can use different security HTTP Headers in different website segments. HTTP Headers are prepared specifically for the web page, not the website.
What are other response header types besides security response headers?
Apart from the security-response headers, there are response headers related to pagespeed or related to the function of a server, its name, the point to which a report will be sent, or the content character code. Response headers related to page speed are listed below.
Last Thoughts on Security Response Headers and the Holistic SEO
Security Related Response Headers are beneficial for protecting the user’s privacy, and the web server’s reliability. A brand can protect its users in the digital world by implementing the security HTTP Headers. A search engine can use the security-related response headers to see how well the ranked website is ready to protect its users against possible cybersecurity attacks such as Spectre, XSS. Holistic SEO is to improve all aspects of a website. Web security is important for SEO, thus Google provides a secure section within the Google Search Console. Google provides a tool for checking the security issues within the domains such as “Safe Browsing Site Status”. Google provides guides for checking a website’s HTTPS quality and SSL Certificate validity. Google has other technologies such as “password manager”, and the account security checks and set-ups for its own users. In this context, web security is a culture. Without security, even if a website is relevant to a topic, or a web page to a query, it won’t be able to rank properly. If a website is hacked, it means that Google search engine will demote the specific web page, or deindex it. Microsoft Bing, DuckDuckGo, and Yandex can prevent hacked websites rank further on the SERP. Google publishes documents to provide guides against hacking methods such as Japanese Keyword Hack. In this context, the web security response headers are part of secure web surfing, and a search engine can use these precautions to see the source’s quality and reliability.
The security response headers guide and tutorial will be updated in light of the new information over time.
- “HSTS MISSING FROM HTTPS SERVER” Error: How to Fix it? - May 11, 2022
- Absolute and Relative URL Differences and Definitions - May 9, 2022
- The Protocol-relative URL (Link) for SEO and Web Security - May 8, 2022