X-headers, what and why?


This content originally appeared on DEV Community and was authored by Jordan Finneran

Contents

  1. Intro
  2. X-Content-Type-Options
  3. X-XSS-Protection
  4. X-Frame-Options
  5. Summary

Intro

Continuing on from my previous blog about website security week, we're going to talk about a series of X- security headers.

These are set as headers on your site when it is served up, let's dive in!

X-Content-Type-Options

This header tells the browser not to try to sniff the type of a file it has been served. Sniffing means the browser ignores the Content-Type header returned by the server and guesses the type from the file's contents instead.

If the browser sniffs content types, a file served as a non-executable type can end up being treated as something executable. That gives bad actors a way to inject executable code into otherwise normal files, which can lead to vulnerabilities.

It's best not to let the browser sniff the content type at all.

Recommended setting:

X-Content-Type-Options: nosniff

You can read more about it on Mozilla.

X-XSS-Protection

This header has mostly been superseded by the Content Security Policy, but it's still useful for old browsers.
It can be set so browsers detect XSS (Cross Site Scripting) and block the page from loading once a Cross Site Scripting attack has been detected.

Recommended setting:

X-XSS-Protection: 1; mode=block

You can read more about it on Mozilla.

X-Frame-Options

This header has mostly been superseded by the Content Security Policy, but it's still useful for old browsers.

This indicates whether the site may be loaded in a <frame>, <iframe>, <embed> or <object>.
Use this header to ensure your site and content cannot be embedded in someone else's site; embedding a site this way is commonly referred to as a clickjacking attack.

Recommended setting:

X-Frame-Options: DENY

You can read more about it on Mozilla.
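As an added example (my own code, not from the original post), the following Python module adds all three headers above to any WSGI application and audits a response's headers against the recommended values. `security_headers_middleware`, `audit_headers`, `run_wsgi` and the constructed `plain_app` are my names, and the audit also accepts SAMEORIGIN for X-Frame-Options since it still stops framing by third-party sites.

```python
"""Add the three X- headers from the post to a WSGI app, and audit a response for them (added example)."""

# Recommended values from the post; the audit also accepts SAMEORIGIN for X-Frame-Options.
RECOMMENDED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
}
ACCEPTABLE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}

def security_headers_middleware(app):
    """Wrap any WSGI app so every response carries the headers; headers the app already set are kept."""
    def wrapped(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}  # header names are case-insensitive
            for name, value in RECOMMENDED.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_headers)
    return wrapped

def audit_headers(headers):
    """Return a list of findings for a response's headers; an empty list means all three are set correctly."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff': browser may MIME-sniff responses")
    if h.get("x-frame-options", "").upper() not in ACCEPTABLE_FRAME_OPTIONS:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN: page can be framed (clickjacking)")
    parts = [p.strip().lower() for p in h.get("x-xss-protection", "").split(";")]  # e.g. ['1', 'mode=block']
    if parts[0] != "1" or "mode=block" not in parts[1:]:
        findings.append("X-XSS-Protection not '1; mode=block': legacy XSS filter not in blocking mode")
    return findings

def run_wsgi(app, path="/"):
    """Drive a WSGI app in-process (no network) and return (status, headers dict, body bytes)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
        return lambda data: None  # WSGI 'write' callable, unused here
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body

def plain_app(environ, start_response):
    """Constructed sample app that sets only Content-Type, so the audit reports all three headers missing."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]
```

Wrapping `plain_app` with `security_headers_middleware` turns its three audit findings into none while leaving its own Content-Type untouched.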

Summary

In summary, setting a few additional headers when serving your site can really improve its security. It reduces the attack surface available to attackers and prevents common attacks on websites.

Set those headers now!

Happy Building!




Jordan Finneran | Sciencx (2021-05-27T19:59:42+00:00) X-headers, what and why?. Retrieved from https://www.scien.cx/2021/05/27/x-headers-what-and-why/
