WebApp 101

Missing Security HTTP Headers We Should Call Out

The following HTTP headers should be a standard practice on every web server. If you are performing a penetration test and the server lacks any of the following headers:

Quick View

  • X-Frame-Options
  • HSTS (HTTP Strict Transport Security)
  • X-XSS-Protection
  • Cache-Control
  • Content-Security-Policy

Detailed View

X-Frame-Options: The X-Frame-Options HTTP header allows content publishers to prevent their own content from being used in an invisible frame by attackers.

HTTP Strict Transport Security: The HTTP Strict-Transport-Security response header informs the browser that the site should only be accessed using HTTPS and that any future attempt to access it using HTTP should automatically be converted to HTTPS.

X-XSS-Protection: The HTTP X-XSS-Protection response header stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Cache-Control: The Cache-Control HTTP header specifies caching policies in both client requests and server responses. Policies include how a resource is cached, where it is cached, and its maximum age before it expires.

Content-Security-Policy: The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting attacks (XSS).
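An added example (not code from the original post) of the check a tester would run over a captured response: it parses the raw HTTP response and reports each of the five headers above as missing, weak or ok. The recommended values, the weakness rules and the sample response are assumptions constructed for this example.

```python
"""Audit a raw HTTP response for the five headers discussed above (example code)."""
import re

# Recommended values are assumptions for this example, not from the post.
RECOMMENDED = {
    "x-frame-options": "DENY",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-xss-protection": "1; mode=block",
    "cache-control": "no-store",
    "content-security-policy": "default-src 'self'",
}

def parse_headers(raw_response: str) -> dict:
    """Return {lowercased-name: value}; header names are case-insensitive."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def _weakness(name: str, value: str):
    """Return a reason string if the header is present but weak, else None."""
    v = value.lower()
    if name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return f"weak: unexpected value {value!r}"
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return "weak: max-age below one year"
    # x-xss-protection: presence only; current browsers ignore this header.
    if name == "cache-control" and "no-store" not in v:
        return "weak: no-store absent, responses may be cached"
    if name == "content-security-policy" and "unsafe-inline" in v:
        return "weak: 'unsafe-inline' allowed"
    return None

def audit_headers(headers: dict) -> dict:
    """Map each expected header to 'missing', 'weak: <reason>' or 'ok'."""
    findings = {}
    for name in RECOMMENDED:
        value = headers.get(name)
        findings[name] = "missing" if value is None else (_weakness(name, value) or "ok")
    return findings

# Constructed sample response (not a real server) showing missing and weak headers.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: ALLOWALL\r\n"
          "Strict-Transport-Security: max-age=300\r\nCache-Control: no-cache\r\n\r\n<html></html>")
```

Running `audit_headers(parse_headers(SAMPLE))` flags X-XSS-Protection and Content-Security-Policy as missing and the other three as weak; the tester then reports each finding with its recommended value.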
