November 16, 2020

Hardening Web Applications using Secure HTTP Headers

As the world becomes increasingly interconnected, online services such as social media and e-commerce are accumulating enormous amounts of sensitive business and personal data. That data is a target, and clickjacking, cross-site request forgery (CSRF), cross-site scripting (XSS) and similar attacks are the threat vectors cybercriminals use to reach it. Secure HTTP response headers do not guarantee a total defence against such attacks, but they are a cheap and effective way to have modern browsers enforce protections on your behalf; they complement, rather than replace, fixing the underlying vulnerabilities in the application itself.


Implementing Secure HTTP Headers to Prevent Vulnerabilities

By applying the “Secure Headers Project” framework set out by OWASP, Nexusguard’s Application Protection now provides its users the ability to secure their web applications via the following options under the Web Application Firewall feature.


X-Frame-Options
Setting X-Frame-Options to DENY (or SAMEORIGIN, if your application legitimately frames its own pages) tells the browser not to render your page inside a frame on another site. This defeats clickjacking, where an attacker loads your page in an invisible iframe under their own user interface so that the victim's clicks land on your buttons and links. The Content Security Policy frame-ancestors directive is the modern equivalent, and the two should be set to agree with each other.

X-XSS-Protection
This header controls the reflected-XSS filter built into older browsers, which blocks rendering of a page when it detects script from the request echoed in the response. The filter has since been removed from Chromium-based browsers and was never implemented in Firefox, and the filter itself could be abused to leak information about a page, so current OWASP guidance is to set the header to 0 and rely on Content Security Policy for XSS protection instead.

X-Content-Type-Options
Setting X-Content-Type-Options to nosniff is the countermeasure against MIME sniffing: it stops the browser from guessing a response's type from its bytes and forces it to honour the declared Content-Type. Without it, an uploaded file served as text/plain or image/png can be reinterpreted as HTML or JavaScript and executed.

Content Security Policy
By listing the origins allowed to supply scripts, styles, frames and other content, the Content-Security-Policy header stops the browser from loading assets the policy does not approve, which makes it the most effective of these headers against XSS and other code injection attacks. Its value depends entirely on how strict the policy is: a policy that allows 'unsafe-inline' or wildcard script sources gives little XSS protection. Roll a new policy out with Content-Security-Policy-Report-Only first so that violation reports can be reviewed before anything is blocked.

Referrer-Policy
The Referrer-Policy header controls how much of the current URL the browser sends in the Referer header when it navigates to, or fetches from, another origin. This is a data-leak control rather than an injection defence: URLs frequently carry session identifiers, password-reset tokens or search terms, and a permissive policy hands them to every third-party site and CDN a page links to or embeds. A value such as strict-origin-when-cross-origin sends only your origin to other sites and nothing at all on an HTTPS-to-HTTP downgrade.

Secure Cookie Flag
Adding the Secure attribute to a Set-Cookie header tells the browser never to transmit that cookie over an unencrypted channel: browsers that honour the flag only send such cookies with requests to HTTPS URLs. It is particularly useful in preventing session-cookie theft by a man-in-the-middle who can observe or trigger plain-HTTP requests to your domain.
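The headers above, applied and audited from Node.js, as an added example that is not code from the page or from Nexusguard. The values follow the OWASP Secure Headers Project recommendations; the WEAK_HEADERS input is constructed to resemble an unhardened application, and the HttpOnly attribute appended to cookies is an assumption beyond the Secure flag the page discusses.

```javascript
// Added example: build and audit the response headers discussed above.
// Not Nexusguard's code; values follow OWASP Secure Headers Project guidance
// as of late 2020, and the WEAK_HEADERS input below is constructed.

const SECURE_HEADERS = Object.freeze({
  // Refuse to be framed; use SAMEORIGIN if the app legitimately frames itself.
  'X-Frame-Options': 'DENY',
  // The legacy XSS auditor is gone from Chromium-based browsers and never
  // shipped in Firefox; OWASP now recommends disabling it and relying on CSP.
  'X-XSS-Protection': '0',
  // Force the declared Content-Type, stopping MIME sniffing.
  'X-Content-Type-Options': 'nosniff',
  // Own origin only; frame-ancestors is the CSP counterpart of X-Frame-Options
  // and must agree with it. No 'unsafe-inline', no wildcards.
  'Content-Security-Policy':
    "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  // Full URL same-origin, origin only cross-origin, nothing on HTTPS->HTTP.
  'Referrer-Policy': 'strict-origin-when-cross-origin',
});

// True if a Set-Cookie value already carries the given attribute.
function hasAttr(cookie, attr) {
  return new RegExp('(?:^|;)\\s*' + attr + '\\s*(?:;|$)', 'i').test(cookie);
}

// Add Secure (the flag the page discusses) and HttpOnly (assumed standard
// practice) to a Set-Cookie value without duplicating flags already present.
function secureCookie(cookie) {
  let c = cookie;
  if (!hasAttr(c, 'Secure')) c += '; Secure';
  if (!hasAttr(c, 'HttpOnly')) c += '; HttpOnly';
  return c;
}

// Return a copy of `headers` with the secure values applied. Feed the result
// to res.setHeader(name, value) or res.writeHead() in any Node framework.
function applySecureHeaders(headers) {
  const managed = new Set(Object.keys(SECURE_HEADERS).map(n => n.toLowerCase()));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (managed.has(key)) continue; // replaced by the secure value below
    if (key === 'set-cookie') {
      out['Set-Cookie'] = [].concat(value).map(secureCookie);
    } else {
      out[name] = value;
    }
  }
  return Object.assign(out, SECURE_HEADERS);
}

// Value of one CSP directive, or null if the policy does not set it.
function directive(csp, name) {
  const d = csp.split(';').map(s => s.trim())
    .find(s => s.toLowerCase() === name || s.toLowerCase().startsWith(name + ' '));
  return d ? d.slice(name.length).trim() : null;
}

// Audit a header set (as a framework or `curl -I` would show it) and return
// the findings a reviewer would raise; [] means every check passed.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];
  const csp = h['content-security-policy'] || '';

  if (!h['x-frame-options'] && !directive(csp, 'frame-ancestors')) {
    findings.push('clickjacking: no X-Frame-Options and no CSP frame-ancestors');
  }
  if (String(h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('mime-sniffing: X-Content-Type-Options is not nosniff');
  }
  if (!csp) {
    findings.push('xss: no Content-Security-Policy');
  } else {
    // script-src falls back to default-src when absent.
    const scriptSrc = directive(csp, 'script-src') || directive(csp, 'default-src') || '';
    if (/'unsafe-inline'/i.test(scriptSrc) && !/'(nonce-|sha(256|384|512)-)/i.test(scriptSrc)) {
      findings.push("xss: CSP allows 'unsafe-inline' scripts without nonce or hash");
    }
    if (/(^|\s)(\*|https?:)(\s|$)/.test(scriptSrc)) {
      findings.push('xss: CSP script sources include a wildcard or bare scheme');
    }
  }
  if (h['x-xss-protection'] && !/^0\b/.test(String(h['x-xss-protection']).trim())) {
    findings.push('legacy: X-XSS-Protection enables the removed auditor; set it to 0');
  }
  if (!h['referrer-policy']) {
    findings.push('leak: no Referrer-Policy');
  }
  for (const c of [].concat(h['set-cookie'] || [])) {
    if (!hasAttr(c, 'Secure')) findings.push('cookie: ' + c.split('=')[0] + ' lacks Secure');
  }
  return findings;
}

// Constructed response headers from a typical unhardened application.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
  'Set-Cookie': ['session=abc123; Path=/; HttpOnly', 'pref=dark; Path=/; Secure'],
};

console.log(auditHeaders(WEAK_HEADERS));                     // six findings
console.log(auditHeaders(applySecureHeaders(WEAK_HEADERS))); // []
```

The audit deliberately treats a missing X-Frame-Options as acceptable when the CSP sets frame-ancestors, and checks script-src (falling back to default-src) rather than the whole policy string, because that is the directive an XSS payload needs. Running auditHeaders against the headers your own application currently returns is a quick way to see which of the controls above are actually reaching the browser.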


Nexusguard’s Web Application Firewall

Forming an integral part of Application Protection (AP), Nexusguard WAF is a cloud-based firewall that can be customized to meet the security needs of organizations. It effectively protects websites and applications against ever-changing threats by analyzing incoming requests to websites and applications, and also adopts all the best practices in the “OWASP Secure Headers Project” framework, to provide an extra layer of security that helps mitigate certain types of attacks and vulnerabilities.


To learn more about how to increase the security of web applications by implementing secure HTTP headers, please read about our Application Protection.
