Priority Headers

Some HTTP headers provide more protection than others, however, strength in numbers applies here and each compliments the other. Imagine a building with many entrances, but only the front entrance has a padlock. Any would-be burglar would easily identify a breach point to gain access. Now imagine the same building but each entrance is padlocked, deadbolted, single and double cylindered, cam locked etc. The same applies to application security, each entrance point signifies a potential exploit in an application, and each security header and it’s directives a hardened unique bolt of protection against a possible breach.

Essential Headers

• X-Frame-Options – Anti Clickjacking
• X-Content-Type-Options – Prevents MIME sniffing
• Strict-Transport-Security – Enforces https access
• Feature Policy – Enables feature blocking resources
• Referrer-Policy – hides or displays referring sites based on directive
• X-XSS-Protection – protects against cross site scripting attacks
• Expect-CT – ensures enforcement of valid certificates
• Content-Security-Policy – whitelist resources to be loaded by the browser