HTTP Security Headers: X-Frame-Options
Published: 21 February 2022 Last Updated: 03 July 2023
The X-Frame-Options response header tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object> element. Its supported values are DENY and SAMEORIGIN (ALLOW-FROM is obsolete and ignored by current browsers), and the Content-Security-Policy frame-ancestors directive supersedes it where supported. Sending it prevents attacks such as clickjacking, where a hostile page frames the target and tricks the user into clicking its controls.
HTTP Security Headers: Cache-Control
Published: 21 February 2022 Last Updated: 03 July 2023
The Cache-Control response header specifies whether, and for how long, the response may be cached by the browser and by intermediaries such as web proxies. Responses that contain confidential information should be sent with Cache-Control: no-store so they are never written to a cache: if such a response is cached on a public or shared device, another user of that device can recover it. Note that no-cache is not sufficient on its own; it only requires a cache to revalidate before reuse and still permits the response to be stored.
HTTP Security Headers: Strict-Transport-Security
Published: 06 August 2021 Last Updated: 05 July 2023
HTTP Strict Transport Security (HSTS) instructs the browser to use HTTPS only for the domain (and, with the includeSubDomains directive, its subdomains) for the number of seconds given in max-age. Any http:// navigation or link is rewritten to https:// before a request is made, so no information is sent over plaintext HTTP even if the user types an HTTP address. This also mitigates the risk of cookies without the Secure flag, since the browser never makes an HTTP request on which they could be sent. The header is only honoured when received over a valid HTTPS connection, so a user's first visit is unprotected unless the domain is on the browsers' HSTS preload list.
HTTP Security Headers: Content-Security-Policy
Published: 19 October 2020 Last Updated: 03 July 2023
Content Security Policy (CSP) lets the application restrict the origins from which resources may be loaded to an allow-list, including where scripts may be loaded from (script-src) and which sites may frame the application (frame-ancestors). It therefore mitigates reflected and stored cross-site scripting as well as clickjacking. The protection against XSS depends on not allowing inline script: a script-src that includes 'unsafe-inline' without nonces or hashes lets an injected <script> block run.
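The four recommendations above (X-Frame-Options, Cache-Control, Strict-Transport-Security and Content-Security-Policy) can be checked mechanically against a server's response headers. The audit script below is an added example, not code from this site or from any of the linked posts; the two header sets at the bottom are constructed for illustration rather than captured from a real server, and the one-year HSTS minimum is an assumed policy threshold.

```python
"""Audit response headers against the four recommendations on this page.

Added example, not code from the original site. Header sets at the bottom
are constructed, and MIN_HSTS_MAX_AGE is an assumed policy threshold.
"""
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed minimum)


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def _directives(value: str, sep: str = ",") -> Dict[str, str]:
    # "a=1, b, c=x" -> {"a": "1", "b": "", "c": "x"}; names lower-cased.
    out: Dict[str, str] = {}
    for part in value.split(sep):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def _csp(value: str) -> Dict[str, List[str]]:
    # CSP directives are ';'-separated: "name source source ...".
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_framing(h: Dict[str, str]) -> List[str]:
    # CSP frame-ancestors supersedes X-Frame-Options when present.
    if "frame-ancestors" in _csp(h.get("content-security-policy", "")):
        return []
    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        return ["framing: no X-Frame-Options and no CSP frame-ancestors; page can be framed (clickjacking)"]
    if xfo not in ("DENY", "SAMEORIGIN"):
        return [f"framing: X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete); use CSP frame-ancestors"]
    return []


def check_cache_control(h: Dict[str, str], confidential: bool) -> List[str]:
    cc = _directives(h.get("cache-control", ""))
    if not confidential or "no-store" in cc:
        return []
    if "no-cache" in cc:
        # no-cache only forces revalidation; the response is still stored.
        return ["cache: Cache-Control has no-cache but not no-store; confidential response may be written to disk"]
    return ["cache: Cache-Control lacks no-store on a confidential response"]


def check_hsts(h: Dict[str, str]) -> List[str]:
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ["hsts: Strict-Transport-Security missing; http:// navigations are not upgraded"]
    d = _directives(hsts, sep=";")
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["hsts: max-age missing or not an integer; browsers ignore the header"]
    findings = []
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"hsts: max-age={max_age} is below the assumed one-year minimum")
    if "includesubdomains" not in d:
        findings.append("hsts: includeSubDomains absent; subdomains remain reachable over HTTP")
    return findings


def check_csp(h: Dict[str, str]) -> List[str]:
    raw = h.get("content-security-policy")
    if raw is None:
        return ["csp: Content-Security-Policy missing"]
    csp = _csp(raw)
    scripts = csp.get("script-src", csp.get("default-src"))  # script-src falls back to default-src
    if scripts is None:
        return ["csp: neither script-src nor default-src set; scripts load from anywhere"]
    lowered = [s.lower() for s in scripts]
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    if "'unsafe-inline'" in lowered and not nonce_or_hash:
        return ["csp: script-src allows 'unsafe-inline' without nonces/hashes; XSS is not mitigated"]
    return []


def audit(headers: Dict[str, str], confidential: bool = True) -> List[str]:
    """Return all findings for one response; an empty list means every check passed."""
    h = _lower_keys(headers)
    return check_framing(h) + check_cache_control(h, confidential) + check_hsts(h) + check_csp(h)


# Constructed header sets (not from a real server): a weak and a hardened configuration.
WEAK_HEADERS = {
    "Cache-Control": "no-cache",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit(hdrs) or ["OK"])
```

Run against the weak set the audit reports five findings (framing, cache, two HSTS and one CSP); the hardened set passes every check, with frame-ancestors 'none' making X-Frame-Options redundant and the nonce causing browsers to ignore any 'unsafe-inline'. In practice the headers are taken from a real response (for example via requests or curl -I) rather than from the constructed dictionaries.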