HTTP headers to secure your app for the busy web developer

  • Set an X-Frame-Options header to stop someone from wrapping your site in an iframe to clickjack it. Its values are DENY, SAMEORIGIN, and ALLOW-FROM.
  • Set X-XSS-Protection to have the browser block reflected XSS (cross-site scripting) attacks.
  • Set the X-Content-Type-Options header so browsers respect the server-declared content type instead of sniffing it, preventing a file from being interpreted as HTML and its embedded JavaScript from running.
  • Apply Strict-Transport-Security so the browser refuses to connect over plain HTTP and uses HTTPS instead.
  • Keep attackers from reading cookies: the HttpOnly attribute stops JavaScript from accessing the cookie, which blocks an XSS attacker, and the Secure attribute allows the cookie to be sent only over HTTPS, never HTTP.

Full post here, 4 mins read