Strict HTTP headers

Test out the headers on your website by running curl -I against it; with luck, you'll get output that looks like this:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2016 01:38:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1337
Last-Modified: Wed, 13 Apr 2016 14:22:09 GMT
Connection: keep-alive
ETag: "570e5611-307"
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes

Specifically, the ones we're looking at are X-Frame-Options, X-Xss-Protection, X-Content-Type-Options, and Strict-Transport-Security.

X-Frame-Options

This field tells the browser whether this page may be rendered inside a <frame>, <iframe>, or <object> on another page. It is the standard defence against clickjacking, where an attacker frames your page invisibly and tricks the user into clicking on it.

The possible values are:

DENY

The page may not be framed at all, not even by pages from the same origin.

SAMEORIGIN

The page may only be framed by pages from the same origin as itself (the current host).

ALLOW-FROM uri

Allows framing only from the specified URI. Support for this value was limited to Internet Explorer and Firefox; Chrome and Safari never implemented it and treat the header as if it were absent, so don't rely on it. If you need a list of allowed origins, the frame-ancestors directive of Content-Security-Policy is the replacement.

X-Xss-Protection

This header field is a bit odd: it was created for the reflected-XSS filter in IE8, and Chrome and Safari later honoured it for their own WebKit filter.

From what I can gather, it was added so that servers could tune or shut off the browser's builtin XSS protection via a header, since the filter sometimes broke legitimate pages. Note that the major browsers have since removed these filters (Firefox never had one), so today the header does little, and the filter's sanitizing mode was itself abused to selectively disable scripts on a page. Content-Security-Policy is the supported defence against XSS now.

0

Turn off XSS protection.

1; mode=block

The 1 keeps the protection on, and IE8 will actively try to sanitize the page, replacing one or more characters of the suspected injected script with '#'.

The mode=block modifier tells the browser to refuse to render the page at all instead of sanitizing it. Blocking is the safer choice: with sanitizing, an attacker who reflects a fragment of one of your own legitimate scripts in the URL can get the filter to neuter that script.

X-Content-Type-Options

nosniff

Its only value is nosniff. It tells the browser not to guess (sniff) the type of a response from its bytes, and in particular not to execute a response as a script, or apply it as a stylesheet, unless the Content-Type actually says it is one (text/javascript, application/javascript, etc. for scripts, text/css for styles). Without it, a user-uploaded file served as text/plain can be sniffed and run as script.


HTTP Strict Transport Security (aka HSTS)

Long story short, it tells your browser to only use HTTPS for this site. Once the browser has seen it, it rewrites plain http:// links to https:// itself for the remembered period and refuses to click through certificate errors. Browsers ignore the header when it arrives over plain HTTP, so it has to be sent on the HTTPS responses.

The fields are as follows:

max-age

How long, in seconds, the browser should remember to only use HTTPS (31536000 is one year).

includeSubDomains (optional)

This parameter tells the browser that the policy applies to every subdomain too. Only set it once every subdomain actually serves HTTPS: the browser will refuse to load any that does not, and it keeps that policy for the full max-age.
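To check all four headers at once rather than eyeballing curl output, here is an added example (not from the original page) that parses a raw response head and audits each header against the values described above. The two sample responses are constructed, not captured from a real host; the one-year HSTS baseline and the accepted X-Xss-Protection values are my choices.

```python
"""Audit the four security headers discussed above from raw `curl -I` output.

Added example; the sample responses below are constructed, not captured.
"""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # HSTS max-age baseline in seconds (assumption: one year)

# Constructed: mirrors the curl -I output shown earlier on the page.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Constructed: a host with weak or missing values for every header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com/\r\n"
    "X-Xss-Protection: 1\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "\r\n"
)


def parse_head(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; stops at the blank line."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Split 'max-age=N; includeSubDomains' into {'max-age': N, 'includesubdomains': True}."""
    out: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                out[key] = int(val.strip().strip('"'))
            except ValueError:
                out[key] = -1           # unparsable max-age: treat as bad
        else:
            out[key] = True
    return out


def audit(raw: str) -> List[Tuple[str, str]]:
    """Return (header, problem) pairs; an empty list means every check passed."""
    h = parse_head(raw)
    findings: List[Tuple[str, str]] = []

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM was never implemented by Chrome or Safari, so it is no protection there.
        findings.append(("X-Frame-Options", f"want DENY or SAMEORIGIN, got {xfo or 'nothing'!r}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    # '1;mode=block' is what this page recommends; '0' is the usual choice now that
    # browsers have dropped the filter. A bare '1' (sanitize mode) is the one that
    # was abused, so it is flagged.
    if xss not in ("0", "1;mode=block"):
        findings.append(("X-Xss-Protection", f"want '0' or '1; mode=block', got {xss or 'nothing'!r}"))

    hsts_raw = h.get("strict-transport-security")
    if hsts_raw is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        hsts = parse_hsts(hsts_raw)
        age = hsts.get("max-age", -1)
        if not isinstance(age, int) or age < ONE_YEAR:
            findings.append(("Strict-Transport-Security", f"max-age {age} is below {ONE_YEAR}"))
        if "includesubdomains" not in hsts:
            findings.append(("Strict-Transport-Security", "no includeSubDomains"))
    return findings


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(resp) or "all checks passed")
```

To run it against a live site, pipe the output of curl -I -s https://yourhost/ into audit(). Keep in mind it only looks at one response: a header that is present on / but dropped on an error page or a static path (a common nginx mistake) will not show up unless you audit those URLs too.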

You can add these headers in your httpd; for example, in nginx.conf it is as easy as:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000";
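Two nginx behaviours bite people with exactly this config, so here is an added example (not from the original page) of the same four headers with both handled. The server name and the /static/ location are placeholders.

```nginx
# Added example, not from the original page. Hostname and paths are placeholders.
server {
    listen 443 ssl;
    server_name example.com;          # assumed name

    # 'always' also attaches the headers to 4xx/5xx responses. Without it, nginx
    # only adds them to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308,
    # so an error page would be framable and sniffable.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /static/ {
        # Pitfall: add_header is only inherited from the server block when the
        # location has NO add_header of its own. This Cache-Control line alone
        # would silently drop all four headers for /static/, so they are repeated.
        add_header Cache-Control "public, max-age=86400";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}
```

In practice, put the four add_header lines in one file and `include` it in every server and location block that sets its own headers, then re-run curl -I against an error URL and a static path as well as the front page to confirm they all carry the headers.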