Strict HTTP headers
Test the headers on your website by running curl -I lyngvaer.no; hopefully you'll get output that looks like this:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2016 01:38:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1337
Last-Modified: Wed, 13 Apr 2016 14:22:09 GMT
Connection: keep-alive
ETag: "570e5611-307"
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Specifically, the ones we're looking at are X-Frame-Options, X-Xss-Protection, X-Content-Type-Options and Strict-Transport-Security.

X-Frame-Options
This field tells the browser from where it can load the page inside a frame or <object>.
The possible values are:
SAMEORIGIN: blocks framing and <object> embedding, except from the current host.
ALLOW-FROM uri: allows embedding from the specified URI.
X-Xss-Protection
This header field is actually kind of weird; it seems it was created for IE8 but has now spread to Chrome.
From what I can gather, it seems it was added so that servers can shut off the built-in XSS protection in IE8 via headers.
The possible values are:
0: turns off XSS protection.
1: keeps the protection on; IE8 will actively try to sanitize the source of the page and replace one or more characters with '#'.
1; mode=block: the mode=block modifier tells the browser to prevent rendering of the page instead of sanitizing it.
X-Content-Type-Options
Basically, this tells the browser not to load a script unless the MIME type actually says it's a script.
HTTP Strict Transport Security (aka HSTS)
Long story short, it tells your browser to only use HTTPS for this site.
The fields are as follows:
max-age: how long (in seconds) the browser should remember to only use HTTPS.
includeSubDomains: tells the browser whether or not this applies to subdomains too.
You can add these headers to your httpd; for example, in nginx.conf it is as easy as:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000";
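Because nginx's add_header directives are only inherited from an enclosing block when the current location or server block defines none of its own, it pays to check what the server actually sends rather than trusting the config. The following is an added example (not code from the original post) that parses a header dump of the kind curl -I prints and reports which of the four headers above are missing or weakly configured. The sample responses are constructed for the example, the one-year max-age threshold mirrors the 31536000 value used on this page, and the finding messages are my own wording.

```python
"""Audit a raw HTTP response header block for the security headers discussed above."""
from typing import Dict, List

# Constructed sample (not captured from a real host): the shape of a `curl -I` dump.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
"""

# A second constructed sample with the headers absent or set to weak values.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
X-Xss-Protection: 0
Strict-Transport-Security: max-age=300
"""

ONE_YEAR = 31536000  # seconds; the max-age value used in the nginx config above


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict keyed by lower-cased name; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into {'max-age': '31536000', 'includesubdomains': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip()
    return out


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every header checked is present and strict."""
    findings: List[str] = []

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed by any origin")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-Xss-Protection missing")
    else:
        d = parse_directives(xss)
        if "0" in d:
            findings.append("X-Xss-Protection: 0 disables the browser's XSS filter")
        elif "1" in d and d.get("mode") != "block":
            findings.append("X-Xss-Protection enabled without mode=block (sanitize instead of block)")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browser will not force HTTPS")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            findings.append("Strict-Transport-Security has no valid max-age")
        else:
            if max_age < ONE_YEAR:
                findings.append(f"Strict-Transport-Security max-age={max_age} is shorter than one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(parse_headers(raw)) or ["no findings"]:
            print(" -", finding)
```

Run against the page's own header set the audit reports only that includeSubDomains is absent; the weak sample produces one finding per header. To audit a live site, pipe the output of curl -I into a file and pass its contents to parse_headers.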