
HTTP Headers

Headers


Content-Security-Policy

  • Limits the damage of XSS (and other injection) by telling the browser which sources scripts, styles, images, frames and other resources may be loaded from, and whether inline script may run at all

CSP Bypasses
CSP Evaluator

Example:

# Default to only allow content from the current site
# Allow images from current site and imgur.com
# Don't allow objects such as Flash and Java
# Only allow scripts from the current site
# Only allow styles from the current site
# Only allow this page to be framed by the current site (frame-ancestors covers what X-Frame-Options does)
# Restrict URLs in the <base> tag to the current site
# Allow forms to submit only to the current site
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';

Report Only Example:

Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
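
As an added worked example (not code from the original page), the following Python script parses a policy value and flags the weaknesses a CSP evaluator would complain about: 'unsafe-inline' or 'unsafe-eval' in script-src without a nonce or hash, wildcard or data: script sources, object-src not locked to 'none', and the two directives that do not fall back to default-src (base-uri, frame-ancestors) being absent. The policies in EXAMPLES are constructed; the first is the one shown above.

```python
"""Lint a Content-Security-Policy value for weaknesses that defeat its XSS protection.

Added example for this page, not code from the original. The policies in EXAMPLES
are constructed (the first is the one shown above).
"""
from typing import Dict, List, Optional

# Fetch directives fall back to default-src when absent. base-uri and
# frame-ancestors do NOT fall back: omitting them means "unrestricted".
FALLS_BACK_TO_DEFAULT = {"script-src", "object-src", "style-src", "img-src", "frame-src", "connect-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}.

    Browsers ignore a repeated directive, so the first occurrence wins. Tokens are
    lower-cased; nonce/hash payloads are only ever tested by prefix here.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that actually governs `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def lint_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no obvious weakness."""
    policy = parse_csp(header)
    findings: List[str] = []

    scripts = effective(policy, "script-src")
    if scripts is None:
        findings.append("script-src: neither script-src nor default-src set; scripts may load from anywhere")
    else:
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        # A nonce or hash makes browsers ignore 'unsafe-inline' (kept only for old browsers).
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' without nonce/hash lets injected inline <script> run")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src: 'unsafe-eval' lets injected strings reach eval()/Function()")
        if any(s in ("*", "http:", "https:") for s in scripts):
            findings.append("script-src: wildcard or bare scheme source allows scripts from any host")
        if "data:" in scripts:
            findings.append("script-src: data: allows <script src=\"data:...\"> injection")

    objects = effective(policy, "object-src")
    if objects is None or "'none'" not in objects:
        findings.append("object-src: not 'none'; plugin content can execute script")

    if "base-uri" not in policy:
        findings.append("base-uri: missing; an injected <base> can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors: missing; page can be framed for clickjacking unless X-Frame-Options is set")
    return findings


EXAMPLES = {
    "page": ("default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'; "
             "script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';"),
    "weak": "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example.com data:",
}

if __name__ == "__main__":
    for name, value in EXAMPLES.items():
        print(name, lint_csp(value) or ["no findings"])
```

Run it against a policy copied from a live response header; the "weak" policy above produces five findings, the page's own policy none. The script only checks script execution paths; run the real CSP Evaluator for the full directive set.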

Strict-Transport-Security

  • Tells the browser to reach this host only over HTTPS for max-age seconds: http:// URLs are rewritten to https:// before any request is sent, and certificate errors can no longer be clicked through
  • includeSubDomains also enforces this on all subdomains (without it, a plain-HTTP subdomain can still be downgraded and used to inject cookies for the parent domain)
  • preload asks for the domain to be hard-coded into browsers' HTTPS-only lists, which protects even the very first visit; removal from the list takes months, so only submit once every subdomain is ready for HTTPS

Example:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
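
The following Python snippet is an added example (not from the original page) that parses the header and reports whether it meets the preload submission rules (max-age of at least one year, includeSubDomains and preload all present), plus the two mistakes that make browsers drop the header entirely: a missing or non-numeric max-age and a repeated directive. The thresholds follow the hstspreload.org requirements; the header strings in the demo are constructed.

```python
"""Parse a Strict-Transport-Security header and check it against the preload rules.

Added example for this page, not code from the original. The threshold follows the
hstspreload.org submission requirements; the header strings in the demo are constructed.
"""
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; the smallest max-age the preload list accepts


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """'max-age=63072000; includeSubDomains; preload' ->
    {'max-age': '63072000', 'includesubdomains': None, 'preload': None}.

    Directive names are case-insensitive and quoted values are unquoted. A repeated
    directive makes the whole header invalid (RFC 6797), reported as ValueError.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def hsts_findings(header: str) -> List[str]:
    """Return what a reviewer should flag; an empty list means preload-ready."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [f"{exc}; browsers ignore the whole header"]
    raw = d.get("max-age")
    if raw is None or not raw.isdigit():
        return ["max-age missing or not a number; browsers ignore the whole header"]
    findings: List[str] = []
    max_age = int(raw)
    if max_age == 0:
        findings.append("max-age=0 deletes the policy; only correct when deliberately retiring HSTS")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is under one year; preload requires at least {ONE_YEAR}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; an http:// subdomain can still be downgraded "
                        "and used to inject cookies for the parent domain")
    if "preload" not in d:
        findings.append("preload missing; the first visit over http:// is unprotected "
                        "until the browser has seen the header once")
    return findings


if __name__ == "__main__":
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300", "includeSubDomains"):
        print(hdr, "->", hsts_findings(hdr) or ["preload-ready"])
```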

X-Content-Type-Options

This header tells browsers to trust the Content-Type the server sends instead of "sniffing" the body to guess a type. Without it a file the application serves as text/plain or image/png (a user upload, for example) can be sniffed as text/html and rendered as a page in the site's origin, which is a common way to turn an upload feature into stored XSS.

It also stops <script> and <link rel="stylesheet"> references from loading resources whose declared type is something else, and removes the general class of surprises where the browser renders a response as something other than what the developer labelled it. With nosniff the browser always respects the MIME type set by the server.

Example:

X-Content-Type-Options: nosniff

Cache Control Headers

Any page with sensitive data, such as a user page or a customer checkout page, should be served with Cache-Control: no-store (no-cache on its own only forces revalidation; the response may still be written to disk). This prevents someone on a shared computer from pressing the back button or going through history and viewing personal information, and keeps the page out of shared proxy caches.

Pages that change rarely, such as static assets (images, CSS files, and JS files), are good to cache, for example with a long max-age plus a content hash in the file name. This can be done on a page by page basis, or with a path regex in the server configuration.

X-Frame-Options

This header tells the browser whether the page may be displayed inside an iframe (or frame/object). The CSP frame-ancestors directive does the same job with finer control and takes precedence where both are set.

If a malicious site embeds your website in an invisible or transparent iframe positioned over its own decoy content, the user thinks they are clicking the decoy but the click lands on your page, so the attacker can make them press buttons (change a setting, confirm a transfer) on your site with their own logged-in session. This is clickjacking; the attacker needs no JavaScript access to your page, only control over where the iframe sits.

Example:

X-Frame-Options: deny
X-Frame-Options: sameorigin

Access-Control

Access-Control-Allow-Credentials

  • Tells the browser it may expose the response to the calling page even though the request carried credentials (cookies, Authorization header or TLS client certificate)
  • Sent on both the preflight and the actual response; it cannot be combined with Access-Control-Allow-Origin: *, so the allowed origin must be echoed explicitly

Example:

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers

  • Response to a preflight that lists which non-safelisted request headers the browser may send in the actual Cross Origin Request
  • The browser compares it against the Access-Control-Request-Headers it sent in the preflight

Usage:

Access-Control-Allow-Headers: <header-name>[, <header-name>]*
Access-Control-Allow-Headers: *

Access-Control-Request-Headers

  • Request header the browser adds to the preflight (OPTIONS) to list the non-safelisted headers the actual Cross Origin Request will carry
  • The server answers with Access-Control-Allow-Headers

Usage:

Access-Control-Request-Headers: <header-name>[, <header-name>]*

Access-Control-Allow-Methods

  • Response to a preflight that lists which HTTP methods may be used in the actual Cross Origin Request
  • The browser compares it against the Access-Control-Request-Method it sent in the preflight

Examples:

Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Methods: *

Access-Control-Request-Method

  • Request header the browser adds to the preflight (OPTIONS) naming the HTTP method the actual Cross Origin Request will use
  • The server answers with Access-Control-Allow-Methods

Examples:

Access-Control-Request-Method: POST

Access-Control-Allow-Origin

  • Specifies which origin may read the response to a Cross Origin Request (a single origin, or * for any origin without credentials)
  • Sent on both the preflight and the actual response; when the value is derived from the request's Origin header, validate it against an exact allowlist and add Vary: Origin so caches do not serve one origin's answer to another

Example:

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>
Access-Control-Allow-Origin: null

Note

"null" is the Origin sent by sandboxed iframes, documents loaded from data: or file: URLs, and some redirected requests, so allowing it lets any attacker-controlled document read the response

Access-Control-Expose-Headers

  • Specifies which HTTP response headers JavaScript may read from a Cross Origin Response, in addition to the safelisted defaults
  • Sent on the actual response, not the preflight

By default only the headers below (the CORS-safelisted response headers) are accessible from a Cross Origin Response
- Cache-Control
- Content-Language
- Content-Length
- Content-Type
- Expires
- Last-Modified
- Pragma

Example:

Access-Control-Expose-Headers: Content-Length, X-Kuma-Revision
Access-Control-Expose-Headers: *
Access-Control-Expose-Headers: *, Authorization

Note

The wildcard does not expose the Authorization header, and when the request was made with credentials "*" is treated as a literal header name rather than a wildcard

Access-Control-Max-Age

  • Specifies how long (in seconds) the browser may cache the result of a preflight request before it has to send another OPTIONS for the same resource
  • Applies only to the preflight response; browsers cap the value (Chromium at 2 hours, Firefox at 24 hours)

Example:

Access-Control-Max-Age: 600 
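
The headers above are only safe in combination, so here is an added Python example (not code from the original page) showing how a hardened CORS middleware decides them for both the preflight and the actual request: exact-match origin allowlist, rejection of the "null" origin, the allowed origin echoed rather than "*" because credentials are on, Vary: Origin, and Allow-Methods/Allow-Headers/Max-Age only on the preflight with Expose-Headers only on the real response. ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS, EXPOSED_HEADERS and the sample requests are constructed assumptions.

```python
"""Decide which Access-Control-* headers to send for a cross-origin request.

Added example for this page, not code from the original. The allowlists and the
sample requests are constructed; adapt them to your own origins and API.
"""
from typing import Dict, Optional

# Exact origins only. Substring or regex matching (".example.com" in origin) is how
# https://app.example.com.evil.net gets through.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_HEADERS = {"content-type", "x-csrf-token"}  # compared case-insensitively
EXPOSED_HEADERS = "X-Request-Id"                     # beyond the CORS-safelisted defaults


def cors_headers(request: Dict[str, str], preflight: bool) -> Optional[Dict[str, str]]:
    """Return the CORS response headers to add, or None to answer without any.

    `request` maps lower-cased request header names to their values. Answering
    without CORS headers is the safe failure: the browser then refuses to hand
    the response to the calling page.
    """
    origin = request.get("origin")
    # "null" is what sandboxed iframes, data:/file: documents and some redirected
    # requests send. Allowing it means allowing any attacker-controlled document.
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return None

    headers = {
        # Echo the one allowed origin. "*" is never valid with credentials, and
        # echoing an unchecked Origin would be equivalent to "*" with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Without Vary a shared cache could serve this origin's ACAO to another.
        "Vary": "Origin",
    }

    if preflight:
        method = request.get("access-control-request-method", "").upper()
        if method not in ALLOWED_METHODS:
            return None
        requested = {
            h.strip().lower()
            for h in request.get("access-control-request-headers", "").split(",")
            if h.strip()
        }
        if not requested <= ALLOWED_HEADERS:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"  # cache this preflight verdict for 10 minutes
    else:
        headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS
    return headers


if __name__ == "__main__":
    # Constructed preflight: the browser asks whether DELETE with X-CSRF-Token is allowed.
    preflight_req = {
        "origin": "https://app.example.com",
        "access-control-request-method": "DELETE",
        "access-control-request-headers": "X-CSRF-Token, Content-Type",
    }
    print(cors_headers(preflight_req, preflight=True))
    print(cors_headers({"origin": "null"}, preflight=False))                              # None
    print(cors_headers({"origin": "https://app.example.com.evil.net"}, preflight=False))  # None
```

Returning None rather than a partially filled set of headers matters: a response that carries Access-Control-Allow-Origin but not Allow-Credentials, or the reverse, is simply blocked by the browser, so the server never has to guess which half-answer is safe.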

Public-Key-Pins

  • Deprecated and removed from all major browsers; do not deploy
  • Pinned the public keys a site's certificate chain had to contain; a mistaken or lost pin locked users out for the whole max-age, which is why it was abandoned in favour of Certificate Transparency

Usage:

Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
Public-Key-Pins-Report-Only: pin-sha256="<pin-value>"; max-age=<expire-time>; includeSubDomains; report-uri="<uri>"

Example:

Public-Key-Pins-Report-Only: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; includeSubDomains; report-uri="https://www.example.org/hpkp-report"
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubDomains; report-uri="https://www.example.org/hpkp-report"

Expect-CT

  • Tells the browser to require that the site's certificate is logged in Certificate Transparency; with enforce it refuses connections whose certificate lacks valid SCTs instead of only reporting them to report-uri
  • Deprecated: browsers now require CT for every publicly trusted certificate, and Chrome has removed support for the header

Usage:

Expect-CT: report-uri="<uri>", enforce, max-age=<age>

Example:

Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

Cross-Origin-Resource-Policy

  • Response header that says which origins may embed this resource (as an image, script, iframe, etc.); it blocks cross-origin no-cors loads, which is the defence against Spectre-style reads of the resource from another site's process

Usage:

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

Example:

Cross-Origin-Resource-Policy: same-origin

Cross-Origin-Opener-Policy

  • Controls whether a top-level document shares its browsing context group with cross-origin pages that opened it or that it opens: same-origin severs window.opener references in both directions (defeating tabnabbing and other cross-window attacks), same-origin-allow-popups keeps the page's own popups usable, unsafe-none is the default

Cross-Origin-Embedder-Policy

  • require-corp makes the browser refuse any cross-origin subresource that has not opted in, either via CORS or via Cross-Origin-Resource-Policy; together with Cross-Origin-Opener-Policy: same-origin this makes the page cross-origin isolated, which is what unlocks SharedArrayBuffer and high-resolution timers

Want-Digest

  • Request header with which the client asks the server to include a Digest header on the response, listing the algorithms it accepts in order of preference (q values)

Usage:

Want-Digest: <digest-algorithm>

Examples:

Want-Digest: sha-256
Want-Digest: SHA-512;q=0.3, sha-256;q=1, md5;q=0

Digest

  • Base64 digest of the message body so the receiver can detect corruption or truncation; on its own it is not an integrity control against an active attacker, who can simply recompute it, unless the header is covered by a signature or carried over TLS

Usage:

Digest: <digest-algorithm>=<digest-value>
Digest: <digest-algorithm>=<digest-value>,<digest-algorithm>=<digest-value>

Examples:

Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=,unixsum=30637
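
As an added example (not code from the original page), the Python below builds the header and verifies it on the receiving side. Two points it makes that the bullet alone does not: weak or non-cryptographic algorithms such as unixsum or md5 are parsed but never count as a successful check, and when several accepted algorithms are present all of them must match. SAMPLE_BODY is the body from the HTTP digest specification's own example; the other inputs are constructed.

```python
"""Produce and verify the Digest header (RFC 3230 syntax) over a message body.

Added example for this page, not code from the original. SAMPLE_BODY is the body
from the HTTP digest specification's example; everything else is constructed.
"""
import base64
import hashlib
import hmac
from typing import Dict

# Algorithms worth trusting for integrity. md5 and sha-1 (collisions) and unixsum /
# adler32 (trivially forgeable) are parsed but never count as a valid check.
ACCEPTED = {"sha-256": "sha256", "sha-512": "sha512"}

SAMPLE_BODY = b'{"hello": "world"}'


def make_digest(body: bytes, algorithms=("sha-256",)) -> str:
    """Build 'sha-256=<base64>[,sha-512=<base64>]' for the given body."""
    parts = []
    for alg in algorithms:
        raw = hashlib.new(ACCEPTED[alg], body).digest()
        parts.append(f"{alg}={base64.b64encode(raw).decode('ascii')}")
    return ",".join(parts)


def parse_digest(header: str) -> Dict[str, str]:
    """'sha-256=X48..=,unixsum=30637' -> {'sha-256': 'X48..=', 'unixsum': '30637'}.

    Splitting on the first '=' is safe: algorithm tokens never contain one, and
    base64 padding '=' only ever sits at the end of the value.
    """
    out: Dict[str, str] = {}
    for item in header.split(","):
        alg, sep, value = item.strip().partition("=")
        if sep:
            out[alg.strip().lower()] = value.strip()
    return out


def verify_digest(header: str, body: bytes) -> bool:
    """True only if an accepted algorithm is present and every accepted one matches.

    A header carrying a correct sha-256 next to a wrong sha-512 is treated as
    tampered, not as "one of them passed". Weak or unknown algorithms are ignored,
    so a header with only unixsum verifies nothing and fails.
    """
    claims = parse_digest(header)
    checked = False
    for alg, value in claims.items():
        if alg not in ACCEPTED:
            continue
        expected = base64.b64encode(hashlib.new(ACCEPTED[alg], body).digest()).decode("ascii")
        if not hmac.compare_digest(expected, value):
            return False
        checked = True
    return checked


if __name__ == "__main__":
    header = make_digest(SAMPLE_BODY, ("sha-256", "sha-512"))
    print(header)
    print(verify_digest(header, SAMPLE_BODY))            # True
    print(verify_digest(header, SAMPLE_BODY + b"\n"))    # False: one byte appended
    print(verify_digest("unixsum=30637", SAMPLE_BODY))   # False: nothing checkable
```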

Forwarded

  • Standardised (RFC 7239) replacement for the X-Forwarded-* headers: identifies the client and each proxy a request passed through. Like X-Forwarded-For it is client-supplied text, so only the entries appended by your own proxies can be trusted

Usage:

Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>

Examples:

Forwarded: for="_mdn" 
Forwarded: For="[2001:db8:cafe::17]:4711"
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for=192.0.2.43, for=198.51.100.17

Proxy-Authenticate

  • The Server Specifies the Authentication that is required to gain access to a webpage beyond the proxy server.

Usage:

Proxy-Authenticate: [Basic|Bearer|Digest|HOBA|Mutual|Negotiate|OAuth|SCRAM-SHA-1|SCRAM-SHA-256|vapid] realm=<realm>

Examples:

Proxy-Authenticate: Basic
Proxy-Authenticate: Basic realm="Access to the internal site"

Proxy-Authorization

  • Request header carrying the client's credentials for the proxy, sent after a 407 Proxy Authentication Required. Basic credentials are only base64 (the example below decodes to aladdin:opensesame), so the connection to the proxy must itself be TLS

Usage:

Proxy-Authorization: [Basic|Bearer|Digest|HOBA|Mutual|Negotiate|OAuth|SCRAM-SHA-1|SCRAM-SHA-256|vapid] <credentials>

Examples:

Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

Sec-WebSocket-Accept

  • Response header in the WebSocket opening handshake: the server returns base64(SHA-1(Sec-WebSocket-Key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11")), proving it understood the Upgrade and is not a caching proxy or an unrelated HTTP server replaying the request
  • It does not authenticate the client: browsers send cookies on the handshake and do not preflight it, so the server must check the Origin header itself to stop cross-site WebSocket hijacking

Usage:

Sec-WebSocket-Accept: <hashed key>

Examples:

Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
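
Added worked example (not code from the original page): both sides of the handshake in Python. The server validates the client key, checks Origin against an allowlist before upgrading, and computes the Accept value; the client refuses a server that did not echo the right value. The client key in the demo is the one from the RFC 6455 handshake example, which produces exactly the Accept value shown above; ALLOWED_ORIGINS is a constructed assumption.

```python
"""Compute and check Sec-WebSocket-Accept for the WebSocket opening handshake (RFC 6455, 4.2.2).

Added example for this page, not code from the original. The client key used in the
demo is the one from the RFC's handshake example; the origin allowlist is constructed.
"""
import base64
import hashlib
import hmac
from typing import Dict

# Fixed by RFC 6455. It is not a secret: the point is to prove the peer implements
# WebSocket, not to authenticate it.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed; see server_handshake


def websocket_accept(client_key: str) -> str:
    """base64( SHA-1( <Sec-WebSocket-Key exactly as sent, still base64> + GUID ) )."""
    digest = hashlib.sha1((client_key.strip() + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def valid_client_key(client_key: str) -> bool:
    """Server side: Sec-WebSocket-Key must be base64 of exactly 16 random bytes."""
    try:
        return len(base64.b64decode(client_key.strip(), validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def server_handshake(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Return the 101 response headers, or {} to reject.

    The Accept value stops a non-WebSocket server or caching proxy from being
    mistaken for a WebSocket endpoint. It does nothing against cross-site
    WebSocket hijacking: browsers send cookies on the handshake and do not
    preflight it, so the server must check Origin itself. Non-browser clients
    send no Origin and are rejected here; relax that only deliberately.
    """
    key = request_headers.get("sec-websocket-key", "")
    origin = request_headers.get("origin")
    if not valid_client_key(key) or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Accept": websocket_accept(key)}


def client_accepts(sent_key: str, response_accept: str) -> bool:
    """Client side: drop the connection if the server did not echo the right value."""
    return hmac.compare_digest(websocket_accept(sent_key), response_accept.strip())


if __name__ == "__main__":
    req = {"sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==", "origin": "https://app.example.com"}
    print(server_handshake(req)["Sec-WebSocket-Accept"])  # s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
```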

Timing-Allow-Origin

  • Specifies what Origins are able to view the Resource Timing API information from a Cross Origin Request

Usage:

Timing-Allow-Origin: *
Timing-Allow-Origin: <origin>[, <origin>]*

Examples:

Timing-Allow-Origin: *
Timing-Allow-Origin: https://developer.mozilla.org

WWW-Authenticate

  • Sent with a 401 response to specify the authentication scheme (and realm) the client must use to gain access to the resource

Usage:

WWW-Authenticate: <type> realm=<realm>

Examples:

WWW-Authenticate: Basic
WWW-Authenticate: Basic realm="Access to the staging site", charset="UTF-8"

X-DNS-Prefetch-Control

  • Response header that controls whether the browser resolves the hostnames of links on the page before they are clicked. off stops those speculative lookups, which leak the links a user is shown to the DNS resolver and otherwise happen even on HTTPS pages

Usage:

X-DNS-Prefetch-Control: on
X-DNS-Prefetch-Control: off

X-Forwarded-For

  • Request header in which each proxy appends the address it received the request from, giving the client followed by the chain of proxies between the client and the server. The leftmost entries arrive in the client's own request and can be forged, so only the values appended by your own proxies may be trusted

Usage:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

Examples:

X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
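
The following Python is an added example (not code from the original page) of reading this header the safe way: walk the chain from the TCP peer leftwards, skip the addresses belonging to your own proxies, and take the first one that is not yours. Reading the leftmost value instead lets any client choose its own "IP" (and bypass IP allowlists or rate limits) just by sending the header itself. TRUSTED_PROXIES and the addresses in the demo are constructed assumptions; substitute the networks your proxies actually connect from.

```python
"""Derive the real client address from X-Forwarded-For without trusting spoofed entries.

Added example for this page, not code from the original. TRUSTED_PROXIES and the
addresses in the demo are constructed; replace the networks with your own proxies.
"""
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Networks our own proxies / load balancers connect from. Only the hops *they*
# appended can be believed; everything further left arrived in the client's request.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_proxy(addr: IPAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_xff(header: str) -> List[IPAddress]:
    """Return the comma-separated addresses in header order, dropping anything that is not an IP."""
    addrs: List[IPAddress] = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            addrs.append(ipaddress.ip_address(item))
        except ValueError:
            pass  # 'unknown', hostnames or 'ip:port' entries carry no usable address
    return addrs


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Walk the chain from the TCP peer leftwards; the first address that is not one
    of our proxies is the client. A client that connects to the backend directly is
    itself the peer, so whatever it put in the header is never consulted."""
    chain = parse_xff(xff or "") + [ipaddress.ip_address(peer_ip)]
    for addr in reversed(chain):
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(chain[0])  # every hop was internal; report the origin of the chain


if __name__ == "__main__":
    # Constructed: client 198.51.100.7 sends a forged header, then passes through our proxy 203.0.113.1
    print(client_ip("203.0.113.1", "1.2.3.4, 198.51.100.7"))  # 198.51.100.7
    # Constructed: same forged header, but the client reached the backend directly
    print(client_ip("198.51.100.7", "1.2.3.4"))                # 198.51.100.7
```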

X-Forwarded-Proto

  • Request header added by a reverse proxy or load balancer to tell the backend which protocol (http or https) the client used, since the backend often sees only plain HTTP from the proxy. Strip or overwrite it at the edge so a client cannot claim https itself

Usage:

X-Forwarded-Proto: <protocol>

Examples:

X-Forwarded-Proto: https

X-Forwarded-Host

  • Request header carrying the Host the client originally asked for, added by a proxy that rewrites Host on the way to the backend. Treat it like any other client input: building absolute URLs from it (password reset links, redirects) is how Host header poisoning happens

Usage:

X-Forwarded-Host: <host>

Examples:

X-Forwarded-Host: id42.example-cdn.com

X-XSS-Protection

  • Response header for the old browser XSS auditor, which sanitized or blocked the page load when reflected XSS was detected
  • Deprecated: the filter has been removed from Chrome and Edge and was never in Firefox, and it introduced side channels of its own, so current guidance is to set it to 0 and rely on Content-Security-Policy

Usage:

X-XSS-Protection: 1; mode=block