
securityheaders.io

You need to add extra security to your website. Yes, you do.

I'm sure others have seen this site before, but in the event that some have not, I figured I would give it its own shoutout.

securityheaders.io is a creation of Scott Helme that analyzes any website for the security-related headers it returns in its HTTP(S) responses. You can use the results to harden your own site, and to gather information about sites that are in scope for a penetration test.

The tool checks for the following:

  • HTTP
    • Content-Security-Policy
      • A header that defines approved sources of content that the browser may load. This can help prevent XSS attacks.
    • X-Content-Type-Options
      • A header (value nosniff) that stops the browser from guessing a response's content type, protecting against MIME sniffing attacks.
    • X-Frame-Options
      • A header that helps to protect your visitors against clickjacking attacks.
    • X-XSS-Protection
      • A header designed to enable the cross-site scripting (XSS) filter that older browsers built in. Current browsers have removed that filter, so the header no longer adds protection; a Content-Security-Policy is the replacement.

  • HTTPS
    • Strict-Transport-Security
      • A header that tells the browser to contact the domain only over HTTPS for the lifetime given in max-age, rewriting any http:// request to https:// before it leaves the browser. It takes effect only after the browser has already received it over a valid HTTPS connection, so the very first visit is not covered unless the domain is on the HSTS preload list.
    • Public-Key-Pins
      • A header that pins specific public keys to the server so a certificate chain that does not contain one of them is rejected, reducing the risk of MITM attacks with forged certificates. HPKP has since been deprecated and removed from browsers, because a mistaken or rotated pin locks visitors out of your own site for the pin's lifetime; treat any report on it as informational.


Additionally, it reports headers that reveal the server software and what powers the site (the Server and X-Powered-By headers), for example Apache and PHP.
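To make the checks above concrete, here is a small offline stand-in for what the scanner does, run over a raw HTTP response header block. This is an added example and is not code from securityheaders.io or from Scott Helme; the two sample responses, the one-year HSTS threshold (the minimum the HSTS preload list accepts) and the decision to treat X-XSS-Protection and Public-Key-Pins as legacy are this example's own assumptions.

```python
# Added example, not code from securityheaders.io: an offline stand-in for the
# checks above, run over a raw HTTP response header block.
from typing import Dict, List

# Headers the scanner looks for. X-XSS-Protection and Public-Key-Pins are treated
# as legacy here because current browsers no longer honour them.
SECURITY_HEADERS = ["Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options",
                    "X-XSS-Protection", "Strict-Transport-Security", "Public-Key-Pins"]
LEGACY_HEADERS = {"X-XSS-Protection", "Public-Key-Pins"}
INFO_LEAK_HEADERS = ["Server", "X-Powered-By"]  # advertise the stack, e.g. Apache, PHP
HSTS_MIN_MAX_AGE = 31536000  # one year: this example's threshold, the preload-list minimum


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'status line + headers' into a dict keyed by lower-cased header name.

    Names are case-insensitive on the wire; the first occurrence of a repeat wins.
    """
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def check_hsts(value: str) -> List[str]:
    """Flag an HSTS value whose max-age is missing, malformed or shorter than a year."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((d[len("max-age="):] for d in directives if d.startswith("max-age=")), None)
    if max_age is None or not max_age.isdigit():
        return [f"Strict-Transport-Security has a missing or malformed max-age: {value!r}"]
    if int(max_age) < HSTS_MIN_MAX_AGE:
        return [f"Strict-Transport-Security max-age={max_age} is under one year"]
    return []


def audit(raw: str) -> Dict[str, List[str]]:
    """Grade one raw response; returns present/missing/warnings/leaks lists."""
    headers = parse_headers(raw)
    report: Dict[str, List[str]] = {"present": [], "missing": [], "warnings": [], "leaks": []}
    for name in SECURITY_HEADERS:
        if name.lower() in headers:
            report["present"].append(name)
            if name in LEGACY_HEADERS:
                report["warnings"].append(f"{name} is legacy; browsers ignore it")
        elif name not in LEGACY_HEADERS:
            report["missing"].append(name)
    # Presence alone is not enough: check the values the post describes.
    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp.lower():
        report["warnings"].append("Content-Security-Policy allows 'unsafe-inline'")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        report["warnings"].append("X-Content-Type-Options must be exactly 'nosniff'")
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        report["warnings"].append("X-Frame-Options should be DENY or SAMEORIGIN")
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        report["warnings"].extend(check_hsts(hsts))
    for name in INFO_LEAK_HEADERS:
        if name.lower() in headers:
            report["leaks"].append(f"{name}: {headers[name.lower()]}")
    return report


# Constructed sample: an out-of-the-box LAMP response with a short HSTS lifetime.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: the same site hardened, with version banners removed.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw))
```

Against the weak sample the audit reports Content-Security-Policy as missing, the one-hour HSTS lifetime as a warning, and both version banners as leaks; the hardened sample comes back clean. To run it against a live site, feed it the output of `curl -sI https://your.site/` in place of the constructed strings.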

I've added most of these to this site, though I still need to fine tune it a bit.

Depending on your server software you will be editing a different file, but the header names and values stay the same; only the directive syntax around them changes. On nginx, add them with add_header in the relevant server block of nginx.conf (usually under /etc/nginx). On Apache, use Header set in httpd.conf (/etc/httpd/conf/httpd.conf on Red Hat-style systems, /etc/apache2/apache2.conf on Debian and Ubuntu), which requires mod_headers to be enabled. Each header has several options, so research each one to decide what is right for your site; a Content-Security-Policy in particular has to be built from what your pages actually load, or it will break them.
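The nginx form of the headers discussed above, as an added example that is not from the original post. The values are illustrative starting points, and the Content-Security-Policy shown assumes a site that loads everything from its own origin and embeds no plugins or frames; adjust it to what your pages really need.

```nginx
# Added example, not from the original post. Put these inside the HTTPS
# server { } block in nginx.conf (or a file it includes), then run
# `nginx -t` and reload.

# Hide the version in the Server header; the X-Powered-By banner comes from
# PHP itself (expose_php = Off in php.ini), not from nginx.
server_tokens off;

# "always" sends the header on every status code, not only 2xx and 3xx,
# so error pages are covered as well.
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;

# HSTS belongs only in the HTTPS block: browsers ignore it over plain HTTP,
# and once sent with a long max-age you cannot easily take it back.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

One nginx gotcha to check for: add_header directives are inherited from the enclosing level only if the current level (for example a location block) defines none of its own, so a single add_header inside a location silently drops every header set at server level. The Apache equivalent is `Header always set X-Frame-Options "DENY"` (and so on for each header) with mod_headers enabled, plus `ServerTokens Prod` to trim the Server banner. After reloading, confirm with `curl -sI https://your.site/` that every header appears on both a normal page and a 404.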