Web Security

Clear Site Data

Clear Site Data

As you may guess by the name, implementing a Clear-Site-Data header is a great way to tell a client to clear browsing data such as cache, storage, cookies, or everything. This gives you more control over how you want to store the website’s data in the browser. Apache Let’s say you want to clear the …

Clear Site Data Read More »

Permissions-Policy

Permissions Policy

Earlier known as Feature-Policy, it is renamed as Permissions-Policy with enhanced features. You can check out this to understand the big changes between Feature-Policy to Permissions-Policy. With Permissions Policy, you can control browser features such as geolocation, fullscreen, speaker, USB, autoplay, speaker, microphone, payment, battery status, etc. to enable or disable within a web application. By implementing …

Permissions-Policy Read More »

Expect-CT

Uncovering search volume

A new header still in experimental status is to instruct the browser to validate the connection with web servers for certificate transparency (CT). This project by Google aims to fix some of the flaws in the SSL/TLS certificate system. The following three variables are available for the Expect-CT header. Value Description max-age In seconds, for how long …

Expect-CT Read More »

Referrer-Policy

referrer-policy http header

Looking to control the referrer-policy of your site? There are certain privacy and security benefits. However, not all the options are supported by all the browsers, so review your requirements before the implementation. Referrer-Policy supports the following syntax. Value Description no-referrer Referrer information will not be sent with the request. no-referrer-when-downgrade The default setting where …

Referrer-Policy Read More »

X-Permitted-Cross-Domain-Policies

handle the requests over a cross-domain

Using Adobe products like PDF, Flash, etc.? You can implement this header to instruct the browser on how to handle the requests over a cross-domain. By implementing this header, you restrict loading your site’s assets from other domains to avoid resource abuse. There are a few options available. Value Description none no policy is allowed …

X-Permitted-Cross-Domain-Policies Read More »

Content Security Policy

code injection attacks by implementing the Content Security Policy (CSP) header

Prevent XSS, clickjacking, code injection attacks by implementing the Content Security Policy (CSP) header in your web page HTTP response. CSP instruct browser to load allowed content to load on the website. All browsers don’t support CSP, so you got to verify before implementing it. There are three ways you can achieve CSP headers. Content-Security-Policy – Level 2/1.0 X-Content-Security-Policy – …

Content Security Policy Read More »

X-Content-Type-Options

Prevent MIME types of security risk

Prevent MIME types of security risk by adding this header to your web page’s HTTP response. Having this header instructs browser to consider file types as defined and disallow content sniffing. There is only one parameter you got to add “nosniff”. Let’s see how to advertise this header. Apache You can do this by adding the below …

X-Content-Type-Options Read More »

X-Frame-Options

Use the X-Frame-Options header to prevent Clickjacking

Use the X-Frame-Options header to prevent Clickjacking vulnerability on your website. By implementing this header, you instruct the browser not to embed your web page in frame/iframe. This has some limitations in browser support, so you got to check before implementing it. You can configure the following three parameters. Parameter Value Meaning SAMEORIGIN Frame/iframe of content is …

X-Frame-Options Read More »

HTTP Strict Transport Security

HTTP Strict Transport Security

HSTS (HTTP Strict Transport Security) header to ensure all communication from a browser is sent over HTTPS (HTTP Secure). This prevents HTTPS click-through prompts and redirects HTTP requests to HTTPS. Before implementing this header, you must ensure all your website page is accessible over HTTPS else they will be blocked. HSTS header is supported on …

HTTP Strict Transport Security Read More »

Clickjacking

Clickjacking is an attack that tricks a user into clicking

Everything to keep in mind when designing and building a mega-dropdown, common pitfalls, hover entry/exit delays, trajectory triangle technique and SVG path exit areas.

Scroll to Top