Experimenting with new HTTP Security Headers

Explaining the Headers

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy
  • Strict-Transport-Security

Content-Security-Policy or Content-Security-Policy-Report-Only

Content-Security-Policy: default-src 'self'
Content-Security-Policy: child-src 'self'; default-src 'self' 'unsafe-eval' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self'; img-src 'self' www.gstatic.com www.w3.org; script-src-attr 'unsafe-inline'; script-src-elem 'unsafe-inline'; script-src 'unsafe-eval' 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'; style-src 'unsafe-eval' 'unsafe-inline'

X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

X-Content-Type-Options: nosniff

Referrer-Policy

Referrer-Policy: origin-when-cross-origin
Referrer-Policy: strict-origin

Permissions-Policy

Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()

Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains

Putting it all into place

Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set Referrer-Policy no-referrer
Header always set Feature-Policy "camera 'none'"
Header always set Permissions-Policy "autoplay=(), microphone=()"
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' *.youtube.com code.jquery.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com;"
Header always set Content-Security-Policy-Report-Only "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://gushi.report-uri.com/r/d/csp/wizard"
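As an added example (not code from the original post), the following Python script applies the rules from the header explanations above to the headers the Apache directives above would emit. The SAMPLE_HEADERS dictionary is constructed here from those directives rather than captured from a live site, the HARDENED_HEADERS set and its nonce value are made up for comparison, and the severities and messages are this example's own choices. The checker parses a CSP into its directives, applies the default-src fallback that fetch directives get (and that frame-ancestors and form-action do not), treats 'unsafe-inline' as neutralised only when a nonce or hash is also present, and reports the missing Strict-Transport-Security header, the inline-script allowance and the unrestricted object-src in the sample set.

```python
import re

# Constructed sample (not captured from a live site): the response headers the
# Apache "Header always set" lines above would emit. No HSTS line is set there.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "autoplay=(), microphone=()",
    "Content-Security-Policy": (
        "default-src 'self' 'unsafe-inline' *.youtube.com code.jquery.com; "
        "font-src 'self' fonts.googleapis.com fonts.gstatic.com;"
    ),
    "Content-Security-Policy-Report-Only": (
        "default-src 'none'; form-action 'none'; frame-ancestors 'none'; "
        "report-uri https://gushi.report-uri.com/r/d/csp/wizard"
    ),
}

# Hypothetical hardened set for comparison; the nonce value is made up.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; frame-ancestors 'self'"
    ),
}

# Fetch directives inherit default-src when absent; frame-ancestors,
# form-action and base-uri do not.
FALLBACK_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                       "connect-src", "frame-src", "object-src")
ONE_YEAR = 31536000


def parse_csp(policy):
    """Split a CSP value into {directive: [source expressions]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def effective_sources(csp, directive):
    """Sources that actually govern `directive` after the default-src
    fallback; None when it is unset and has no fallback."""
    if directive in csp:
        return csp[directive]
    if directive in FALLBACK_DIRECTIVES:
        return csp.get("default-src", [])
    return None


def check_headers(headers):
    """Return [(severity, message)] findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing: browser may keep using http"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(("medium", "HSTS max-age %d is under one year" % age))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))

    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("high", "no framing protection: set frame-ancestors or X-Frame-Options"))

    if not csp:
        findings.append(("high", "no enforced Content-Security-Policy"))
    else:
        scripts = effective_sources(csp, "script-src")
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append(("high", "script-src allows 'unsafe-inline': inline XSS not blocked"))
        if "'unsafe-eval'" in scripts:
            findings.append(("medium", "script-src allows 'unsafe-eval'"))
        if "'none'" not in effective_sources(csp, "object-src"):
            findings.append(("low", "object-src is not 'none': plugin content allowed"))

    # A Report-Only policy only sends reports; it blocks nothing.
    if "content-security-policy-report-only" in h and not csp:
        findings.append(("info", "only a Report-Only CSP is set; nothing is enforced"))

    if h.get("referrer-policy", "").strip().lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("low", "Referrer-Policy weak or missing"))
    if "permissions-policy" not in h:
        findings.append(("info", "Permissions-Policy missing"))
    return findings


if __name__ == "__main__":
    for name, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs) or "no findings")
```

To run it against a real deployment, feed check_headers the response headers from `curl -sI` or `requests.head(url).headers`. Two caveats about the Apache policy above that the sample run surfaces or implies: the Report-Only header with `frame-ancestors 'none'` does not stop framing, only the enforced header and X-Frame-Options do; and fonts.googleapis.com serves a stylesheet, which is governed by style-src (falling back to default-src here), so listing it only under font-src does not allow that stylesheet to load; only the font files from fonts.gstatic.com are covered by font-src.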

Making this work with Fastly

Conclusion

Gushi/Dan Mahoney is a sysadmin/network operator in Northern Washington, working for a global non-profit, as well as individually.
