Experimenting with new HTTP Security Headers

Explaining the Headers

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy
  • Strict-Transport-Security

Content-Security-Policy or Content-Security-Policy-Report-Only

Content-Security-Policy: "default-src 'self'"
Content-Security-Policy: "child-src 'self'; default-src 'self' 'unsafe-eval' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self'; img-src 'self' www.gstatic.com www.w3.org; script-src-attr 'unsafe-inline'; script-src-elem 'unsafe-inline'; script-src 'unsafe-eval' 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'; style-src 'unsafe-eval' 'unsafe-inline'"
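The two policies above look similar in shape but differ enormously in effect: the second one re-enables inline scripts, `eval()` and `data:` URIs, which is most of what a CSP exists to block. The following parser is an added example, not code from the post; it splits a policy into directives, applies the default-src fallback that browsers use for fetch directives, and reports every weak source expression that is in effect. The two policies are the ones quoted above (without the surrounding double quotes); the WEAK_SOURCES list and the `(none)` marker for an unrestricted directive are this example's own choices, and the frame-src fallback is simplified to default-src.

```python
"""Flag weak source expressions in a Content-Security-Policy value.
Added example for the article, not code from the original post."""

# Source expressions that undo most of the protection a CSP is meant to give.
# "(none)" is this example's marker for a fetch directive with no restriction at all.
WEAK_SOURCES = {
    "'unsafe-inline'": "inline scripts/styles run, so injected markup executes",
    "'unsafe-eval'": "eval()/new Function() run, so strings become code",
    "data:": "data: URIs can carry attacker-supplied content",
    "*": "any origin is allowed",
    "http:": "any plaintext origin is allowed",
    "https:": "any TLS origin is allowed",
    "(none)": "neither the directive nor default-src is set, so nothing is restricted",
}

# Fetch directives that fall back to default-src when not listed.
# (frame-src really falls back to child-src first; simplified here.)
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "frame-src", "child-src", "object-src", "media-src",
)

# The two policies shown in the post, outer double quotes dropped.
POLICY_STRICT = "default-src 'self'"
POLICY_LOOSE = (
    "child-src 'self'; default-src 'self' 'unsafe-eval' 'unsafe-inline' data:; "
    "frame-ancestors 'self'; frame-src 'self'; img-src 'self' www.gstatic.com www.w3.org; "
    "script-src-attr 'unsafe-inline'; script-src-elem 'unsafe-inline'; "
    "script-src 'unsafe-eval' 'unsafe-inline'; style-src-attr 'unsafe-inline'; "
    "style-src-elem 'unsafe-inline'; style-src 'unsafe-eval' 'unsafe-inline'"
)


def parse_csp(policy):
    """Split a CSP string into {directive: [source, ...]}.

    Surrounding double quotes (as written in the post) are tolerated.
    A repeated directive is ignored, as browsers keep only the first one.
    """
    directives = {}
    for part in policy.strip().strip('"').split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue
        directives[name] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Return (sources, inherited): the list that actually governs `name`."""
    if name in directives:
        return directives[name], False
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", []), True
    return [], False


def audit_csp(policy):
    """Return (directive, weak_source, inherited_from_default) for each weak source in effect."""
    directives = parse_csp(policy)
    findings = []
    for name in sorted(set(FETCH_DIRECTIVES) | directives.keys()):
        sources, inherited = effective_sources(directives, name)
        if inherited and not sources:
            findings.append((name, "(none)", True))  # no directive, no default-src
            continue
        for src in sources:
            if src.lower() in WEAK_SOURCES:
                findings.append((name, src.lower(), inherited))
    return findings


def report(policy):
    """Human-readable lines for audit_csp()."""
    lines = []
    for name, src, inherited in audit_csp(policy):
        via = " (inherited from default-src)" if inherited else ""
        lines.append(f"{name}: {src}{via} -> {WEAK_SOURCES[src]}")
    return lines or ["no weak source expressions found"]


if __name__ == "__main__":
    for label, policy in (("strict", POLICY_STRICT), ("loose", POLICY_LOOSE)):
        print(f"== {label} ==")
        print("\n".join(report(policy)))
```

Run stand-alone, the strict policy produces no findings, while the loose one reports 'unsafe-inline' and 'unsafe-eval' on every script and style directive plus data: on the directives that inherit default-src (connect-src, font-src, media-src, object-src). The same function run against a policy that sets only script-src shows why default-src matters: every other fetch directive comes back as `(none)`.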

X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

X-Content-Type-Options: nosniff

Referrer-Policy

Referrer-Policy: origin-when-cross-origin
Referrer-Policy: strict-origin

Permissions-Policy

Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()

Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains

Putting it all into place

Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set Referrer-Policy no-referrer
Header always set Feature-Policy "camera 'none'"
Header always set Permissions-Policy "autoplay=(), microphone=()"
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' *.youtube.com code.jquery.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com;"
Header always set Content-Security-Policy-Report-Only "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://gushi.report-uri.com/r/d/csp/wizard"

Making this work with Fastly

Conclusion


Gushi/Dan Mahoney is a sysadmin/network operator in Northern Washington, working for a global non-profit, as well as individually.
