BMT Systems

Site Security Headers

Thomas M. Brodhead


The Content-Security-Policy header allows you to whitelist content, mainly scripts and CSS, that may be employed by your site. This prevents malicious scripts and CSS from being loaded on your site by an attacker who wishes to exploit a visitor to your site.

This is a complex topic, and Google has explored it exhaustively in CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, which explains why CSP 3 strict-dynamic is the only tenable solution at present. The essay Deferring JavaScript and CSP 3 Strict Dynamic elsewhere on this site explains how to implement it for site JavaScript.


This header prevents clickjacking, in which your site is loaded into an invisible iframe of a different site. Users clicking on visible links on that site are actually clicking on links on your site, potentially logging into the site, etc., which exposes your site to the attacker, who has "clickjacked" the unsuspecting user of the different site.

Example: Testing for Clickjacking

Apache: Header always set X-Frame-Options SAMEORIGIN


This header tells the browser to block reflected cross-site scripting attacks. A strong CSP will prevent such attacks anyway, but the header is still necessary for older browsers that do not support CSP. Also, without the mode=block directive, the browser will at best attempt to sanitize a foreign script rather than block the page outright.

Apache: Header always set X-Xss-Protection "1; mode=block"


This prevents a browser from MIME-sniffing files and instead forces the browser to accept the declared file type.

Why? An image file might contain a comment that embeds HTML with a script tag; if the browser decided that the file was HTML and interpreted it, the script—which might be malicious—would be executed. Hence, an XSS (cross-site-scripting) attack would be perpetrated.

This is most likely to occur with files uploaded to the site's server by a malicious user who disguises HTML as JPG or another file type. If MIME-sniffing is allowed, the browser would ignore the stated file type and render the HTML and any scripts it contains.

Apache: Header always set X-Content-Type-Options "nosniff"


This policy provides control over the amount of information sent from your site when a user follows a link from your site to another site. The HTTP Referer (sic) header originally contained a modicum of information for site traffic analytics, but now may contain information you'd prefer not to be sent to a different URL. This policy has many customizable options. The simplest is the default, no-referrer-when-downgrade, which blocks the HTTP Referer header when a user navigates from an HTTPS site to an HTTP site.

Apache: Header set Referrer-Policy no-referrer-when-downgrade


This header ensures that if an HTTPS connection to a site is available, it is employed when navigating to the site. Otherwise, an HTTP connection could be employed, potentially exposing the user to a man-in-the-middle attack. It works by causing the browser to record the domain the first time it is accessed over HTTPS and the header is received; thereafter, any connection to the site will default to HTTPS, because the browser's list of HTTPS-only sites now includes it.

Apache: Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
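To check that a server actually emits the headers discussed above, the following added example (not code from this site) parses a raw HTTP response head and grades each header against the values given in the Apache lines. The sample response is constructed, the one-year minimum HSTS age is an assumption, and a CSP without 'strict-dynamic' is deliberately counted as failing.

```python
"""Audit a raw HTTP response head against the header checklist on this page.
Added example, not the site's own code; the sample response is constructed."""
import re

# Constructed response: headers set as in the Apache lines above; CSP deliberately omitted.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=63072000; includeSubDomains
"""

def parse_headers(raw):
    """Parse a response head into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:          # line 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, min_hsts_age=31536000):
    """Return {header: (ok, observed value)}; the HSTS threshold is an assumption."""
    h = parse_headers(raw)
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    xss = h.get("x-xss-protection", "")
    cto = h.get("x-content-type-options", "").lower()
    rp = h.get("referrer-policy", "")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    age = int(m.group(1)) if m else 0
    return {
        # a whitelist-only CSP is not counted as passing (see CSP Is Dead above)
        "Content-Security-Policy": ("'strict-dynamic'" in csp, csp or "missing"),
        "X-Frame-Options": (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing"),
        "X-XSS-Protection": (xss.startswith("1") and "mode=block" in xss, xss or "missing"),
        "X-Content-Type-Options": (cto == "nosniff", cto or "missing"),
        "Referrer-Policy": (bool(rp), rp or "missing"),
        "Strict-Transport-Security": (
            age >= min_hsts_age and "includesubdomains" in hsts.lower(),
            hsts or "missing"),
    }

if __name__ == "__main__":
    for name, (ok, value) in audit(SAMPLE_RESPONSE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {value}")
```

Feed it the head of a real response (for example, the output of `curl -sI https://your-site.example`) to see which of the six headers are missing or weaker than the values above.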