Written By TwinzTech | July 23rd, 2018 5:58 PM | No Comments »
.htaccess File, Cybersecurity, HTTP Headers, HTTPS, Programming, Security, Technology, Web Technology, WordPress Security

How to Protect WebSites Against Attackers or Hackers by using “X-Security Headers”

Last updated on December 8th, 2019 6:20 PM By TwinzTech

Table of Contents

  • 1. What are X-Security Headers?
  • 2. Most Popular Names of the X-Security Headers
    • a) Protect Against cross-site scripting (XSS) Attacks
    • b) Protect Against Clickjacking (User Interface redress, UI redress, and UI redressing) Attacks
    • c) Protect Against MIME Type Security Risks (Content/Media Security Risks)
  • 3. Top 10 HTTP Security Headers

1. What are X-Security Headers?

X-Security Headers are part of the header section of Hypertext Transfer Protocol (HTTP) request and response messages. They define the operating parameters of an HTTP transaction and carry additional information with each request and response exchanged between the client (browser) and the web server. Headers are an integral part of HTTP requests and responses, and X-Security Headers are also referred to simply as HTTP headers (or HTTP security headers).

By adding them through .htaccess, you can increase your website's security: X-Security Headers protect against cross-site scripting (XSS) attacks and Clickjacking (UI redress) attacks, reduce MIME type security risks, and more.

Protects Against Clickjacking and cross-site scripting

2. Most Popular Names of the X-Security Headers

  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options

a) Protect Against cross-site scripting (XSS) Attacks

A cross-site scripting (XSS) attack exploits a type of security vulnerability typically found in web applications and websites. It enables attackers to inject client-side scripts, usually malicious JavaScript code, into web pages viewed by other users.

A web application with an XSS vulnerability ends up running the attacker's malicious JavaScript in a victim's browser (the client); in other words, the attacker gets their code executed in another user's browser. See more about cross-site scripting (XSS).

By using this code in the .htaccess file, we can protect against cross-site scripting (XSS) attacks.

# Reflected Cross-Site Scripting (XSS) attacks:
# Turn on the browser's built-in reflected-XSS filter and make it block the
# page instead of trying to sanitise it. Note that Chromium-based browsers
# and Firefox ignore this header today; a Content-Security-Policy is the
# current defence, so treat this as a legacy extra.
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    # The filter only applies to HTML documents, so drop the header on static assets.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-XSS-Protection
    </FilesMatch>
</IfModule>

b) Protect Against Clickjacking (User Interface redress, UI redress, and UI redressing) Attacks

A Clickjacking attack is a malicious technique that tricks a web application user into clicking on something different from what the user believes they are clicking on the website, potentially leaking confidential information (data) or handing control of their computer to the attacker while they click on seemingly harmless web pages.

Clickjacking is also called a User Interface redress attack, UI redress attack, or UI redressing. It is possible because seemingly harmless features of HTML web pages can be used to perform unexpected actions: on a page under Clickjacking attack, the attacker loads another page over it in a transparent layer, so the victim's clicks land on the hidden page and the attacker steals data through those clicks.

A few more attacks that work similarly to Clickjacking are Likejacking and Cross-Frame Scripting (XFS).

By adding the following to the .htaccess file, we can protect against Clickjacking (User Interface redress, UI redress, and UI redressing), Likejacking, and Cross-Frame Scripting (XFS) attacks.

# Protect From Clickjacking (UI redress) attacks:
# DENY forbids every site, including your own, from framing these pages.
# Use SAMEORIGIN instead if your application legitimately frames itself;
# the modern equivalent is the Content-Security-Policy frame-ancestors directive.
<IfModule mod_headers.c>
    Header set X-Frame-Options "DENY"
    # Framing protection only matters for HTML documents, so drop the header on static assets.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-Frame-Options
    </FilesMatch>
</IfModule>

c) Protect Against MIME Type Security Risks (Content/Media Security Risks)

MIME type sniffing is a technique some web browsers (Internet Explorer, Opera, and others) use to inspect the content of particular assets and guess their type instead of trusting the declared Content-Type. Attackers abuse this in a MIME type attack: a file the server labels as harmless can be interpreted by the browser as something else, such as HTML or script, which makes it a tool for phishing or sniffing the main assets of a web page or website.

MIME type sniffing attacks are a particular risk when you allow users to upload data to your web application. Using the .htaccess file and the HTTP header technique below, we can tell browsers to trust only the declared type and keep our data safe.

By adding the following to the .htaccess file, we can protect against MIME Type Security Risks (Content/Media Security Risks).

# Reducing MIME Type Security Risks:
# Tell browsers to honour the declared Content-Type and never sniff the body.
# This only helps if your server sends a correct Content-Type for every asset.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

3. Top 10 HTTP Security Headers

You should implement the following on your website; they are the most useful HTTP headers for better web application security:

  • HTTP ETag Header
  • HTTP X-Powered-By
  • HTTP Strict Transport Security (HSTS)
  • HTTP Public Key Pinning (HPKP)
  • HTTP Content Security Policy (CSP)
  • HTTP Referrer-Policy
  • HTTP Feature-Policy
  • HTTP Expect-CT
  • HTTP Timing-Allow-Origin
  • HTTP Access-Control-Allow-Origin

The above HTTP headers are used to protect your websites against attacks, data sniffing, data breaches, data phishing, and hacking.

Protect WebSites Against Hackers by using X-Security Headers

See the examples below for how to use these HTTP headers in the .htaccess file to protect your data against hackers.

# Disable Apache's ETag header:
# ETags can reveal inode details and enable cache-based tracking. On some
# Apache versions "Header unset" alone is not enough; pair it with "FileETag None".
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

# Server-side technology information:
# Stop advertising the backend (for example "X-Powered-By: PHP/x.y") to attackers.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# HTTP Strict Transport Security (HSTS):
# Browsers will only use HTTPS for this host (and subdomains) for one year.
# Only enable "preload" once every subdomain serves valid HTTPS; it is hard to undo.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

# HTTP Public Key Pinning (HPKP):
# Caution: HPKP has been removed from Chrome and Firefox and a wrong pin locks
# users out of your site until max-age expires. The pin values below are the
# original post's placeholders, not real SPKI hashes; a real pin is the base64
# SHA-256 of your certificate's public key plus at least one backup key.
<IfModule mod_headers.c>
    Header always set Public-Key-Pins "pin-sha256=\"iPkQ5Cig6y69MBkqnbEk4aIdjiuY4exLSiDRSp5GeJg2m4=\"; pin-sha256=\"Cig6y69MBkqnbEk4aIklO2XCfCig6y69MBkqnbEk469MBkY=\"; pin-sha256=\"a9wgrX4Ta9HpZx6tSfc4$2dsavHkmCrvpApwsgbrLg5yRME=\"; max-age=2592000; includeSubDomains; preload"
</IfModule>

# HTTP Content Security Policy (CSP):
# base-uri 'self' stops injected <base> tags from redirecting relative URLs.
# On its own it does not restrict scripts; a full policy also needs default-src
# and script-src directives tuned to your site.
<IfModule mod_headers.c>
    Header set Content-Security-Policy "base-uri 'self'"
</IfModule>

# Send custom HTTP header Referrer-Policy:
# Send the full URL only to same-origin requests; cross-origin requests get the origin alone.
<IfModule mod_headers.c>
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Send custom HTTP header Feature-Policy:
# Allow the vibration API only for this origin. Feature-Policy has since been
# renamed Permissions-Policy with a different syntax; newer browsers expect that header.
<IfModule mod_headers.c>
    Header always set Feature-Policy "vibrate 'self'"
</IfModule>

# Send custom HTTP header Expect-CT:
# Expect-CT directives are comma-separated. Replace the placeholder report-uri
# with your own reporting endpoint. This header is now deprecated because
# browsers require Certificate Transparency for all new certificates anyway.
<IfModule mod_headers.c>
    Header always set Expect-CT "max-age=604800, report-uri=\"https://REPORT-URI-PLACEHOLDER.example/ct\""
</IfModule>

# Cross-origin requests:
# Name the one origin allowed to read responses cross-origin. The placeholder
# below must be replaced with your trusted origin; do not use "*" on resources
# that carry user data, and never echo the request's Origin header unchecked.
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "https://trusted-origin-PLACEHOLDER.example"
</IfModule>

# Cross-origin resource timing:
# Let any origin read detailed Resource Timing data for these responses.
<IfModule mod_headers.c>
    Header set Timing-Allow-Origin "*"
</IfModule>
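As an added example that is not part of the original post, here is a small Python audit that checks a response's headers against the recommendations of sections 2 and 3 above: required headers present with a sane value, leaky headers absent, and a wildcard CORS origin flagged. The sample response is constructed; to audit a live site, pass dict(response.headers) from the requests library instead. Note that the base-uri-only Content-Security-Policy shown above is rated weak here because it restricts no script sources.

```python
import re

# Headers that should be present, each with a check on its value.
REQUIRED = {
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": lambda v: max_age(v) >= 31536000,  # one year
    "content-security-policy": lambda v: any(
        d in v.lower() for d in ("default-src", "script-src")),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin"),
}
# Headers that should be absent because they reveal server details.
FORBIDDEN = ("x-powered-by", "etag")


def max_age(value: str) -> int:
    """Extract max-age from a value like 'max-age=31536000; includeSubDomains'; -1 if absent."""
    m = re.search(r"max-age=(\d+)", value)
    return int(m.group(1)) if m else -1


def audit_headers(headers: dict) -> dict:
    """Map each audited header name to 'ok', 'missing', 'weak' or 'leaks'."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name, check in REQUIRED.items():
        if name not in lower:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if check(lower[name]) else "weak"
    for name in FORBIDDEN:
        findings[name] = "leaks" if name in lower else "ok"
    # A wildcard CORS origin lets every site read the response body.
    acao = lower.get("access-control-allow-origin")
    if acao is not None:
        findings["access-control-allow-origin"] = "weak" if acao.strip() == "*" else "ok"
    return findings


# Constructed sample: a response that applied only some of the headers above.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=300",      # far too short
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Powered-By": "PHP/7.2",                       # leaks the backend
    "Access-Control-Allow-Origin": "*",
}

if __name__ == "__main__":
    for name, verdict in sorted(audit_headers(SAMPLE_RESPONSE).items()):
        print(f"{verdict:8} {name}")
```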
