Security: Security Headers

HTTP Security Headers are a way of providing an extra layer of security by closing off certain vulnerabilities through the browser.  When a browser requests a web page from a server the content is sent along with HTTP Response Headers.  The HTTP Response Header contains information including the date, size and type of file which the server is sending along with data about the server itself attached to the files being sent back to the client.

Security Headers

Some of the information in the HTTP response headers is metadata about the content, such as cache-control, status codes and content-encoding, and this metadata can be manipulated.  Alongside it are HTTP security headers that tell your browser how to behave when handling your site’s content and what information it may communicate.

There are several HTTP security headers which can be implemented; below is a free analysis tool to find out which security headers a site has implemented:

securityheaders.com

Here is some information on the different kinds of security header.

Content Security Policy

The Content-Security-Policy HTTP header prevents attacks such as Cross-Site Scripting (XSS) and other code injection attacks by defining which content sources are approved, so that the browser loads content only from those sources. Cross-Site Scripting (XSS) attacks are a type of ‘code injection’, in which malicious scripts are injected into trusted websites. Code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution.

X-Content-Type-Options

Setting a server’s X-Content-Type-Options HTTP response header to ‘nosniff’ instructs browsers to disable content or MIME sniffing, which browsers use to guess the type of a response and process it accordingly. Although sniffing can be useful in some situations, it can leave the website open to MIME confusion attacks and unauthorized hotlinking.

MIME confusion attacks happen on user-generated content sites when there are opportunities to upload malicious code which is then executed by browsers that interpret the files using alternate content types.  This can lead to a ‘drive-by download’ attack, which refers to the unintentional download of malicious code to your computer or device, leaving you open to a cyberattack such as phishing.  With this kind of attack you don’t need to click on anything, press download, or open a malicious email attachment to become infected.

Unauthorized hotlinking is where other websites directly link to files and pictures on your website, which quickly adds up to a big cost in terms of performance and is also called bandwidth theft. Your image (or files) will then appear on their site as if it were one of their own. This practice is known as “hotlinking” or “leeching” an image; in effect they are using your web server as an extra storage medium for their web pages.

X-XSS-Protection

The X-XSS-Protection header controls the cross-site scripting (XSS) filter built into some web browsers, which is usually enabled by default. It is supported by Internet Explorer 8+, Chrome and Safari.  When the header is set and an XSS attack is detected, the browser will prevent rendering of the page. In IE8 the XSS Filter operates as a browser component with visibility into all requests and responses flowing through the browser.  This protects against Cross-Site Scripting (XSS) attacks, in which the injected script generally attempts to access privileged information or services that the second website does not intend to allow.

X-Frame-Options

This security header provides clickjacking protection by controlling whether your pages can be loaded inside an iframe on another site. X-Frame-Options allows an application to specify whether or not specific pages of the site can be put in an iframe. This acts against ‘Clickjacking’, also known as a ‘UI Redress Attack’.  In this kind of attack, attackers use multiple transparent or opaque layers to fool a user into clicking on a button or link on another page when they intended to click on the top-level page.  The attacker is hijacking clicks and redirecting the users to other pages, generally owned by another domain and/or application.

Referrer-Policy

A Referrer-Policy header allows a site to control the value of the Referer header in links away from its pages. Requests made from a document, and navigations away from that document, are associated with a Referer header. Authors might wish to control the Referer header more directly for a number of reasons, such as privacy, security and trackback.

Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a security header which helps protect websites against protocol downgrade attacks and cookie hijacking. It enables websites and servers to declare that web browsers and other applications should interact with them using only secure HTTPS connections, and never via the insecure HTTP protocol.

Protocol Downgrade Attack: A downgrade attack is a type of attack on computer systems or a communications protocol which makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation typically provided for backward compatibility with older systems. Downgrade attacks are often implemented as part of a man-in-the-middle attack.

Cookie Hijacking: Also known as session hijacking, this refers to the exploitation of a valid computer session on a website to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a cookie used to authenticate a user to a remote server.

Feature-Policy

With Feature-Policy security headers, you set “policies” for the browser to enforce on specific features used throughout your site. These policies restrict what APIs the site can access or modify the browser’s default behaviour for certain features.  Examples include changing the default behaviour of autoplay on third-party videos or restricting a site from using sensitive APIs such as the camera or microphone.
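As an added example, not code from securityheaders.com or any tool named on this page, the following Python script performs the kind of audit described above against a constructed HTTP response: it parses the response headers and reports each header discussed here as missing or weakly configured. The one-year HSTS threshold, the CSP checks and the treatment of X-XSS-Protection as a legacy check are assumptions of the example.

```python
import re

# Constructed sample response for the demonstration (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Split a raw HTTP response into a {lower-case name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers):
    """Return (header, finding) pairs; an empty list means every check passed."""
    out = []
    def check(name, ok, weak_msg):
        if name not in headers:
            out.append((name, "missing"))
        elif not ok(headers[name]):
            out.append((name, weak_msg))
    def csp_ok(v):
        # Flag script policies that allow inline scripts or any origin.
        weak = {"'unsafe-inline'", "*"}
        return not any(p[0] in ("default-src", "script-src") and weak & set(p[1:])
                       for p in (d.split() for d in v.split(";")) if p)
    def hsts_ok(v):
        m = re.search(r"max-age=(\d+)", v)
        return bool(m) and int(m.group(1)) >= 31536000   # one year: an assumed baseline
    check("content-security-policy", csp_ok, "allows 'unsafe-inline' or * for scripts")
    check("x-content-type-options", lambda v: v.lower() == "nosniff", "value is not 'nosniff'")
    check("x-frame-options", lambda v: v.upper() in ("DENY", "SAMEORIGIN"), "value does not block framing")
    check("x-xss-protection", lambda v: v.startswith("1"), "filter disabled")  # legacy header
    check("referrer-policy", lambda v: v.lower() not in ("unsafe-url", ""), "leaks full URL as referrer")
    check("strict-transport-security", hsts_ok, "max-age shorter than one year")
    check("feature-policy", lambda v: bool(v), "empty value")
    return out

if __name__ == "__main__":
    for header, finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print(f"{header}: {finding}")
```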

Does security matter in terms of search engine visibility?

Yes, the security of a website directly affects where that website will feature in search engine results.  The poorer the security of a website, the lower it will rank compared to other websites with similar content but better security.  The business model of search engines is predicated on being able to return the best quality results for each query.  For this reason search engines will privilege secure websites and ban infected ones.

In these respects, security and code quality are regarded as primary parts of Search Engine Optimisation.
