Browser Security Headers - MatthewJacques/Wiki Wiki
HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Makes the browser internally redirect any HTTP request to HTTPS, which helps avoid man-in-the-middle attacks.
max-age (in seconds) is reset every time the browser receives the header, so the policy stays in force as long as the browser visits the site at least once a year.
The preload keyword allows the site to be submitted to the hard-coded list of HSTS sites that comes from browser suppliers. Submissions are at
To check whether the site has been included in the hard-coded list yet, check the static_sts values at chrome://net-internals/#hsts
HTTP Public Key Pinning (HPKP)
Public-Key-Pins: pin-sha256=[public cert pin]; pin-sha256=[CSR pin]; pin-sha256=[Backup CSR pin]; max-age=2592000; report-uri=[uri]; includeSubdomains
Makes the browser reject the connection if the certificate does not match the expected certificate. Two pins are needed in case one certificate is revoked after an attack or expires: another certificate that is already trusted is needed to update the pins stored in the browser.
max-age is in seconds; keep this short(ish), as there is a high probability of it going wrong.
report-uri can be used to make the browser report the violation to a different domain.
You can check what the pins are (and if they are saved by the browser) by visiting chrome://net-internals/#hsts
You can also pin the CSR, which means you can create certificates from any provider and they will be trusted as long as you use the same CSR.
Content Security Policy (CSP)
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' [uris]; style-src 'self' 'unsafe-inline' [uris]; img-src 'self' [uris]; frame-src [uris]; font-src 'self' [uris]; report-uri [uri]
Declares the approved sources of content that can run on the page. It also specifies how scripts and styles may be embedded in a page and provides other defences against cross-site attacks. When developing, if some content refuses to render, check the browser console to make sure the CSP is not blocking it.
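A small audit of a policy like the one above, as an added example that is not part of the original wiki: it parses a Content-Security-Policy value into directives and flags the 'unsafe-inline', 'unsafe-eval' and wildcard sources that weaken script-src and style-src. The function names, the hosts and the sample policy are constructed for illustration.

```python
# Added example: hosts and the sample policy are constructed placeholders.
RISKY = {
    "'unsafe-inline'": "inline code allowed, so injected markup can execute",
    "'unsafe-eval'": "eval()-style execution of strings allowed",
    "*": "any origin allowed",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored (first wins)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective(policy, directive):
    """Sources governing a fetch directive; falls back to default-src, None if absent."""
    return policy.get(directive, policy.get("default-src"))

def audit(value, directives=("script-src", "style-src")):
    """Return (directive, item, reason) findings for one header value."""
    policy = parse_csp(value)
    findings = []
    for d in directives:
        sources = effective(policy, d)
        if sources is None:
            findings.append((d, "missing", "no directive and no default-src: unrestricted"))
            continue
        lowered = [s.lower() for s in sources]
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        strict = any(s.startswith(NONCE_OR_HASH) for s in lowered)
        for s in lowered:
            if s in RISKY and not (strict and s == "'unsafe-inline'"):
                findings.append((d, s, RISKY[s]))
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append(("report-uri", "missing", "violations are not reported anywhere"))
    return findings

SAMPLE = ("script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; "
          "style-src 'self' 'unsafe-inline'; img-src 'self'; "
          "report-uri https://reports.example.com/csp")

if __name__ == "__main__":
    for directive, item, why in audit(SAMPLE):
        print(f"{directive}: {item} -> {why}")
```

Running it on the sample reports three findings: both unsafe keywords in script-src and 'unsafe-inline' in style-src.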
Declaring Content Sources
Tools for Working with Browser Headers
securityheaders.io - Analyse security headers of a website
david-risney/CSP-Fiddler-Extension - Generate CSP from your resources using Fiddler
report-uri.io - Retrieve CSP reports either from live CSP or from the report only header to help build your CSP header