Browser Security Headers - MatthewJacques/Wiki Wiki

HTTP Strict Transport Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

Make the browser internally redirect any HTTP requests to HTTPS to help avoid any man in the middle attacks. max-age (in seconds) gets set every time the browser receives the header so as long as the browser visits the site at least once a year. preload keyword allows the site to be submitted to the hard-coded list of HSTS sites that come from browser suppliers. Submissions are at

To check if site has been included in hard-coded list yet, check static_sts values at chrome://net-internals/#hsts

HTTP Public Key Pinning (HPKP)

Public-Key-Pins: pin-sha256=[public cert pin]; pin-sha256=[CSR pin]; pin-sha256=[Backup CSR pin]; max-age=2592000; report-uri=[uri]; includeSubdomains

Make the browser reject the connection if certificate does not match the expected certificate. Two pins are needed in case of one certificate being revoked after an attack or if it expires. We will need another certificate already trusted to update the pins that are stored in the browser. max-age is in seconds, keep this short(ish) as there is a high probability of it going wrong. report-uri can be used to make the browser report the violation to a different domain.

You can check what the pins are (and if they are saved by the browser) by visiting chrome://net-internals/#hsts

You can also pin the CSR which means you can create certificates from any provider and they will be trusted as long as you use the same CSR.

Content Security Policy (CSP)

Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' [uris]; style-src 'self' 'unsafe-inline' [uris]; img-src 'self' [uris]; frame-src [uris]; font-src 'self' [uris]; report-uri [uri]

Declares approved sources of content that can run on the page, also specifies how script and styles may be embedded in a page and provides other defences to protect from cross-site attacks. When developing and some content refuses to render, make sure to check the console to make sure the CSP is not blocking it.

CSP Cheat Sheet

Declaring Content Sources

Keywords Hosts
none https://*
self http:

Tools for Working with Browser Headers - Analyse security headers of a website david-risney/CSP-Fiddler-Extension - Generate CSP from your resources using Fiddler - Retrieve CSP reports either from live CSP or from the report only header to help build your CSP header