Do we really need all those security headers?
January 10, 2023
Gary Longsine poked me on LinkedIn and suggested I take a look at the security headers my website returns by using the tool you can find at https://securityheaders.com/. The site gives you a letter score from A to F based on the adoption of some specific headers (quoted from the site):
| Header | What it does (quoted from securityheaders.com) |
|---|---|
| Strict-Transport-Security | HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "Strict-Transport-Security: max-age=31536000; includeSubDomains". |
| Content-Security-Policy | Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. |
| X-Frame-Options | X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN". |
| X-Content-Type-Options | X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff". |
| Referrer-Policy | Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. |
| Permissions-Policy | Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser. |
I admit, I got an F.
I brought my API up to an A immediately and my website up to a C, and here is why I'm not overly concerned about the remaining score.
First, headers set in a web server like Apache, nginx or a Node Express app are instructions to the browser, not controls on the server: they tell the user agent to insist on HTTPS, refuse to be framed, stop MIME-sniffing, or restrict where scripts may load from, but they change nothing about what the backend actually does. For my personal website, I'm currently running Apache on the frontend, which proxies to my Node web application, which in turn makes data requests to my public API. The headers Apache returns say little about what happens behind the proxy, and the API is scored on its own as a separate site.
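To make the table above concrete for the Apache-in-front-of-Node setup just described, here is an added example (my own illustration, not code from the post): an Express-style middleware that sets the six headers securityheaders.com checks, plus an audit function that reports which of them a response is missing or carries with a weak value. The values for Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options are the ones quoted by securityheaders.com; the Content-Security-Policy, Referrer-Policy and Permissions-Policy values are assumptions chosen for illustration, as are the `isHttps`, `securityHeaders`, `auditHeaders` and `fakeResponse` names. The middleware withholds HSTS unless the request arrived over HTTPS, either directly or as reported by a reverse proxy through `X-Forwarded-Proto`, since an HSTS header on a plain-HTTP response is ignored by browsers.

```javascript
// Added example, not from the post. Sets and audits the six headers that
// securityheaders.com checks. CSP, Referrer-Policy and Permissions-Policy
// values below are illustrative assumptions, not recommendations from the site.

const CHECKED_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  // Assumed policy: everything same-origin, no plugins, framing only by self.
  'content-security-policy':
    "default-src 'self'; object-src 'none'; frame-ancestors 'self'",
  'x-frame-options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
  // Assumed values for the two "new" headers in the table.
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'geolocation=(), camera=(), microphone=()',
};

// True when the request reached the app over HTTPS, either directly
// (req.secure) or via a reverse proxy such as Apache that forwards
// X-Forwarded-Proto. HSTS only has an effect on HTTPS responses.
function isHttps(req) {
  if (req.secure) return true;
  const proto = (req.headers && req.headers['x-forwarded-proto']) || '';
  return proto.split(',')[0].trim().toLowerCase() === 'https';
}

// Express-style middleware: app.use(securityHeaders). Headers a route has
// already set are left alone so one response can override the default.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(CHECKED_HEADERS)) {
    if (name === 'strict-transport-security' && !isHttps(req)) continue;
    if (res.getHeader(name) === undefined) res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Audit a header map (e.g. res.getHeaders() or the headers of a fetched
// response) and report checked headers that are missing or weakly set.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const missing = [];
  const warnings = [];
  for (const name of Object.keys(CHECKED_HEADERS)) {
    if (!(name in lower)) { missing.push(name); continue; }
    const value = lower[name];
    if (name === 'x-content-type-options' && value.trim().toLowerCase() !== 'nosniff') {
      warnings.push(`${name}: only "nosniff" is valid, got "${value}"`);
    }
    if (name === 'strict-transport-security') {
      const m = /max-age=(\d+)/i.exec(value);
      if (!m) warnings.push(`${name}: missing max-age`);
      else if (Number(m[1]) < 31536000) warnings.push(`${name}: max-age below one year`);
    }
    if (name === 'content-security-policy' && /unsafe-inline/i.test(value)) {
      warnings.push(`${name}: 'unsafe-inline' weakens the XSS protection CSP is for`);
    }
  }
  return { missing, warnings };
}

// Minimal stand-in for an Express/Node response so the example runs offline.
function fakeResponse() {
  const store = {};
  return {
    setHeader(n, v) { store[n.toLowerCase()] = v; },
    getHeader(n) { return store[n.toLowerCase()]; },
    getHeaders() { return { ...store }; },
  };
}

// Usage: a request proxied by Apache over HTTPS gets all six headers.
const proxied = fakeResponse();
securityHeaders({ secure: false, headers: { 'x-forwarded-proto': 'https' } }, proxied, () => {});
console.log(auditHeaders(proxied.getHeaders())); // { missing: [], warnings: [] }
```

Two points worth noting about the design. The `isHttps` check only means something if Apache actually sets `X-Forwarded-Proto` on the proxied request (in Express you would also enable `trust proxy` for `req.secure` to reflect it); without that, HSTS is silently left off and the audit tells you so. And the audit is deliberately a presence-and-sanity check, not a reproduction of the securityheaders.com grading: it catches the common ways a header is present but useless, such as a tiny HSTS max-age, a misspelled `nosniff`, or `'unsafe-inline'` in the CSP.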