Security headers are HTTP response headers set by the server that control browser behavior in order to prevent a class of attacks.
- Most important:
  - Strict-Transport-Security: max-age=31536000; includeSubDomains (HSTS): forces HTTPS for the host and its subdomains for one year, which prevents SSL stripping once the browser has seen the header.
  - X-Content-Type-Options: nosniff: prevents MIME type sniffing, so the browser does not guess a content type different from the Content-Type header; this blocks polyglot file attacks where an upload is interpreted as script or HTML.
  - X-Frame-Options: DENY (no framing at all) or SAMEORIGIN (framing only by the same origin): prevents clickjacking, since the page cannot be embedded in an iframe on another domain. The CSP frame-ancestors directive replaces X-Frame-Options and is more flexible (it can allow a list of specific origins).
- Referrer-Policy: no-referrer-when-downgrade (the legacy browser default) or strict-origin-when-cross-origin: controls how much of the URL is sent in the Referer header; use no-referrer for sensitive pages.
- Permissions-Policy (replaces Feature-Policy): controls which browser APIs the page and its frames may use, e.g. Permissions-Policy: geolocation=(), camera=(), microphone=() to disable unused features.
- X-XSS-Protection: deprecated; modern browsers handle this natively, so there is no need to set it.
- Cross-Origin-Opener-Policy: same-origin: isolates the browsing context from cross-origin openers, enables SharedArrayBuffer, and is required for high-resolution timers.
- Cross-Origin-Embedder-Policy: require-corp: combined with COOP, gives the page cross-origin isolation (process isolation).
- Helmet.js in Express: app.use(helmet()) automatically sets these headers with sensible defaults, and each header can be customized individually.
- Use securityheaders.com to test and grade your site's headers.
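As an added example (not code from the page or from Helmet.js), the following builds the header set described above as a Helmet-style Express middleware and includes a small audit function that flags missing or weak headers on an arbitrary response, in the spirit of what securityheaders.com checks. It uses no dependencies; the `crossOriginIsolation` option name is an assumption of this example.

```javascript
// Added example: a dependency-free security-header set and a header audit.
const ONE_YEAR = 31536000; // seconds; the HSTS duration used on this page

// Headers discussed above. frame-ancestors in CSP supersedes X-Frame-Options,
// but both are sent so older browsers that ignore CSP still get clickjacking protection.
// crossOriginIsolation (assumed option name) adds COOP + COEP for cross-origin isolation.
function securityHeaders({ crossOriginIsolation = false } = {}) {
  const headers = {
    'strict-transport-security': `max-age=${ONE_YEAR}; includeSubDomains`,
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
    'referrer-policy': 'strict-origin-when-cross-origin',
    'permissions-policy': 'geolocation=(), camera=(), microphone=()',
  };
  if (crossOriginIsolation) {
    headers['cross-origin-opener-policy'] = 'same-origin';
    headers['cross-origin-embedder-policy'] = 'require-corp';
  }
  return headers;
}

// Audit a response's headers (any casing) and return a list of findings.
function auditHeaders(responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!maxAge || Number(maxAge[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('missing X-Content-Type-Options: nosniff');
  const csp = h['content-security-policy'] || '';
  if (!/frame-ancestors/i.test(csp) && !/^(deny|sameorigin)$/i.test(h['x-frame-options'] || '')) {
    findings.push('no clickjacking protection (frame-ancestors or X-Frame-Options)');
  }
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  if (h['x-xss-protection'] !== undefined) findings.push('X-XSS-Protection is deprecated; remove it');
  return findings;
}

// Express-shaped middleware (req, res, next): like app.use(helmet()), it stamps
// every response with the header set before handing off to the next handler.
function securityHeadersMiddleware(options) {
  const headers = securityHeaders(options);
  return (req, res, next) => {
    for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
    next();
  };
}
```

Running `auditHeaders` against a response that only sends a short-lived HSTS header and the deprecated X-XSS-Protection header reports six findings, the same gaps a header-grading service would flag.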