Recommended Security headers
Missing security headers result in security misconfiguration.

Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
– OWASP
The recommended security headers can be set by adding the code below to the .htaccess file.
content-security-policy
This response header defines a set of content restrictions for web resources which aims to mitigate web application vulnerabilities such as Cross Site Scripting (XSS).
X-XSS-Protection
This response header enables the cross-site scripting (XSS) filter built into most recent web browsers. It is usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if the user has disabled it. This header is supported in IE 8+ and in Chrome.
x-content-type-options
This response header with the “nosniff” directive prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type: the browser will not load a “stylesheet” file unless the MIME type matches the specified value, which reduces exposure to drive-by download attacks.
strict-transport-security
HTTP Strict-Transport-Security (HSTS) enforces secure connections to the server and protects web application users against certain passive (eavesdropping) and active network attacks (e.g. downgrade attacks). This header automatically turns any insecure links referencing the web application into secure links and prevents users from ignoring SSL negotiation warnings.
x-permitted-cross-domain-policies
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When a client requests content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but those who cannot write to the root directory can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header.
referrer-policy
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with the requests a page makes.
feature-policy
The feature policy header allows a site to control which features and APIs can be used in the browser.
Expect-CT
The Expect-CT header is used by a server to indicate that browsers should evaluate connections to the host emitting the header for Certificate Transparency compliance.
Threats and Risks
HTTP response headers can be used to increase the security of the application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. Some of the problems caused by a lack of security headers are as follows:
- Lack of the content-security-policy response header increases the risk of content injection attacks.
- Lack of the X-XSS-Protection response header reduces the protection against cross-site scripting (XSS) attacks if the user has the filter disabled in the browser.
- Lack of the x-content-type-options response header reduces the protection against drive-by download attacks.
- Lack of the strict-transport-security response header could increase the risk of certain network attacks, e.g. downgrade attacks and cookie hijacking.
- Lack of the x-permitted-cross-domain-policies response header increases the risk of abuse of infrastructure resources, e.g. bandwidth usage.
- Lack of the referrer-policy response header allows other servers to identify the page from which users navigated to them.
- Lack of the feature-policy response header increases the risk of browser features and APIs being accessed by malicious attackers.
- Lack of the Expect-CT response header prevents web host operators from discovering misconfigurations in their Certificate Transparency deployments and from ensuring that mis-issued certificates accepted by user agents (UAs) are discoverable in Certificate Transparency logs.
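As an added example (not part of the original article), the following Python audits a captured HTTP response against the headers described above and the risks listed here, reporting each recommended header that is missing or set to a weak value. The accepted values (e.g. a minimum HSTS max-age of 180 days, the referrer policies treated as safe) are assumptions chosen for this example, and the sample response is constructed.

```python
import re

def _hsts_max_age(value):
    """Extract max-age (seconds) from an HSTS value; 0 when absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

# Recommended headers from the article, each paired with a minimal value check.
# The accepted values below are assumptions made for this example.
RECOMMENDED = {
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": lambda v: _hsts_max_age(v) >= 15552000,  # 180 days
    "x-permitted-cross-domain-policies": lambda v: v.strip().lower() in ("none", "master-only"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "feature-policy": lambda v: bool(v.strip()),
    "expect-ct": lambda v: "max-age" in v.lower(),
}

def parse_response_headers(raw):
    """Parse the header block of a raw HTTP response into a dict (last value wins)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break                        # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def audit_headers(headers):
    """Return (kind, header) findings: 'missing' or 'weak' for each recommended header."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, is_strong in RECOMMENDED.items():
        if name not in present:
            findings.append(("missing", name))
        elif not is_strong(present[name]):
            findings.append(("weak", name))
    return findings

# Constructed sample response: some headers absent, others set to weak values.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "X-XSS-Protection: 0\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n"
    "<html></html>"
)
```

Running `audit_headers(parse_response_headers(SAMPLE_RESPONSE))` on the sample flags the missing CSP, permitted-cross-domain-policies, feature-policy and Expect-CT headers and the weak X-XSS-Protection, HSTS and Referrer-Policy values.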
