What are the elements of security in HTTP? Security headers and cookie properties explained

About

In HTTP, security is configured by setting the elements listed below.

Elements of HTTP security

The response HTTP headers that control the browser and have an effect on security are:

  • X-Frame-Options header. Controls whether the page may be rendered inside a frame on another site.
X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options header. Stops the browser from sniffing the content type and interpreting a response as a different type.
X-Content-Type-Options: nosniff
  • X-XSS-Protection header. With the value below, the browser prevents rendering of the page when a Cross-site scripting (XSS) attack is detected. Current browsers have dropped this filter, so the header only affects older ones.
X-XSS-Protection: 1; mode=block
  • X-Robots-Tag header. Stops search engines from indexing the pages.
X-Robots-Tag: none
  • Referrer-Policy header: HTTP - Referrer-Policy Header (so that private URLs are not leaked through the Referer header).
  • Permissions-Policy header. This header allows you to control which features and APIs can be used in the browser. It was previously named Feature-Policy. You can view the full list of permission options here.
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

The cookie's SameSite attribute and its scope control whether the browser sends the cookie back in a cross-origin context or not.
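As an added example (not code from the original page), the following Python script audits a raw HTTP response for the headers listed above and for the cookie SameSite attribute. The accepted header values in EXPECTED, the sample response and the extra rule that SameSite=None must be paired with Secure are assumptions of this example.

```python
EXPECTED = {  # accepted values are constructed for this example; None = presence check only
    "x-frame-options": ("sameorigin", "deny"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
    "x-robots-tag": ("none", "noindex"),
    "referrer-policy": ("no-referrer", "same-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": None,
}

def parse_headers(raw):  # (name, value) pairs from a raw response head; body ignored
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    present = {}
    for name, value in parse_headers(raw):
        present.setdefault(name.lower(), []).append(value)
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in present:
            findings.append(f"missing header: {name}")
        elif allowed is not None and present[name][0].lower() not in allowed:
            findings.append(f"weak value for {name}: {present[name][0]}")
    for cookie in present.get("set-cookie", []):  # cookie scope: SameSite attribute
        cname = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        samesite = [a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")]
        if not samesite:
            findings.append(f"cookie {cname}: no SameSite attribute")
        elif samesite[0] == "none" and "secure" not in attrs:
            findings.append(f"cookie {cname}: SameSite=None requires Secure")
    return findings

SAMPLE_RESPONSE = (  # constructed: two headers and the SameSite attribute are missing
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n\r\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```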
