Hardening Headers

Hardening headers protect web applications by enforcing strict browser behaviors that reduce the risk of XSS, clickjacking, session theft, MIME sniffing, and other client-side attacks. Security headers act as a defensive layer that complements backend protections by instructing the browser how to handle content, cookies, frames, scripts, and resource loading.
Well-configured headers significantly limit an attacker’s ability to exploit client-facing vulnerabilities.

Why Hardening Headers Matter

Attackers exploit weak or missing headers to:

  • inject scripts (XSS)

  • steal cookies

  • perform clickjacking

  • execute mixed-content attacks

  • bypass HTTPS restrictions

  • manipulate MIME types

  • force browsers to load malicious iframes, scripts, or redirects

Hardening headers reduces the browser’s attack surface and stops many exploitation techniques before they execute.

Core Security Headers

Below are the essential security headers, their purpose, and secure configurations.


Content-Security-Policy (CSP)

CSP controls where scripts, styles, images, fonts, frames, and other resources may load from, and whether inline script is allowed to run at all.
It is the strongest browser-side mitigation for XSS, but it complements server-side output encoding rather than replacing it: a policy only limits what an injected payload can do once it is already in the page.

Strong CSP Example (sent as one header line; shown one directive per line for readability)

Content-Security-Policy:
default-src 'none';
script-src 'self';
style-src 'self';
img-src 'self';
connect-src 'self';
frame-ancestors 'none';
base-uri 'self';
object-src 'none';

Key Directives

  • default-src 'none' → deny every resource type unless a more specific directive allows it

  • script-src 'self' → only same-origin script files; blocks inline script, javascript: URLs, and remote hosts

  • style-src 'self' → only same-origin stylesheets; blocks inline styles and external CSS

  • connect-src → limit fetch/XHR/WebSocket endpoints, which is what stops exfiltration

  • frame-ancestors → who may frame this page (anti-clickjacking; supersedes X-Frame-Options)

  • base-uri → stops an injected <base> tag from redirecting every relative URL

  • object-src 'none' → block plugins (<object>, <embed>)

Best Practices

  • never allow 'unsafe-inline' or 'unsafe-eval' in script-src

  • use nonces or hashes if inline scripting is required; pairing nonces with 'strict-dynamic' removes the need for a host allowlist

  • log violations using report-to (report-uri is deprecated but still the most widely supported; sending both is common)

  • roll the policy out under Content-Security-Policy-Report-Only before enforcing it
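
A nonce-based policy in practice, as an added example (Python; not code from the original page): a helper that mints a fresh nonce per response, assembles the policy with 'strict-dynamic', picks the report-only or enforcing header name, and a simplified model of the browser's inline-script check so the effect can be tested. The /csp-report endpoint is an assumed placeholder.

```python
import secrets


def make_nonce() -> str:
    """Fresh 128-bit nonce for one response. Reusing a nonce across responses
    lets an attacker who has seen it inject a script that passes the policy."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_endpoint: str = "/csp-report") -> str:
    """Nonce-based policy. 'strict-dynamic' trusts scripts loaded by a nonced
    script, so no host allowlist is needed and 'unsafe-inline' stays out."""
    directives = [
        "default-src 'none'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "style-src 'self'",
        "img-src 'self'",
        "connect-src 'self'",
        "font-src 'self'",
        "frame-ancestors 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "object-src 'none'",
        f"report-uri {report_endpoint}",  # assumed endpoint that stores violation reports
    ]
    return "; ".join(directives)


def csp_header(nonce: str, enforce: bool) -> tuple:
    """Same policy under the report-only name during rollout, enforcing name afterwards."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, build_csp(nonce)


def script_tag_allowed(csp: str, tag_nonce) -> bool:
    """Simplified model of the browser's inline-script decision (hashes ignored):
    with a nonce in script-src, an inline <script> runs only if its nonce
    attribute matches; without one, it runs only under 'unsafe-inline'."""
    sources = []
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == "script-src":
            sources = tokens[1:]
    nonces = {t[len("'nonce-"):-1] for t in sources if t.startswith("'nonce-")}
    if nonces:
        return tag_nonce in nonces
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    n = make_nonce()
    name, value = csp_header(n, enforce=True)
    print(f"{name}: {value}")
    print(f'<script nonce="{n}">initApp();</script>  allowed:', script_tag_allowed(value, n))
    print("injected <script>alert(1)</script>  allowed:", script_tag_allowed(value, None))
```

The nonce must be generated per response and embedded in the HTML of that same response; a nonce baked into a template or cached page is equivalent to 'unsafe-inline'.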


X-Frame-Options

Prevents clickjacking by refusing to render the page inside a frame on another site.
It is the legacy mechanism: CSP frame-ancestors is the modern replacement and wins when both are present, but sending X-Frame-Options as well still covers older browsers.

Recommended:

X-Frame-Options: DENY

or, if your own pages need to frame it:

X-Frame-Options: SAMEORIGIN

ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors to allow a specific third-party origin.

X-Content-Type-Options

Stops browsers from MIME-type sniffing, i.e. guessing a content type that differs from the Content-Type the server declared.

Recommended:

X-Content-Type-Options: nosniff

With nosniff set, a <script> or <link rel="stylesheet"> pointing at a response whose Content-Type is not a script or style type is refused, so an uploaded file served as text/plain or image/png cannot be pulled in and executed as JavaScript. The header only helps if the server sends accurate Content-Type values in the first place.


Referrer-Policy

Controls how much of the current URL is sent in the Referer header when the user navigates to, or the page loads resources from, another site.

Secure Options:

Referrer-Policy: no-referrer

sends nothing at all, or

Referrer-Policy: strict-origin-when-cross-origin

sends the full URL on same-origin requests, only the origin (scheme://host) cross-origin, and nothing on an HTTPS-to-HTTP downgrade. This is the default in current browsers, so the header mostly matters for older clients and for being explicit.

Either prevents leaking paths and query strings (password-reset tokens, internal identifiers) to third parties. It is a mitigation only: secrets should not be in URLs in the first place.


Strict-Transport-Security (HSTS)

Once the browser has received this header over a valid HTTPS connection, it rewrites http:// URLs for the host to https:// for max-age seconds and refuses to let the user click through certificate errors.
Prevents SSL stripping on every visit after the first; preloading closes the first-visit gap.

Recommended:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

  • max-age → seconds for which HTTPS is enforced (63072000 is two years, the minimum hstspreload.org accepts)

  • includeSubDomains → applies to every subdomain as well, so any subdomain that still serves plain HTTP becomes unreachable

  • preload → signals consent to inclusion in the browsers' built-in HSTS lists; it does nothing until you submit the domain at hstspreload.org, and removal takes months, so treat it as permanent

Only enable after confirming full HTTPS support across the domain; the header is ignored when delivered over plain HTTP.


Permissions-Policy

Formerly Feature-Policy.
Controls which browser features the page and the iframes it embeds may use.

Example:

Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(), fullscreen=(self)

An empty allowlist () disables the feature for the page and every iframe in it; self (unquoted, unlike CSP's 'self') allows only the same origin. The directives are comma-separated on one header line. The legacy Feature-Policy header used a different syntax (feature 'self'), so the two are not interchangeable.

This prevents third-party or injected scripts from reaching sensitive APIs the application never needs.


Cross-Origin-Resource-Policy (CORP)

Set on a resource (image, script, font, API response) to tell the browser which origins may load it in no-cors mode, for example through <img> or <script>.

Secure Example:

Cross-Origin-Resource-Policy: same-origin

same-site also permits subdomains. CORP limits cross-origin reads of the response bytes (a Spectre and XS-Leaks mitigation); it does not govern CORS-enabled fetches, which CORS decides, and it does not replace server-side authorization.

Cross-Origin-Opener-Policy (COOP)

Puts the document in its own browsing context group, so cross-origin pages that opened it (or that it opened with window.open) lose their window reference: window.opener becomes null on the other side. This blocks tabnabbing and the cross-window probes used in XS-Leaks.

Secure Example:

Cross-Origin-Opener-Policy: same-origin

Use same-origin-allow-popups instead if the page opens cross-origin popups (OAuth or payment flows) that must be able to talk back to it.

Cross-Origin-Embedder-Policy (COEP)

Restricts what the page itself may embed: with require-corp, every cross-origin resource must opt in, either with a Cross-Origin-Resource-Policy header or by being loaded with CORS (crossorigin attribute). It does not control who may embed your page; that is frame-ancestors / X-Frame-Options.

Example:

Cross-Origin-Embedder-Policy: require-corp

COOP same-origin + COEP require-corp together make the page cross-origin isolated, which is what unlocks SharedArrayBuffer and high-resolution timers (WebAssembly threads). Expect third-party images, scripts, and iframes to break until they opt in.


Cross-Origin Resource Sharing (CORS)

A set of response headers that selectively relaxes the same-origin policy so that JavaScript on a listed external origin can read responses from your API.

Secure Example:

Access-Control-Allow-Origin: https://yourdomain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST
Vary: Origin

The origin must be an exact match against a fixed allowlist. Send Vary: Origin whenever the value depends on the request, or a shared cache can hand one origin's response to another.

Avoid using:

Access-Control-Allow-Origin: *

on any endpoint that returns non-public data. Browsers refuse a * origin when credentials are also allowed, so the mistake seen in practice is the server reflecting whatever Origin header arrived (or matching it with a loose substring or regex check), which is a wildcard with credentials in everything but name.
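
The origin check as it should be written, beside the two anti-patterns that show up in pentests, as an added example (Python; not code from the original page). The allowlist contents are constructed for the example; yourdomain.com stands in for the real origins.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; replace with the real origins.
ALLOWED_ORIGINS = frozenset({"https://yourdomain.com", "https://app.yourdomain.com"})


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS) -> dict:
    """CORS headers for a credentialed API endpoint. Exact, full-origin match only.
    Returns {} (no CORS headers at all) for anything else, so the browser
    refuses to hand the response to the calling script."""
    if not request_origin or request_origin == "null":
        return {}  # 'null' comes from sandboxed iframes and file:// pages; never allowlist it
    parts = urlsplit(request_origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}  # a real Origin is scheme://host[:port] with nothing after it
    if request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Vary": "Origin",  # response differs per origin: keep caches from mixing them up
    }


def cors_headers_reflecting(request_origin) -> dict:
    """Anti-pattern: reflect whatever Origin arrived. Equivalent to '*' plus
    credentials, a combination browsers would otherwise refuse."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_suffix_match(request_origin) -> dict:
    """Anti-pattern: substring check. 'https://evilyourdomain.com' and
    'https://yourdomain.com.evil.com' both pass and then get reflected."""
    if "yourdomain.com" in request_origin:
        return cors_headers_reflecting(request_origin)
    return {}


if __name__ == "__main__":
    for origin in ("https://yourdomain.com", "https://yourdomain.com.evil.com", "null"):
        print(origin, "->", cors_headers(origin) or "no CORS headers")
```

Preflight (OPTIONS) responses need the same decision; a server that validates the Origin on the actual request but reflects it on the preflight still fails the check in practice.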


Set-Cookie Hardening

Cookies require strong attributes to resist theft, replay, and cross-site misuse.

Recommended:

Set-Cookie: session=xyz; Path=/; Secure; HttpOnly; SameSite=Strict

  • HttpOnly → blocks document.cookie access from JavaScript, so an XSS cannot read the session directly

  • Secure → sent over HTTPS only

  • SameSite=Strict → never sent on a cross-site request, which blocks CSRF; it is also withheld when a user follows a link from another site, so that first page loads logged out. SameSite=Lax (sent only on top-level GET navigations) is the usual compromise

  • Path → limit cookie scope; omit Domain unless subdomains genuinely need the cookie, since a Domain cookie can be set by any subdomain

Never store JWT or session tokens in localStorage.
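
How the attributes interact, as an added example (Python; not code from the original page): a session-cookie builder that uses the __Host- prefix (browsers accept such a cookie only with Secure, Path=/ and no Domain, which stops a subdomain or an http:// page from planting a look-alike cookie), a serializer that refuses combinations browsers reject, and a simplified SameSite model that shows the Strict-versus-Lax trade-off. Cookie values here are freshly generated, not real sessions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = True
    http_only: bool = True
    same_site: str = "Lax"  # "Strict", "Lax" or "None"
    path: str = "/"
    domain: Optional[str] = None


def new_session_cookie(same_site: str = "Lax") -> Cookie:
    """Opaque 256-bit session id under the __Host- prefix."""
    return Cookie("__Host-session", secrets.token_urlsafe(32), same_site=same_site)


def set_cookie_header(c: Cookie) -> str:
    """Serialize to a Set-Cookie value, refusing what browsers would discard."""
    if c.name.startswith("__Host-") and (not c.secure or c.path != "/" or c.domain):
        raise ValueError("__Host- cookies require Secure, Path=/ and no Domain")
    if c.same_site == "None" and not c.secure:
        raise ValueError("SameSite=None requires Secure")
    parts = [f"{c.name}={c.value}", f"Path={c.path}"]
    if c.domain:
        parts.append(f"Domain={c.domain}")
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={c.same_site}")
    return "; ".join(parts)


def is_browser_acceptable(c: Cookie) -> bool:
    """True if the cookie would survive the browser's prefix and SameSite rules."""
    try:
        set_cookie_header(c)
        return True
    except ValueError:
        return False


def browser_sends_cookie(c: Cookie, cross_site: bool, method: str, top_level_navigation: bool) -> bool:
    """Simplified SameSite model: would the browser attach this cookie?"""
    if not cross_site or c.same_site == "None":
        return True
    if c.same_site == "Strict":
        return False  # also withheld when the user follows a link from another site
    # Lax: only top-level navigations with a safe method, so a cross-site
    # form POST (classic CSRF) and background fetches go without the cookie.
    return top_level_navigation and method.upper() == "GET"


if __name__ == "__main__":
    strict, lax = new_session_cookie("Strict"), new_session_cookie("Lax")
    print(set_cookie_header(lax))
    print("external link, Strict:", browser_sends_cookie(strict, True, "GET", True))
    print("external link, Lax:   ", browser_sends_cookie(lax, True, "GET", True))
    print("cross-site POST, Lax: ", browser_sends_cookie(lax, True, "POST", True))
```

Lax still lets a cross-site GET navigation carry the cookie, so state-changing actions must never be reachable by GET; SameSite is a complement to anti-CSRF tokens on forms, not a replacement.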


Server Header Minimization

Avoid leaking software names and versions that let attackers match known CVEs to the stack.

Remove or minimize:

  • Server: nginx/1.17.1

  • X-Powered-By: PHP/7.3.1

  • X-AspNet-Version

At minimum strip the version: nginx server_tokens off; leaves Server: nginx, Apache ServerTokens Prod (with ServerSignature Off for generated error pages) leaves Server: Apache. PHP's expose_php = Off removes X-Powered-By, Express needs app.disable('x-powered-by'), and ASP.NET drops X-AspNet-Version with <httpRuntime enableVersionHeader="false" />.

Removing the Server header entirely usually takes a reverse proxy or an extra module; the version is the part that matters.


Practical Hardening Examples for Servers

Nginx Example

server_tokens off;

add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;

The always flag adds the headers to error responses (4xx/5xx) too, which nginx otherwise skips. Two caveats: add_header is inherited from the enclosing block only when the current block defines no add_header of its own, so a location block that adds even one header silently drops all of these (keep the set in a file and include it wherever headers are added); and the HSTS line belongs only in the HTTPS server block.

Apache Example

ServerTokens Prod
ServerSignature Off

Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "no-referrer"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
Header always unset X-Powered-By

Requires mod_headers. As with nginx, always covers error responses, and the HSTS line should sit in the HTTPS virtual host only.

How Attackers Abuse Missing Headers

Missing CSP

An injected script runs with no browser-side limits: it can load further payloads from any host, call any endpoint, and exfiltrate anywhere.

Missing X-Frame-Options / frame-ancestors

The page can be framed invisibly on an attacker's site and the victim tricked into clicking its buttons (clickjacking).

Missing nosniff

A <script src> pointing at an uploaded file served as text/plain, or a response the browser guesses to be HTML, can be executed as JavaScript.

Weak CORS

A reflected or wildcard origin on a credentialed endpoint lets JavaScript on an attacker's site read authenticated API responses as the victim.

Missing HSTS

An on-path attacker downgrades the initial http:// request to plain HTTP (SSL stripping) and reads or rewrites the traffic.

Missing Cookie Flags

Without HttpOnly any XSS reads document.cookie; without Secure the cookie leaks on any plain-HTTP request; without SameSite it rides along on cross-site requests (CSRF).

Each missing header opens a new attack path.

Deploying a Secure Header Policy

Step 1: Audit all current headers

Check the response headers of every endpoint, including error pages and API routes, and identify missing or unsafe configurations.

Step 2: Add headers progressively

Start with the ones that almost never break anything:

  • X-Frame-Options

  • X-Content-Type-Options

  • Referrer-Policy

Step 3: Test CSP cautiously

Deploy a strict policy under Content-Security-Policy-Report-Only first, collect violations, and fix the legitimate ones (move inline scripts into files or give them nonces) rather than loosening the policy with 'unsafe-inline'. Switch to the enforcing header once the reports are quiet.

Step 4: Monitor logs for violations

Keep the CSP reporting endpoint after enforcement; new violations are often the first sign of an injection attempt or a broken deploy.

Step 5: Enforce HSTS once HTTPS is stable

Start with a short max-age (a few minutes), raise it in steps, add includeSubDomains once every subdomain serves HTTPS, and add preload last. Preloading is effectively irreversible, so commit only when sure.
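
The audit in Step 1, turned into something repeatable, as an added example (Python; not code from the original page): a checker that takes one response's headers as a dict and reports the weaknesses this page describes, run here against two constructed header sets, one weak and one hardened. The sample values are made up for the example and were not captured from any real host.

```python
import re
from typing import Dict, List, Union

HeaderValue = Union[str, List[str]]  # Set-Cookie may repeat, so allow a list
ONE_YEAR = 31536000


def _directive(csp: str, name: str):
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_headers(headers: Dict[str, HeaderValue]) -> List[str]:
    """Return findings for one response's headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if not isinstance(csp, str):
        findings.append("CSP: missing")
    else:
        scripts = _directive(csp, "script-src")
        if scripts is None:  # script-src falls back to default-src
            scripts = _directive(csp, "default-src") or []
        nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in scripts)
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append("CSP: script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("CSP: script-src allows 'unsafe-eval'")
        if any(t in ("*", "https:", "http:") for t in scripts):
            findings.append("CSP: script-src allows wildcard or bare scheme sources")
        if _directive(csp, "object-src") is None and _directive(csp, "default-src") is None:
            findings.append("CSP: object-src unrestricted (plugins allowed)")
    frame_ancestors = _directive(csp, "frame-ancestors") if isinstance(csp, str) else None
    if frame_ancestors is None and "x-frame-options" not in h:
        findings.append("Clickjacking: neither frame-ancestors nor X-Frame-Options set")

    hsts = h.get("strict-transport-security")
    if not isinstance(hsts, str):
        findings.append("HSTS: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age missing or shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains missing")

    if str(h.get("x-content-type-options", "")).lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if str(h.get("referrer-policy", "")).lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: missing or leaks full URLs cross-origin")

    acao = h.get("access-control-allow-origin")
    creds = str(h.get("access-control-allow-credentials", "")).lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS: wildcard origin combined with credentials")
    elif isinstance(acao, str) and acao != "*" and "origin" not in str(h.get("vary", "")).lower():
        findings.append("CORS: per-origin ACAO without 'Vary: Origin'")

    cookies = h.get("set-cookie", [])
    for raw in [cookies] if isinstance(cookies, str) else cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append("samesite")
        if missing:
            findings.append(f"Cookie {name}: missing {', '.join(missing)}")

    for banner in ("server", "x-powered-by", "x-aspnet-version"):
        v = h.get(banner)
        if isinstance(v, str) and (banner != "server" or re.search(r"\d", v)):
            findings.append(f"Banner: {banner} exposes '{v}'")
    return findings


# Constructed sample responses for the example (not captured from a real host).
WEAK = {
    "Server": "nginx/1.17.1",
    "X-Powered-By": "PHP/7.3.1",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "Strict-Transport-Security": "max-age=86400",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": ["session=abc123; Path=/", "theme=dark; Path=/"],
}
STRONG = {
    "Content-Security-Policy": "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; style-src 'self'; img-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "__Host-session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Feed it the headers from your framework's test client or from a captured response per route, not just the home page: error handlers, static-file handlers, and API routes frequently miss the set that the main application applies.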

Intel Dump

  • Hardening headers enforce secure browser behavior and block common client-side attack vectors.

  • CSP is the strongest browser-side defense against XSS through resource, script, and frame control; it complements, not replaces, output encoding.

  • X-Frame-Options, nosniff, HSTS, and Referrer-Policy address clickjacking, MIME sniffing, SSL stripping, and data leakage.

  • Permissions-Policy restricts sensitive browser APIs.

  • Cookies require Secure, HttpOnly, SameSite flags for safe authentication.

  • CORS must allow only trusted origins by exact match, never reflect the request's Origin, and avoid wildcards on endpoints that return non-public data.

  • Disabling server banners reduces information leakage.

  • Properly configured headers drastically reduce exploitability of client-facing vulnerabilities.
