
Browser Security Headers







Security threats on the web:

There are a lot of security threats that affect users directly, such as XSS, clickjacking and insufficient transport protection of credentials, and many more. Several of them can be mitigated by telling the browser what it is and is not allowed to do with our pages, and that is easily achieved with browser security headers sent in the HTTP response.

For example, clickjacking can be prevented with the Content-Security-Policy header (its frame-ancestors directive, or the older X-Frame-Options header), which stops other sites from framing our page,
and insecure transmission over plain HTTP can be fixed with the HSTS (Strict-Transport-Security) header, which tells the browser to only ever connect to us over HTTPS.


How browsers behave with the headers:


There are only two cases:

  • If the browser understands the header, it takes the action the header's value asks for.
  • If the browser does not understand the header, it simply ignores it.

The second case cuts both ways: an unsupported header does no harm, but a misspelled header name or a value the browser does not support also does nothing, silently. So treat these headers as defence in depth on top of fixing the application itself, and check what the server actually sends (for example with curl -I or the browser's developer tools). We can use http://caniuse.com to check whether a particular header is supported by all the browsers we care about.






Non-standard browser headers:


Some security headers started life as experimental, vendor-specific headers and are still seen in the wild. These are called non-standard headers, and by convention their names start with X-. For example, X-Content-Security-Policy (Firefox) and X-WebKit-CSP (Chrome and Safari) were the experimental forms of CSP and have been replaced by the standard Content-Security-Policy header. Please keep in mind that the X- prefix marks a non-standard security header. Examples:

X-Content-Security-Policy
X-WebKit-CSP
X-Frame-Options
X-XSS-Protection

are all examples of non-standard headers. Of these, only X-Frame-Options is still worth sending alongside CSP, because older browsers without frame-ancestors support honour it; the two X- CSP spellings are ignored by current browsers, and X-XSS-Protection is deprecated and no longer honoured by most of them.




Now let's look at the web:


Now let's see how many websites are actually taking advantage of the security headers,
according to research done by a researcher whose name I probably don't know.


  • Only 7% of websites force users to redirect from HTTP to HTTPS (please have an evil laugh here), and of those 7% only 1% use the HSTS header (please have another evil laugh).



  • Only 1576 websites among the top 1 million sites are using the CSP header!


Please note that this research was done by a security researcher late in 2015. I don't know what's going on right now!
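The following is an added example that is not part of the original post: a small Node.js script that, first, builds the hardened header set the post recommends (CSP with frame-ancestors against clickjacking, HSTS against plain HTTP, X-Frame-Options for older browsers) and, second, audits a captured set of response headers for exactly the gaps the survey above counted, plus the legacy X- prefixed CSP spellings from the non-standard headers section. The header values, the one-year HSTS threshold and the three sample responses are my own assumptions and constructed data, not taken from the post or from any real site.

```javascript
// Added example, not code from the original post: a hardened header set for
// an HTTPS response, plus an audit of captured response headers for the gaps
// discussed above (no HTTPS, no HSTS, no CSP, only legacy X- prefixed CSP).
// Header values, the one-year threshold and the sample responses are
// assumptions constructed for illustration.

const ONE_YEAR = 31536000; // seconds; a common minimum HSTS max-age

// Legacy, browser-specific CSP spellings that current browsers no longer honour.
const LEGACY_CSP_NAMES = ['x-content-security-policy', 'x-webkit-csp'];

// Build the headers a server should attach to every HTTPS response.
function buildSecurityHeaders({ trustedScriptHosts = [] } = {}) {
  const scriptSrc = ["'self'", ...trustedScriptHosts].join(' ');
  return {
    // CSP limits where scripts may load from (XSS mitigation) and, via
    // frame-ancestors, forbids any site from framing the page (clickjacking).
    'Content-Security-Policy':
      `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; ` +
      "frame-ancestors 'none'; base-uri 'self'",
    // HSTS pins the browser to HTTPS for a year. Browsers ignore it on a plain
    // HTTP response, so the HTTP -> HTTPS redirect must exist as well.
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
    // Older browsers without frame-ancestors support still honour this one.
    'X-Frame-Options': 'DENY',
  };
}

// Audit a captured set of response headers. `scheme` is the scheme the
// response was fetched over. Returns human-readable findings, empty when
// nothing is missing.
function auditHeaders(rawHeaders, { scheme = 'https' } = {}) {
  // Header names are case-insensitive, so normalise before looking them up.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = value;
  }
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    const legacy = LEGACY_CSP_NAMES.filter((n) => n in h);
    findings.push(legacy.length
      ? `only legacy CSP header(s) present (${legacy.join(', ')}); current browsers ignore them`
      : 'no Content-Security-Policy');
  } else if (!/\bframe-ancestors\b/i.test(csp) && !h['x-frame-options']) {
    findings.push('framing not restricted: CSP has no frame-ancestors and X-Frame-Options is absent');
  }

  if (scheme !== 'https') {
    findings.push('served over plain HTTP: HSTS cannot take effect, redirect to HTTPS first');
  } else {
    const hsts = h['strict-transport-security'];
    const m = hsts && /max-age=(\d+)/i.exec(hsts);
    if (!hsts) findings.push('no Strict-Transport-Security');
    else if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age shorter than one year');
  }
  return findings;
}

// Constructed sample responses (not real captures).
const SAMPLE_RESPONSES = {
  plainHttp: { headers: { 'Content-Type': 'text/html' }, scheme: 'http' },
  legacyOnly: {
    headers: { 'X-Content-Security-Policy': "default-src 'self'", 'X-Frame-Options': 'SAMEORIGIN' },
    scheme: 'https',
  },
  hardened: {
    headers: buildSecurityHeaders({ trustedScriptHosts: ['https://cdn.example'] }),
    scheme: 'https',
  },
};

for (const [name, { headers, scheme }] of Object.entries(SAMPLE_RESPONSES)) {
  const findings = auditHeaders(headers, { scheme });
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'OK'}`);
}
```

To audit a real site, paste the header lines printed by `curl -sI https://example.com` into an object and pass it to auditHeaders with the scheme you fetched over; a site that answers on http without redirecting will show the "served over plain HTTP" finding before anything else, which is the 93% case in the survey above.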


In the next tutorials we will dive deep into every single header.
That's all for now, thank you!
