
HTTP Headers

Metadata fields in HTTP requests and responses that control security policies, caching behavior, and communication parameters.

HTTP headers are key-value pairs sent in HTTP requests and responses that provide metadata about the communication. From a security perspective, response headers are particularly important because they instruct browsers on how to handle content, enforce security policies, and control access. Missing or misconfigured security headers are among the most common findings in web application assessments.

How It Works

Security-relevant response headers include several critical controls. Content-Security-Policy (CSP) defines which sources of content the browser should trust, mitigating cross-site scripting and data injection attacks. X-Content-Type-Options: nosniff prevents browsers from MIME-type sniffing, stopping attacks that rely on content type confusion. X-Frame-Options or the CSP frame-ancestors directive controls whether the page can be embedded in iframes, preventing clickjacking.

Strict-Transport-Security enforces HTTPS connections. Referrer-Policy controls how much URL information is sent in the Referer header when navigating away from a page, preventing sensitive URL parameters from leaking to third parties. Permissions-Policy restricts which browser features (camera, microphone, geolocation) the page can use.

On the request side, headers carry authentication tokens, session cookies, content types, and origin information. The Host header tells the server which domain the request is for. The Origin and Referer headers are checked by CSRF defenses to confirm that a state-changing request came from the application's own origin. Custom headers such as X-Requested-With (a marker that a request was issued by the application's own JavaScript) or X-API-Key carry application-specific authentication or routing data.
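As an added illustration of the request-side check described above (example code, not part of the original glossary entry), the following Python function applies the Origin/Referer rule a CSRF defense uses: safe methods pass, a state-changing request must present an Origin matching the application's own origin, and Referer is accepted only as a fallback when Origin is absent. The allowed-origin set and the sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origin(s) a deployment considers its own.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Methods that change server state and therefore need a source check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url):
    """Reduce a full URL (e.g. a Referer value) to scheme://host[:port],
    so it can be compared the same way an Origin header is."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_source_allowed(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request.

    Origin is authoritative when present. Referer is used only as a fallback,
    and a state-changing request carrying neither is rejected rather than
    silently trusted."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, no source check needed"

    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            # Opaque origins (sandboxed iframes, some redirects) cannot be trusted.
            return False, "Origin is null"
        return origin.strip().lower() in allowed, "Origin checked"

    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) in allowed, "Referer checked (Origin absent)"

    return False, "no Origin or Referer on state-changing request"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("GET", {}),
        ("POST", {"Origin": "https://app.example.com"}),
        ("POST", {"Origin": "https://attacker.example"}),
        ("POST", {"Referer": "https://app.example.com/settings?tab=1"}),
        ("POST", {"Origin": "null"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", csrf_source_allowed(method, hdrs))
```

Origin is preferred over Referer because browsers strip Referer more aggressively (a strict Referrer-Policy on the referring page will remove it entirely), so a defense that relied on Referer alone would either break legitimate requests or, if it treated a missing header as acceptable, let cross-site requests through.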

Attackers examine response headers for information leakage. Server: Apache/2.4.41, X-Powered-By: PHP/7.4.3, and similar headers reveal exact software versions, enabling targeted attacks against known vulnerabilities. Removing or generalizing these headers is a basic hardening step.

Why It Matters

Properly configured security headers provide defense-in-depth at the browser level. They act as a safety net when application-level controls fail. A strong CSP can prevent exploitation of an XSS vulnerability even when injected script reaches the page. Missing headers, conversely, leave the browser without guidance on how to protect the user.

Security assessments systematically evaluate header configuration across all response types, including API responses, error pages, and static assets, since inconsistent header policies create gaps that attackers exploit.
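The audit described in the preceding sections, carried out as an added Python example (not code from the original glossary entry): one function checks a single response's headers for the controls listed under How It Works (CSP with frame-ancestors or X-Frame-Options, X-Content-Type-Options: nosniff, Strict-Transport-Security, Referrer-Policy, Permissions-Policy) and for version-disclosing Server and X-Powered-By values, and a second runs it across several response types so that inconsistencies between the main page, an API endpoint and an error page become visible. The three sample responses, the hardened baseline and the one-year HSTS threshold are constructed assumptions for the example.

```python
import re

# Response headers every response is expected to carry (names compared case-insensitively).
REQUIRED_HEADERS = (
    "content-security-policy",
    "x-content-type-options",
    "strict-transport-security",
    "referrer-policy",
    "permissions-policy",
)

# Headers whose values commonly advertise server software; flagged when they carry a version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")

# Assumed threshold: one year, the conventional minimum for a meaningful HSTS policy.
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value):
    """Split a CSP string into {directive_name: full_directive_text}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            directives[part.split(" ")[0].lower()] = part
    return directives


def audit_headers(headers):
    """Return a sorted list of findings for one response's header mapping."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")

    csp = h.get("content-security-policy", "")
    directives = parse_csp(csp)
    # script-src governs scripts; default-src applies when script-src is absent.
    script_policy = directives.get("script-src", directives.get("default-src", ""))
    if "'unsafe-inline'" in script_policy:
        findings.append("csp allows 'unsafe-inline' scripts")
    # Clickjacking control: either CSP frame-ancestors or X-Frame-Options must exist.
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no framing control (frame-ancestors or x-frame-options)")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"x-content-type-options is not nosniff: {xcto}")

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("hsts max-age below one year")

    for name in DISCLOSURE_HEADERS:
        value = h.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"{name} discloses version: {value}")

    return sorted(findings)


def audit_site(responses):
    """responses: {path: header mapping}. Returns {path: findings} so gaps between
    response types (page, API, error page) can be compared side by side."""
    return {path: audit_headers(hdrs) for path, hdrs in responses.items()}


# Constructed baseline: what a hardened response looks like (no Server/X-Powered-By at all).
HARDENED_BASELINE = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed sample responses from one fictional application.
SAMPLE_RESPONSES = {
    "/": {  # main page: mostly hardened, but CSP permits inline scripts
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
        "Server": "nginx",
    },
    "/api/users": {  # API response: partial policy, short HSTS, version leak
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=300",
        "X-Powered-By": "PHP/7.4.3",
    },
    "/missing": {  # 404 served by server defaults: nothing applied
        "Content-Type": "text/html",
        "Server": "Apache/2.4.41",
    },
}

if __name__ == "__main__":
    for path, findings in audit_site(SAMPLE_RESPONSES).items():
        print(path, "->", findings or "ok")
```

Run against the constructed set, the main page produces a single finding (the inline-script allowance), while the API response and the error page each produce several, which is exactly the inconsistency the section above warns about: the hardening applied to the HTML templates was never applied to the framework's JSON and error paths.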
