What all Developers need to know about: Security Headers

Posted by Martijn van Lambalgen on August 1, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Adding security headers is usually a quick win when improving the security of your web application, but nowadays there’s so many to choose from. Or shouldn’t you choose at all? Why not add all of them? How does this work? We tried to make an overview of which headers improve your security, and what they actually try to achieve for you.

Let’s start at the beginning. The HTTP protocol tells you to specify the HTTP protocol version, add a bunch of headers and optionally include a body for your request/response. The response headers can be thought of as meta data to the response, or as additional instructions for the browser. E.g. it tells the browser which content type the reponse page has, what server handled the request, or how long the requested resource can be cached. Below is an example of an HTTP response. The relevant security headers are marked in red.

Read more