Configure Security HTTP Headers to Prevent Vulnerabilities

Do Son August 17, 2017 5 minutes read

HTTP (HyperText Transfer Protocol) is the set of rules browsers and web servers use to exchange web pages and the resources they reference. Typing http:// in front of an address tells the browser to talk to the server over plain HTTP; https:// tells it to do so over TLS. For example, the URL for Computer Hope is https://www.computerhope.com. Today's browsers no longer require the scheme to be typed, since HTTP(S) is the default, but it remains part of the URL so the browser can distinguish it from other protocols such as FTP. Every HTTP response also carries headers, and several of them exist purely to instruct the browser on how to handle the page safely. The rest of this article walks through the ones that matter most and how to configure them.

X-Frame-Options

The X-Frame-Options HTTP response header tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object>. Sites use it to ensure their content is not embedded in someone else's page, which defeats clickjacking attacks (an invisible frame of the target site laid over a decoy page so that the victim's clicks land on the framed site). X-Frame-Options has three defined values: DENY, SAMEORIGIN and ALLOW-FROM.

DENY: the page may not be displayed in a frame at all, not even by a page on the same origin.

SAMEORIGIN: the page may be displayed in a frame only when the framing page is on the same origin.

ALLOW-FROM uri: the page may be displayed in a frame only by the specified origin. This value is obsolete: modern browsers that see it ignore the header entirely, which leaves the page frameable by anyone. When you need to allow a specific third-party origin, use the frame-ancestors directive of Content-Security-Policy instead.

In other words, with DENY the page cannot be embedded anywhere, including in frames on your own site, so use it only for pages you never frame yourself. With SAMEORIGIN the page can still be framed by your own pages but not by anyone else's, which is the right default for most applications. Note that the header protects only the response that carries it, so every page on the site must send it, not just the login page. If a response also carries a Content-Security-Policy with frame-ancestors, browsers use that directive and ignore X-Frame-Options.

Configure Apache

To have Apache send the X-Frame-Options header on every response, add the following line to the site's configuration (or to an .htaccess file where mod_headers is enabled):

Header always set X-Frame-Options "SAMEORIGIN"

Use set rather than append: append merges with any X-Frame-Options header the application already emits, producing a comma-joined list such as "SAMEORIGIN, SAMEORIGIN" (or a conflicting "DENY, SAMEORIGIN") whose handling differs between browser generations, whereas set replaces it with exactly one well-formed value. The always keyword makes the header apply to error responses as well as successful ones.

Configure nginx

To have nginx send the X-Frame-Options header, add the following line inside the http, server or location block:

add_header X-Frame-Options SAMEORIGIN always;

Two caveats. First, add_header is not inherited the way most nginx directives are: a block that contains any add_header directive of its own discards all add_header lines from its parent, so a location block with its own add_header silently drops X-Frame-Options unless it repeats it. Second, without the always parameter (nginx 1.7.5 and later) add_header applies only to a fixed set of success and redirect status codes, so error pages would go out without the header.

Configure IIS

To have IIS send the X-Frame-Options response header, add the following to the site's Web.config file:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

X-Content-Type-Options

Browsers normally decide how to handle a resource from the Content-Type header of the response: text/html is an HTML document, image/png a PNG image, text/css a stylesheet. Some responses, however, carry a wrong or missing Content-Type. Faced with that, some browsers fall back to MIME sniffing: they inspect the first bytes of the body, guess the type, and parse (and potentially execute) the content accordingly.

For example, if an HTML document is served with Content-Type: text/plain, Internet Explorer 8 and earlier still render it as HTML. An attacker can abuse this: a file uploaded as an "image" that actually contains HTML and script may be sniffed and rendered as a page on your origin, turning an upload feature into stored cross-site scripting. The following response header disables the guessing:

X-Content-Type-Options: nosniff

nosniff is the only defined value. Besides disabling sniffing of top-level documents, modern browsers use it to refuse to execute a <script> resource whose Content-Type is not a JavaScript type and to refuse a <link rel="stylesheet"> resource that is not text/css, so the header helps only if your server sends correct Content-Type values in the first place.

Access-Control-Allow-Origin

Cross-origin resource sharing (CORS) lets a server declare which other origins may read its responses from within a browser. By default the same-origin policy prevents a script on one origin from reading a response fetched from another; the Access-Control-Allow-Origin response header relaxes that rule for the origins the server names.

Simple explanation

A script running on origin A may read the response from origin B only if B's response includes the Access-Control-Allow-Origin header and its value is A's origin (or the wildcard). For example, a response carrying

Access-Control-Allow-Origin: https://securityonline.info

can be read only by pages on https://securityonline.info. If the value is *, any origin can read it:

Access-Control-Allow-Origin: *

Use the wildcard only for genuinely public resources. It cannot be used for authenticated requests: browsers refuse to expose a response that combines * with Access-Control-Allow-Credentials: true. The more dangerous and more common mistake is to allow credentials and copy the request's Origin header into Access-Control-Allow-Origin without checking it, which lets any site read the logged-in user's data. Compare the Origin against a fixed allowlist with an exact match (a substring check such as "does it contain our domain" is bypassed by https://securityonline.info.evil.example), and add Vary: Origin whenever the value depends on the request so that caches do not serve one origin's response to another.
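The following is an added example, not code from the original article, showing the server-side decision behind the header: the Origin-reflection and substring mistakes described above, a hardened allowlist handler, and a small model of the browser's check, including the rule that a wildcard is never accepted for a credentialed request. The allowlist, handler names and sample requests are constructed for illustration.

```python
"""Server-side CORS origin handling: the reflection and substring mistakes
beside an allowlist, plus a model of the browser-side check.

Added example, not code from the original article. The allowlist, the handler
names and the sample requests are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to read authenticated responses.
ALLOWED_ORIGINS = frozenset({
    "https://securityonline.info",
    "https://app.securityonline.info",
})


def cors_reflecting(request_headers):
    """Misconfiguration 1: echo whatever Origin the request carries and also
    allow credentials. Every site on the web can now read the user's data."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_substring(request_headers):
    """Misconfiguration 2: a 'check' that only looks for the domain as a
    substring, so https://securityonline.info.evil.example passes."""
    origin = request_headers.get("Origin", "")
    if "securityonline.info" not in origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def canonical_origin(origin):
    """scheme://host[:port] in canonical form, or None if the value is not a
    bare https origin (a path, query or non-https scheme disqualifies it)."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return None
    return "https://" + parts.netloc.lower()


def cors_allowlist(request_headers, allowed=ALLOWED_ORIGINS):
    """Hardened handler: exact match against a fixed allowlist, credentials
    only for those origins, and Vary: Origin because the answer is per-origin."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    match = canonical_origin(origin)
    if match is None or match not in allowed:
        return {"Vary": "Origin"}  # no ACAO at all: the browser blocks the read
    return {"Access-Control-Allow-Origin": match,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def browser_exposes(response_headers, page_origin, credentialed):
    """Model of the browser's check: may a page on page_origin read this
    response? The wildcard is never accepted for a credentialed request."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentialed:
        return (acao == page_origin and
                response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == page_origin


if __name__ == "__main__":  # constructed requests from attacker-controlled pages
    for attacker in ("https://evil.example", "https://securityonline.info.evil.example"):
        req = {"Origin": attacker}
        for handler in (cors_reflecting, cors_substring, cors_allowlist):
            leaked = browser_exposes(handler(req), attacker, credentialed=True)
            print("%-16s %-45s leaks=%s" % (handler.__name__, attacker, leaked))
```

Running the script prints one line per handler and attacker origin; only cors_allowlist reports leaks=False for both. The allowlist handler deliberately returns no Access-Control-Allow-Origin at all for an unknown origin rather than an error status: the resource still loads for same-origin callers, and the browser simply refuses the cross-origin read.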

X-XSS-Protection

The X-XSS-Protection response header controlled the reflected-XSS filter built into Internet Explorer, Chrome and Safari: when the browser detected script in the response that matched script in the request, it sanitised the page or refused to render it. The filter is now a legacy feature. Chrome removed its XSS Auditor in version 78, Edge removed its filter, and Firefox never implemented one, so the header has no effect in current versions of those browsers. Worse, the filters themselves were abused in practice: the page-rewriting mode could be used to disable legitimate scripts selectively, and both modes leaked information about page content. The current recommendation is to send X-XSS-Protection: 0 (or omit the header) and rely on a strong Content-Security-Policy that forbids inline script ('unsafe-inline'). The values below are documented for completeness and for users still on older browsers.

Parameter Explanation

X-XSS-Protection: 0

Disables the filter. This is the recommended value today, because the filter's own behaviour introduces weaknesses in the browsers that still implement it.

X-XSS-Protection: 1

Enables the filter (the historical browser default). If an attack is detected, the browser sanitises the page by removing the suspected injected script and renders the rest.

X-XSS-Protection: 1; mode=block

Enables the filter; if an attack is detected, the browser renders nothing rather than a sanitised page. Of the filtering modes this is the safer one, since the selective sanitisation of mode 1 is what attackers abused.

X-XSS-Protection: 1; report=<reporting-uri>

Enables the filter; if an attack is detected, the browser sanitises the page and sends a violation report to the given URI using the same mechanism as the CSP report-uri directive. This was a Chromium-only extension.

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a policy that a web server sends in the Strict-Transport-Security response header to tell the browser to communicate with the site only over HTTPS, never plain HTTP, for a stated period.

Once a browser has received the header from a host over a valid HTTPS connection, it rewrites every http:// URL for that host to https:// before the request leaves the machine, and it no longer lets the user click through certificate errors for that host. A typical value is Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, where max-age is the policy lifetime in seconds (one year here), includeSubDomains extends it to every subdomain, and preload signals that you intend to submit the domain to the browsers' built-in preload list, which closes the window before the first HTTPS visit. Two caveats: browsers ignore the header on plain-HTTP responses, so it must be sent from the HTTPS site; and because a long max-age with includeSubDomains cannot be revoked from clients that have already cached it, confirm that every subdomain serves HTTPS before enabling it.
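As an added example that is not part of the original article, the script below turns the checks described in the X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and HSTS sections into a small audit function and runs it over two constructed sample responses (one unhardened, one following the advice above). The sample responses, the one-year max-age threshold and the wording of the findings are mine, not the article's.

```python
"""Audit the security headers in an HTTP response head. Added example, not code
from the original article: it checks X-Frame-Options, X-Content-Type-Options,
X-XSS-Protection and Strict-Transport-Security. Sample responses are constructed."""

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts


def parse_headers(raw):
    """Parse a raw HTTP/1.1 response head into [(name, value)] with lower-cased
    names. Duplicates are kept: a duplicated header is itself a finding."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def values(headers, name):
    """Every value sent for a header, also split on commas, so that one header
    reading 'DENY, SAMEORIGIN' counts the same as two separate headers."""
    out = []
    for n, v in headers:
        if n == name.lower():
            out.extend(p.strip() for p in v.split(",") if p.strip())
    return out


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into {lower-cased name:
    argument}; max-age becomes an int, or None if absent or malformed."""
    directives = {}
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"')
    try:
        directives["max-age"] = int(directives.get("max-age", ""))
    except ValueError:
        directives["max-age"] = None
    return directives


def audit(raw, over_https=True):
    """Return a list of findings; empty means every checked header is present
    with a sensible value. over_https says how the response was fetched."""
    headers = parse_headers(raw)
    findings = []

    xfo = [v.upper() for v in values(headers, "X-Frame-Options")]
    if not xfo:
        findings.append("X-Frame-Options missing: any site can frame the page")
    elif len(set(xfo)) > 1:
        findings.append("X-Frame-Options has conflicting values %s: send exactly one" % xfo)
    elif xfo[0].startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete and makes modern browsers ignore the header; use CSP frame-ancestors")
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value %r is invalid and will be ignored" % xfo[0])

    if "nosniff" not in [v.lower() for v in values(headers, "X-Content-Type-Options")]:
        findings.append("X-Content-Type-Options: nosniff missing: browser may MIME-sniff responses")

    xss = values(headers, "X-XSS-Protection")
    if xss and not xss[0].startswith("0"):
        findings.append("X-XSS-Protection enables the legacy XSS filter, which can itself be abused: send 0 and rely on CSP")

    hsts = values(headers, "Strict-Transport-Security")
    if not over_https:
        if hsts:
            findings.append("Strict-Transport-Security on a plain-HTTP response is ignored by browsers")
    elif not hsts:
        findings.append("Strict-Transport-Security missing: the first http:// visit can be downgraded")
    else:
        d = parse_hsts(hsts[0])
        if d["max-age"] is None:
            findings.append("Strict-Transport-Security has no valid max-age, so the policy is ignored")
        elif d["max-age"] < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age=%d is below one year" % d["max-age"])
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains: subdomains stay reachable over http://")
    return findings


# Constructed sample: a response before hardening.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOW-FROM https://partner.example
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=3600
"""

# Constructed sample: the same response after applying the advice above.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""
```

Calling audit(WEAK_RESPONSE) yields five findings (obsolete ALLOW-FROM, missing nosniff, legacy XSS filter enabled, short max-age, no includeSubDomains); audit(HARDENED_RESPONSE) yields none, and audit(HARDENED_RESPONSE, over_https=False) flags only that HSTS was seen on a plain-HTTP response. To audit a live site, paste the output of curl -sI https://host/ into audit(); the function deliberately does not fetch anything itself.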

Content Security Policy

Content Security Policy (CSP) is a browser security mechanism used primarily to prevent cross-site scripting (XSS), clickjacking and other code-injection attacks. It works by having the server declare which sources of script, style, images, frames and other content the page may load; anything injected from elsewhere, including inline script the policy does not explicitly allow, is refused by the browser.

Basic usage

A policy is delivered in the Content-Security-Policy response header (older experimental implementations used X-Content-Security-Policy and X-WebKit-CSP, which modern browsers ignore). A response may carry more than one CSP header; every policy is enforced independently, so a resource load must be permitted by all of them and the effective policy is the intersection of the headers, never their union. The header has the form:

Content-Security-Policy: policy

The policy is a string of directives separated by semicolons. Each directive has a name, which says what kind of resource it governs (script-src, style-src, img-src, frame-ancestors, with default-src as the fallback for resource types not named), followed by its value, a space-separated list of source expressions. A source expression may be a host (optionally with scheme, port and a wildcard subdomain, such as https://*.example.com:443), a bare scheme such as https:, a quoted keyword such as 'self' or 'none', a nonce ('nonce-<base64 value>') matching the nonce attribute of one specific inline script, or a hash ('sha256-<base64 digest>') of an inline script's contents. The single quotes around keywords are mandatory; an unquoted self is read as a hostname called self.

For more on CSP, read this article.
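As an added example that is not part of the original article, the following parses Content-Security-Policy values into directives and source expressions and evaluates resource loads and inline scripts against one or more policies, demonstrating the intersection rule above, the default-src fallback, wildcard and port matching, and the fact that a nonce or hash in a directive switches 'unsafe-inline' off. It covers the source kinds described above; path matching is omitted. The policies, URLs and inline body used to exercise it are constructed.

```python
"""Parse Content-Security-Policy headers and evaluate loads against them.
Added example, not code from the original article: it handles host, scheme,
'self', 'none', 'unsafe-inline', nonce and sha256 sources (path matching is
omitted) and shows that several policies combine as an intersection.
"""
import base64
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": "80", "https": "443"}


def parse_policy(header_value):
    """{directive: [sources]}; as in the spec the first occurrence of a directive wins."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), str(u.port or DEFAULT_PORT.get(scheme, ""))


def sha256_source(content):
    """The 'sha256-...' expression that allows exactly this inline body."""
    return "'sha256-%s'" % base64.b64encode(hashlib.sha256(content.encode()).digest()).decode()


def _scheme_matches(wanted, actual):
    # An http: source also matches https: URLs (secure upgrade); nothing else crosses schemes.
    return actual == wanted or (wanted == "http" and actual == "https")


def _host_source_matches(expr, url_origin, page_origin):
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = None, expr  # bare host such as cdn.example.com or *.example.com
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    u_scheme, u_host, u_port = url_origin
    if not _scheme_matches((scheme or page_origin[0]).lower(), u_scheme):
        return False
    if host.startswith("*."):  # "*.example.com" matches a.example.com, not example.com itself
        if not u_host.endswith(host[1:]):
            return False
    elif host != "*" and u_host != host:
        return False
    if port == "*":
        return True
    if port:
        return u_port == port
    return u_port == DEFAULT_PORT.get(u_scheme)  # no port given: only the scheme's default port


def _policy_allows_url(policy, directive, url, page_origin):
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # the policy says nothing about this kind of resource
    url_origin = origin_of(url)
    for expr in sources:
        if expr == "'none'":
            return False
        if expr == "'self'" and url_origin == page_origin:
            return True
        if expr.endswith(":") and "/" not in expr:  # scheme source such as https:
            if _scheme_matches(expr[:-1].lower(), url_origin[0]):
                return True
        elif not expr.startswith("'") and _host_source_matches(expr, url_origin, page_origin):
            return True
    return False


def allows_url(policies, directive, url, page_url):
    """Permitted only if EVERY enforced policy permits it: an intersection, never a union."""
    page_origin = origin_of(page_url)
    return all(_policy_allows_url(p, directive, url, page_origin) for p in policies)


def _policy_allows_inline(policy, directive, content, nonce):
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    # A nonce or hash anywhere in the list switches 'unsafe-inline' off (CSP level 2 and later).
    strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    for expr in sources:
        if expr == "'unsafe-inline'" and not strict:
            return True
        if nonce is not None and expr == "'nonce-%s'" % nonce:
            return True
        if expr == sha256_source(content):
            return True
    return False


def allows_inline(policies, directive, content, nonce=None):
    return all(_policy_allows_inline(p, directive, content, nonce) for p in policies)
```

With a page on https://securityonline.info and the two policies "default-src 'self'; script-src 'self' https://cdn.example.com" and "script-src 'self' https://*.securityonline.info", allows_url reports that https://cdn.example.com/app.js is permitted by the first policy alone but refused once both headers are present, which is exactly what a browser does. sha256_source gives you the hash expression to put in a policy for a fixed inline script, the usual alternative to 'unsafe-inline'.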
