Get a demo
AppSec with Zero Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Security Blog

Missing HTTP security headers: Avoidable risk, easy fix

- -

Missing HTTP security headers can leave websites and applications exposed to a variety of attacks. If the browser fails to enforce security measures due to missing security headers, apps can be far more vulnerable to attacks like cross-site scripting and clickjacking, increasing the risk of unauthorized access, sensitive data exposure, and further exploitation by malicious actors.

Missing HTTP security headers: Avoidable risk, easy fix

What are HTTP security headers?

HTTP security headers are a crucial part of web security, providing an additional layer of protection against common threats such as cross-site scripting (XSS), clickjacking, and content injection attacks. The term covers several different HTTP headers that instruct the browser how to behave safely when connecting to servers and handling site content. Using and correctly configuring the right headers can greatly enhance overall security by heading off entire classes of vulnerabilities.

Why are HTTP security headers important?

Security headers play a key role in defending web applications from attacks that exploit browser behavior. They can apply a variety of directives to ensure safe browsing across web pages, restrict access to subdomains, and manage referer policies to minimize data leakage. Among other things, headers can help modern browsers enforce HTTP Strict Transport Security (HSTS), control cross-origin requests (CORS), mitigate cross-site scripting attacks, and eliminate MIME type sniffing vulnerabilities. When properly defined and maintained, security headers are a vital part of implementing security policies to prevent unauthorized content from loading or restrict the execution of unexpected (and potentially malicious) scripts.

What is the risk of a missing HTTP security header?

When an HTTP security header is missing, an application may be more vulnerable to specific attack vectors. Here are some common risks associated with missing (or misconfigured) security headers:

  • Missing Content Security Policy (CSP) header: Without CSP to block unexpected content sources, an application may allow attackers to inject and execute malicious scripts in users’ browsers to perform cross-site scripting (XSS).
  • Missing CSP or X-Frame-Options header: If iframe content sources are not constrained, attackers could execute clickjacking attacks by embedding your site within an iframe and tricking users into performing unintended actions.
  • Missing X-Content-Type-Options header: Permissive MIME sniffing settings can be abused to trick the browser into incorrectly interpreting content types, leading to data exposure vulnerabilities.
  • Missing Strict-Transport-Security (HSTS) header: If HTTPS is not enforced by both the browser and server, user sessions could be downgraded to unencrypted HTTP, risking man-in-the-middle attacks and data exposure.
  • Missing Referrer-Policy header: In certain situations, exposing referrer data can pose a security and privacy risk by revealing the URL of a previous referring page.

Which security headers should I use?

The examples below use a typical subset of possible HTTP security headers, but the specific headers you need will depend on your specific use case. Different applications have different security and policy requirements, and the appropriate headers will vary based on the technologies and frameworks in use. If you’re seeing a warning about missing security headers, it will usually also tell you which header is missing or misconfigured.

As a general rule, HSTS and CSP are the two minimum must-have headers—one to enforce encryption and the other to cover the majority of content-related security requirements. For a detailed discussion of security headers, see our white paper on security headers and an in-depth blog post on why HTTP headers are an easy way to harden your applications.

How do I add HTTP security headers?

While HTTP headers can also be set at the application level, setting them on the server is the usual practice. Adding HTTP security headers depends on your web server and technology stack. Below are sample configuration file entries for common web servers, demonstrating some typical security header choices and values:

Apache

Edit the .htaccess or main configuration file:

Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx

Modify the server block in the nginx.conf file to improve security:

add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

IIS (Windows Server)

Edit the web.config file. Note that IIS may require a restart after modifying this file to apply changes, especially for older server versions.

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="Content-Security-Policy" value="default-src 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Node.js (Express)

As an example of adding security headers in the application, you can use the Helmet middleware to automatically set a range of security headers from your Express.js app. While Helmet applies default security settings, customization may be required for specific use cases to ensure compatibility with APIs, especially setting up CORS to handle cross-origin requests correctly and securely.

const helmet = require('helmet');
app.use(helmet());

How to check your security headers

You can verify whether your security headers are properly configured using the following methods:

  • DAST scanning: Use a vulnerability scanner for dynamic application security testing (DAST) to scan for missing and misconfigured HTTP security headers.
  • Browser developer tools: Open the browser’s developer console (F12 in most browsers) and check the Network tab for HTTP response headers.
  • Online security header checkers: Online tools are available that inspect site headers and provide recommendations.
  • cURL command: Simply open your terminal and run the command curl -I https://example.com to display the response headers.

Keep track of your HTTP security headers with Invicti

Implementing HTTP security headers can be an easy way to enhance web security, often requiring minimal or no modifications to the application itself. However, keeping up with evolving browser vendor support can be challenging, particularly when managing security configurations across numerous websites. Because security standards change frequently, ensuring your headers remain effective requires regular updates and monitoring.

To help maintain strong security, Invicti includes vulnerability checks that assess the presence and correctness of recommended HTTP security headers. These automated checks detect missing or improperly configured headers and provide clear guidance on how to optimize them. This ensures your web applications remain protected against emerging threats and you can quickly catch any gaps caused by new or modified deployments.

Start testing for security misconfigurations today

Frequently asked questions about missing security headers

How to fix the vulnerability “HTTP security header not detected”?

To fix this issue, determine which specific header is missing and add it to your web server configuration or application code. Use tools like curl, browser dev tools, or security scanners to verify the presence of essential headers.

How to fix a missing Content Security Policy header?

Define and implement a strict Content Security Policy (CSP) in your server settings. For example, in Apache, you could specify Header set Content-Security-Policy "default-src 'self'; script-src 'self'" to block loading scripts and other content from external sources.

Can I add security headers at the application level?

Yes, if your application is built with a framework such as Express.js, Django, or Flask, you can configure security headers within the application code using security-focused middleware.

What happens if I add too many restrictions?

Overly strict security headers may disrupt site functionality. For example, an overly restrictive X-XSS-Protection header can lead to unexpected behavior in web browsers, while a Content Security Policy (CSP) that blocks all inline scripts can prevent legitimate inline JavaScript from executing. Always test changes in a staging environment before deploying them to production. To test CSP directives before enforcing them, you can also use CSP in report-only mode.

Are security headers enough to protect my web application?

HTTP security headers are only one part of a defense-in-depth strategy (though an essential one) and must be combined with secure coding practices, vulnerability testing, and proper access controls.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.

Related Articles

Most Popular Articles