Introduction

This whitepaper explains how HTTP headers can be used in relation to web application security. It highlights the most commonly used HTTP headers and explains how each of them works in technical detail.

Headers are part of the HTTP specification and carry the metadata of a message in both the HTTP request and the HTTP response. While the HTTP message body is usually intended for the user, the metadata is processed by the web browser itself; headers have been part of the HTTP protocol since version 1.0.

In request messages, the metadata can hold the following information:

  • Language of the request
  • Cookies
  • Credentials for the website
  • Cache data

In response messages, the metadata can hold the following information:

  • Size and type of the content
  • Cache storage preferences
  • Server data
  • Time and date
  • Credentials to be set by the client

Security headers are HTTP response headers that define whether a set of security precautions should be activated or deactivated on the web browser.

Check Your Security Headers

HTTP security headers are a fundamental part of website security. HTTP security response headers allow a server to push additional security information to web browsers and govern how those browsers, and the visitors using them, are able to interact with your web application.
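As an added example (not code from the whitepaper), the following Python script parses a constructed raw HTTP/1.1 response and reports which security response headers it sets and which it omits; the list of headers it checks for is an assumption, since this introduction does not yet name the individual headers.

```python
from typing import Dict, List, Tuple

# Security response headers this check looks for (assumed set; see lead-in).
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)


def parse_response_headers(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are case-insensitive, so keys are lower-cased; a header
    that appears more than once is kept as a list in arrival order."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip a malformed line instead of failing the whole parse
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_security_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Report which of SECURITY_HEADERS the response sets and which it omits."""
    present = [h for h in SECURITY_HEADERS if h in headers]
    missing = [h for h in SECURITY_HEADERS if h not in headers]
    return {"present": present, "missing": missing}


# Constructed sample response; not captured from any real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc; HttpOnly; Secure\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    status, hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print(status)
    for state, names in audit_security_headers(hdrs).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

Run it against a response captured from your own server to see which of these headers are missing; a missing header leaves the corresponding browser-side precaution deactivated.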