mysiteishackable

// SECURITY GUIDE · HTTP HEADERS

HTTP Security Headers

// WHAT THEY ARE

HTTP security headers are directives your server sends with every response. They tell the browser how to behave: what scripts to trust, whether to allow iframes, how to handle MIME types. They cost nothing to add and block entire classes of attacks.

// WHY IT MATTERS

XSS attacks inject malicious scripts into your pages. Clickjacking embeds your site in an iframe and tricks users into clicking hidden buttons. MIME sniffing lets browsers execute files as a different type than intended. Headers stop all of these at the browser level. Before any damage is done.

// WHAT WE CHECK

[CRITICAL]
Content-Security-Policy: Defines which scripts, styles, and resources are allowed to load. A missing or weak CSP is the main XSS enabler. We flag unsafe-inline in script-src.
[HIGH]
Strict-Transport-Security: Forces browsers to use HTTPS for all future visits. Prevents SSL stripping attacks. Requires max-age ≥ 31536000 (1 year).
[HIGH]
X-Frame-Options: Prevents your site from being embedded in iframes. Stops clickjacking. Set to DENY or SAMEORIGIN.
[MEDIUM]
X-Content-Type-Options: Stops browsers from MIME-sniffing responses. Always set to nosniff.
[LOW]
Referrer-Policy: Controls how much URL information is sent in the Referer header. Recommended: strict-origin-when-cross-origin.
[LOW]
Permissions-Policy: Restricts browser features like camera, microphone, and geolocation. Reduces attack surface.

// HOW TO FIX: NEXT.JS

// next.config.ts
async headers() {
  return [{
    source: "/(.*)",
    headers: [
      { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
      { key: "X-Frame-Options", value: "DENY" },
      { key: "X-Content-Type-Options", value: "nosniff" },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
    ],
  }];
}

For CSP with Next.js, use a nonce-based approach via proxy.ts (middleware). See the Next.js CSP docs.

// HOW TO FIX: NGINX

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
→ SCAN YOUR SITE NOW