HTTP Security Headers Flashcards
1
Q
Explain the X-Permitted-Cross-Domain-Policies header
A
- specifies the policy for cross-domain data sharing
- can be used to control whether cross-domain requests are allowed or restricted, helping to prevent data leakage and cross-site request forgery (CSRF) attacks
2
Q
Explain the X-Download-Options header
A
- used to prevent Internet Explorer from executing HTML and executable files when downloaded from a web page
- helps protect against certain types of attacks that exploit file downloads
3
Q
Explain the X-Content-Security-Policy header
A
- similar to Content-Security-Policy (CSP) and allows web developers to define a policy for controlling content sources
- provides an additional layer of security for older browsers that do not support the CSP header
4
Q
Explain the X-Powered-By header
A
- used to hide or modify the server information typically sent by the server software
- prevents potential attackers from obtaining information about the server technology in use, reducing the risk of targeted attacks
5
Q
Explain the Expect-CT header
A
- enables websites to enforce Certificate Transparency (CT) for their SSL/TLS certificates
- instructs the browser to only accept certificates that are logged in publicly audited CT logs, reducing the risk of certificate misissuance or fraudulent certificates
6
Q
Explain the Feature-Policy header
A
- allows web developers to control and limit the features or APIs that a web page can access
- helps mitigate the risk of abuse or misuse of certain browser features that could be exploited by attackers
7
Q
Explain the Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) headers
A
- provide mechanisms to control cross-origin interactions and mitigate security risks associated with cross-origin communication and embedding