Cybersecurity

Cards (3)

  • X-Content-Type-Options:
    • Purpose: This header is designed to prevent browsers from interpreting files as a different MIME type than declared by the server.
    • Directive: X-Content-Type-Options: nosniff
    • Effect: It helps prevent MIME-sniffing attacks, in which a browser guesses a file's content type instead of honouring the Content-Type declared by the server.
  • X-Frame-Options:
    • Purpose: This header prevents a webpage from being embedded within an <iframe>. This helps to mitigate clickjacking attacks.
    • Directives:
      • DENY: The page cannot be displayed in a frame, regardless of the site trying to do so.
      • SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
      • ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.
    • Effect: It protects against attacks where an attacker tricks a user into clicking something different from what the user perceives.
  • X-XSS-Protection:
    • Purpose: This header is a basic protection against Cross-Site Scripting (XSS) attacks.
    • Directive: X-XSS-Protection: 1; mode=block
    • Effect: If a browser detects a potential XSS attack, it can sanitize the page by blocking the execution of malicious scripts.
    • Note: The mode=block directive ensures that the browser blocks the rendering of the page if an XSS attack is detected, providing an added layer of protection.