HTTP Security Headers & security.txt
Complete Guide to Web Security - Protecting Against Web Vulnerabilities with Security Headers
Why Security Headers Matter: Preventing Common Web Attacks
Security headers provide essential protection against clickjacking, MIME sniffing attacks, and information leakage. Missing security headers leave your website vulnerable to common attacks that are easy for attackers to exploit.
For government agencies, security headers are fundamental defenses against web attacks. security.txt provides a standard way for security researchers to report vulnerabilities, improving overall security.
What are Security Headers?
HTTP security headers are response headers that tell browsers how to handle web content and provide additional security controls. They protect against common web vulnerabilities like clickjacking, MIME type sniffing, and information leakage.
Security headers include:
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME type sniffing attacks
- Referrer-Policy: Controls referrer information leakage
- Content-Security-Policy: Controls resource loading (advanced)
X-Frame-Options
X-Frame-Options prevents clickjacking attacks by controlling whether your website can be embedded in frames (iframes). Clickjacking occurs when attackers embed your website in a malicious frame and trick users into clicking on elements they don't see.
X-Frame-Options Values
- DENY: Prevents any framing (recommended for government agencies)
- SAMEORIGIN: Allows framing only by same origin
- ALLOW-FROM: Deprecated, do not use
Recommended: Use DENY for maximum protection, or SAMEORIGIN if you need legitimate same-origin framing.
Example Header
X-Frame-Options: DENY
X-Content-Type-Options
X-Content-Type-Options: nosniff prevents MIME type sniffing attacks. Without this header, browsers may "sniff" file types and interpret files differently than their declared content type, allowing attackers to execute malicious scripts.
Example Header
X-Content-Type-Options: nosniff
Always use nosniff: it is the only defined value for this header and should always be set.
Referrer-Policy
Referrer-Policy controls how much referrer information is sent to other sites when users click links. This prevents information leakage that could expose sensitive URLs or user information.
Referrer-Policy Values
- no-referrer: Never send referrer information (most secure)
- strict-origin-when-cross-origin: Send full URL for same-origin, origin only for cross-origin (recommended)
- same-origin: Send referrer only for same-origin requests
- origin: Send only origin (scheme + host + port)
Recommended: Use strict-origin-when-cross-origin for a balance of security and functionality, or no-referrer for maximum security.
Example Header
Referrer-Policy: strict-origin-when-cross-origin
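The following script is an added example, not code from the original page: it evaluates a response's headers against the three recommendations above (DENY or SAMEORIGIN, nosniff, and a Referrer-Policy from the recommended set) and returns a list of findings. The two sample responses are constructed; in practice you would pass the header mapping returned by your HTTP client for a real response.

```python
"""Evaluate HTTP response headers against the recommendations above.

Added example; not part of the original page. The sample responses below are
constructed, not captured from any real site.
"""
from __future__ import annotations

# Values this check accepts for each header (per the recommendations above).
FRAME_OPTIONS_OK = {"DENY", "SAMEORIGIN"}
REFERRER_POLICY_OK = {
    "no-referrer",
    "strict-origin-when-cross-origin",
    "same-origin",
    "origin",
}


def _lower_keys(headers: dict[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means all three headers pass."""
    h = _lower_keys(headers)
    findings: list[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options uses deprecated ALLOW-FROM; use DENY or SAMEORIGIN")
    elif xfo.upper() not in FRAME_OPTIONS_OK:
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing: browsers may MIME-sniff responses")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options must be 'nosniff', got {xcto!r}")

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing: full URLs may leak to other sites")
    else:
        # The header may carry a comma-separated fallback list; the last policy
        # the browser understands wins, so the final token is the one to judge.
        policy = rp.split(",")[-1].strip().lower()
        if policy not in REFERRER_POLICY_OK:
            findings.append(
                f"Referrer-Policy {policy!r} is weaker than the recommended set "
                "(e.g. unsafe-url or no-referrer-when-downgrade send full URLs cross-origin)"
            )

    return findings


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "x-frame-options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or ["OK"])
```

The check normalises header names and values because servers and frameworks differ in casing, and it judges the last token of a comma-separated Referrer-Policy because browsers apply the last policy they recognise.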
security.txt (RFC 9116)
security.txt is a standard file (RFC 9116) that provides information for security researchers about how to report security vulnerabilities. It makes it easy for researchers to find your security contact information and reporting process.
security.txt Location
security.txt should be located at:
- /.well-known/security.txt (recommended)
- /security.txt (fallback, must redirect to /.well-known/security.txt)
security.txt Format
Contact: mailto:security@example.gov
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://example.gov/.well-known/security.txt
Policy: https://example.gov/security-policy
security.txt Fields
- Contact: Security contact email (required)
- Expires: Expiration date (required, maximum 1 year)
- Preferred-Languages: Preferred languages for reports
- Canonical: Canonical URL for security.txt
- Policy: URL to security policy
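As an added example (not code from the page or from RFC 9116's reference material), the script below parses a security.txt file in the format shown above and checks the rules listed: Contact present, Expires present exactly once, parseable, not in the past and at most 1 year out, Canonical matching the URL the file was served from, and HTTPS delivery. The sample file and the example.gov URLs are constructed; the served-from URL and the "now" timestamp are supplied by the caller so the check is deterministic.

```python
"""Parse and sanity-check a security.txt file against the rules above.

Added example; not part of the original page. The sample file below is
constructed and example.gov is a placeholder.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Contact forms accepted here: the mailto: form the page's example uses,
# plus https: and tel: URIs, which are also common.
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name (lower-cased) -> list of values, in file order.

    Lines starting with '#' are comments; blank lines are ignored; fields may repeat.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank, or malformed line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_timestamp(value: str) -> datetime | None:
    """Parse an ISO 8601 date-time (as used by Expires); trailing 'Z' means UTC."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate_security_txt(text: str, served_at: str | None = None,
                          now: datetime | None = None) -> list[str]:
    """Return findings; an empty list means the file passes these checks.

    served_at: URL the file was fetched from, compared against Canonical.
    now: injected for deterministic tests; defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings: list[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact missing (required)")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"Contact {c!r} is not a mailto:/https:/tel: URI")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        dt = parse_timestamp(expires[0])
        if dt is None:
            findings.append(f"Expires {expires[0]!r} is not an ISO 8601 date-time")
        elif dt <= now:
            findings.append("Expires is in the past: the file is stale and researchers may ignore it")
        elif dt - now > timedelta(days=365):
            findings.append("Expires is more than 1 year out (maximum 1 year)")

    canonical = fields.get("canonical", [])
    if served_at and canonical and served_at not in canonical:
        findings.append(f"Canonical {canonical} does not include the serving URL {served_at}")
    if served_at and not served_at.startswith("https://"):
        findings.append("security.txt must be served over HTTPS")

    return findings


# Constructed sample mirroring the format shown above.
SAMPLE = """\
# Security contact for example.gov (constructed sample)
Contact: mailto:security@example.gov
Expires: 2025-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://example.gov/.well-known/security.txt
Policy: https://example.gov/security-policy
"""
SERVED_AT = "https://example.gov/.well-known/security.txt"

if __name__ == "__main__":
    as_of = parse_timestamp("2025-06-01T00:00:00Z")
    print(validate_security_txt(SAMPLE, SERVED_AT, now=as_of) or ["OK"])
```

Run this against the file you actually serve, passing the URL you fetched it from, as part of the same periodic check that watches the headers; the Expires rule in particular means an unmonitored file silently goes stale within a year.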
Why Security Headers are Critical
For government agencies, security headers are fundamental defenses:
1. Prevents Clickjacking
X-Frame-Options prevents attackers from embedding your website in malicious frames, protecting users from clickjacking attacks.
2. Prevents MIME Sniffing Attacks
X-Content-Type-Options prevents browsers from incorrectly interpreting file types, preventing MIME sniffing attacks that could execute malicious code.
3. Prevents Information Leakage
Referrer-Policy controls how much information is leaked through referrer headers, protecting sensitive URLs and user information.
4. Enables Responsible Disclosure
security.txt makes it easy for security researchers to report vulnerabilities responsibly, improving overall security posture.
How to Implement Security Headers
Implementing security headers requires server configuration:
Apache Configuration
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Nginx Configuration
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
security.txt File
Create /.well-known/security.txt with your security contact information and ensure it's accessible over HTTPS.
How YesGov Ensures Security Headers are Properly Configured
YesGov handles all aspects of security header implementation for government agencies:
- Complete Configuration: We configure all required security headers
- security.txt Setup: We create and configure security.txt files
- Testing and Validation: We test security headers to ensure they work correctly
- Ongoing Monitoring: We monitor security header configuration and ensure it remains active
- Documentation: All security header configuration is documented for compliance and insurance purposes
How YesGov Ensures Complete Security Headers Protection
At YesGov, we don't just check if security headers are configured—we perform comprehensive validation of your entire security headers setup:
- Complete Configuration: We configure all required security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, etc.)
- security.txt Setup: We create and configure security.txt files for responsible disclosure
- Header Validation: We verify headers are properly set and have correct values
- Testing and Validation: We test security headers to ensure they work correctly
- Ongoing Monitoring: We continuously monitor security header configuration
- Documentation: All security header configuration is documented for compliance
When you host with YesGov, security headers are properly configured, continuously monitored, and automatically maintained. We handle header configuration, security.txt setup, and validation testing so you don't have to worry about web vulnerabilities. This is one of our comprehensive security checks that ensures your agency meets and exceeds federal, state, and industry standards.