ØxOPOSɆC Mɇɇtuᵽ - [0x31] - The Meet

Renato Rodrigues - @SiMpS0N - 01-03-2016

GET / HTTP/1.1
Host: 0xOPOSEC
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr;q=0.6
Cache-Control: no-cache
Pragma: no-cache
User-Agent: () { :;}; /bin/bash -c "whoami"

HTTP/1.1 200 OK

Security Headers

In Real Life...


In Short

HTTP message headers precisely describe the resource being fetched and the behaviour of the server or the client. Custom proprietary headers have traditionally been added with an 'X-' prefix (a convention RFC 6648 deprecated in 2012, though the headers below predate that and keep their names); standard headers are listed in an IANA registry whose original content was defined in RFC 4229.

HTTP headers are a core part of HTTP requests and responses: they carry information about the browser, the requested content, the server and much more. The response headers below are the ones a server can set to change how the browser treats the page.



Headers Description from



Sets the configuration for the reflected-XSS filter built into some browsers. The recommended value is "X-XSS-Protection: 1; mode=block", which blocks the page outright instead of trying to rewrite it (the rewriting mode has itself been abused to break pages). Caveat: this filter has since been removed from Chrome and Edge and was never implemented in Firefox, so treat the header as legacy hardening and rely on Content-Security-Policy for XSS mitigation.

X-XSS-Protection: 1; mode=block


Tells the browser whether your site may be rendered inside a frame. Preventing framing defends against clickjacking, where an attacker overlays your page with invisible controls. Valid values are DENY and SAMEORIGIN (the older ALLOW-FROM is not widely supported); the CSP frame-ancestors directive supersedes this header in current browsers, so set both.

X-Frame-Options: SAMEORIGIN


Stops the browser from MIME-sniffing the response and forces it to honour the declared Content-Type. This reduces the danger of drive-by downloads and of user-uploaded files being interpreted as HTML, and it also makes the browser refuse to execute scripts or stylesheets served with the wrong MIME type. The only valid value is "X-Content-Type-Options: nosniff".

X-Content-Type-Options: nosniff


Strengthens your TLS deployment by having the user agent enforce HTTPS for the host for max-age seconds: plain-HTTP requests are upgraded locally before they leave the browser, and certificate errors become fatal instead of click-through warnings. The header is only honoured when it arrives over a valid HTTPS connection. includeSubDomains extends the policy to every subdomain, and preload is the token required before you can submit the domain to the browsers' built-in preload lists, which also require includeSubDomains and a max-age of at least one year (31536000 seconds).

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload


An effective measure against several attacks, XSS above all. By allowlisting the sources of approved content, you stop the browser from loading malicious assets even when an injection succeeds. Keep 'unsafe-inline' out of script-src (it reopens most XSS), and roll the policy out first as Content-Security-Policy-Report-Only with a report-uri so you can see what breaks before enforcing it.

Content-Security-Policy: default-src 'self'; script-src 'self' ...

CSP Builder (Helper): 


Was designed to protect your site from MitM attacks using rogue X.509 certificates: by pinning the SPKI hashes the browser should trust, your users stay protected if a certificate authority is compromised. RFC 7469 requires at least two pins, one of them a backup key that is not in the served chain, because a mistaken pin set locks users out for the full max-age (the 600 seconds below is a test value). Caveat: Chrome and Firefox removed HPKP enforcement in 2019, so this header no longer protects users in current browsers.

Public-Key-Pins pin-sha256="t/OMbK...JM="; max-age=600; report-uri="..."

In Real Life

Apache (mod_headers must be enabled). Values that contain spaces or semicolons need double quotes: without them Apache treats the text after the first space as an extra argument to Header and strips the 'self' quotes from the CSP value. "always" also sends the header on non-2xx responses such as redirects and error pages, which is where HSTS otherwise goes missing.

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"

Put these in sites-enabled/website.conf (HSTS inside the HTTPS VirtualHost only) or in httpd.conf.


add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self'" always;
# Inside the server {} block that listens on 443 with ssl
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Edit $(NGINX-DIR)/nginx.conf. Two nginx gotchas: add_header directives are inherited from the enclosing level only when the current level defines none, so a location {} block that adds its own header silently drops every header set above it (repeat the full set there, or keep it in an include file); and the "always" parameter (nginx 1.7.5+) is needed for the headers to appear on error responses as well.
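As an added example (my code, not part of Renato's talk or slides), the recommendations from the header table and the Apache/nginx section can be folded into a small offline checker in the spirit of securityheaders.io. It audits a plain dict of response headers, as any HTTP client library would return them, so it needs no network access; the two header sets at the bottom are constructed for illustration, and the thresholds (one-year max-age, two pins, no 'unsafe-inline' in script sources) are the ones stated above.

```python
"""Offline audit of one HTTP response's security headers.

Added example: encodes the header recommendations above as checks and runs
them against a dict of headers. The WEAK and HARDENED sets are constructed,
not captured from any real site.
"""
import re

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this


def parse_directives(value):
    """'max-age=600; includeSubDomains' -> {'max-age': '600', 'includesubdomains': None}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if sep else None
    return out


def parse_csp(policy):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}."""
    out = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers, https=True):
    """Return findings as (severity, header, message); severity is 'warn' or 'info'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    f = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        f.append(("warn", "X-Frame-Options", "missing: the page can be framed (clickjacking)"))
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        f.append(("warn", "X-Frame-Options", f"non-standard value {xfo!r}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        f.append(("warn", "X-Content-Type-Options", "must be exactly 'nosniff'"))

    xss = h.get("x-xss-protection")
    if xss is not None and xss.startswith("1") and parse_directives(xss).get("mode") != "block":
        f.append(("info", "X-XSS-Protection", "enabled without mode=block: filter rewrites instead of blocking"))

    hsts = h.get("strict-transport-security")
    if https and hsts is None:
        f.append(("warn", "Strict-Transport-Security", "missing on an HTTPS response"))
    elif hsts is not None:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age") or "")
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            f.append(("warn", "Strict-Transport-Security", "max-age below one year (or unparsable)"))
        if "preload" in d and "includesubdomains" not in d:
            f.append(("warn", "Strict-Transport-Security", "preload requires includeSubDomains"))

    csp = h.get("content-security-policy")
    if csp is None:
        msg = ("only a Report-Only policy is set; nothing is enforced"
               if "content-security-policy-report-only" in h else "missing")
        f.append(("warn", "Content-Security-Policy", msg))
    else:
        p = parse_csp(csp)
        scripts = p.get("script-src", p.get("default-src"))  # script-src falls back to default-src
        if scripts is None:
            f.append(("warn", "Content-Security-Policy", "no script-src or default-src: scripts unrestricted"))
        else:
            lowered = [s.lower() for s in scripts]  # keyword sources are case-insensitive
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in lowered:
                    f.append(("warn", "Content-Security-Policy", f"script sources allow {bad}"))

    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        if len(pins) < 2:
            f.append(("warn", "Public-Key-Pins", "fewer than two pins; RFC 7469 requires a backup pin"))
        f.append(("info", "Public-Key-Pins", "browsers have dropped HPKP; a wrong pin set locks users out"))
    return f


def is_hardened(headers, https=True):
    """True when the audit raises no 'warn' findings."""
    return not any(sev == "warn" for sev, _, _ in audit_headers(headers, https))


# Constructed sample responses (not real captures); the pin value is a placeholder.
WEAK = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1",
    "Strict-Transport-Security": "max-age=600; preload",
    "Public-Key-Pins": 'pin-sha256="ZmFrZS1waW4tb25l"; max-age=600',
}
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: hardened={is_hardened(hdrs)}")
        for sev, header, msg in audit_headers(hdrs):
            print(f"  [{sev}] {header}: {msg}")
```

Run it as-is to see the two reports, or feed it `response.headers` from a real client. The WEAK set shows the failure modes worth remembering: a short max-age combined with preload, a single HPKP pin, and a CSP that exists only as Report-Only all pass a naive "is the header present" check but not this one.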




Enhance the security of a website by properly setting up some HTTP headers. 10-minute talk for the 0xOPOSEC Meetup.