Snippet #7: OWASP Useful HTTP Headers

If you develop and deploy web applications then security is on your mind.  When I want to understand a web security topic I go to OWASP.org, a community dedicated to enabling the world to create trustworthy web applications.


One of my favorite OWASP wiki pages is the list of useful HTTP headers. This page lists a few HTTP headers which, when added to the HTTP responses of an app, enhances its security practically for free. Let’s examine the list…

These headers can be added without concern that they affect application behavior:

  • X-XSS-Protection
    • Forces the enabling of cross-site scripting protection in the browser (useful when the protection may have been disabled)
  • X-Content-Type-Options
    • Prevents browsers from treating a response differently than the Content-Type header indicates

These headers may need some consideration before implementing:

  • Public-Key-Pins
    • Helps avoid *-in-the-middle attacks using forged certificates
  • Strict-Transport-Security
  • X-Frame-Options / Frame-Options
    • Used to avoid "clickjacking", but can break an application; usually you want this
  • Content-Security-Policy / X-Content-Security-Policy / X-Webkit-CSP
    • Provides a policy for how the browser renders an app, aimed at avoiding XSS
  • Content-Security-Policy-Report-Only
    • Similar to CSP above, but only reports, no enforcement


Here is a script that incorporates three of the above headers, which are generally safe to add to any application:

And that's it: About 20 lines of code to add 100 more bytes to the total HTTP response, and enhanced enhanced application security!  Go get your own FREE license and try it today!

Published Jun 11, 2015
Version 1.0

Was this article helpful?

2 Comments

  • Johnny_Schmidt_'s avatar
    Johnny_Schmidt_
    Historic F5 Account
    This is for LineRate, a software-only product that is completely separate from BIG-IP. iRules is a technology included in BIG-IP, separate from LineRate. That said, the following iRules commands do provide essentially the same functionality as above: when HTTP_RESPONSE { HTTP::header insert X-Frame-Options deny HTTP::header insert X-XSS-Protection 1; mode=block HTTP::header insert X-Content-Type-Options nosniff }