In addition to moving from HTTP to HTTPS, we had to make sure that we get the full benefit of SSL so the move is worth it. The next step after implementing SSL is to add SSL/HTTPS security headers to the web server.
Checking for SSL security headers is quite easy. Just go to securityheaders.io and enter your site. It will show you the score and what you need to do to raise it.
A higher score means higher security. Long gone is the hassle of battling clickjacking and other XSS attacks, because most up-to-date browsers support these security headers.
Before the changes, our site Zon ASIN Hunter had only a D score, but after implementing them it jumped to A+.
Why Use SSL/HTTPS Security Headers
Most of the benefit comes from making the most of browser technology. These headers let us enable and disable certain browser functions. Plain HTTP has many loopholes that can be exploited by outsiders.
If you have access to your server and can set the Apache/Nginx headers, you're good to go. If you don't have access, ask your network administrator to add these headers to the web server.
Using SSL/HTTPS security headers makes sure that you use the most current security technology, so your server is better protected and your users get a sense of security as well.
Types of SSL Security Headers
From securityheaders.io you can see six security headers you can set for your web server, including:
- Prevents other sites from loading yours in an iframe. It defends your site against attacks such as clickjacking and cookie stuffing.
- Protects your site from XSS attacks.
- Also protects against XSS attacks. It can also be used to control asset loading, so you have greater control over which data can be accessed only from the site itself and which data is public.
- Forces browsers to use TLS/SSL.
- Prevents users from downloading and uploading malicious content such as executables.
- Controls how referrer data is added to the browser's request information.
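As an added example that is not part of the original post, here is a small offline checker in the spirit of the securityheaders.io check described above. The header names are my mapping of the six descriptions in the list, the grading scale is my own simplification rather than the site's real scoring, and the two sample responses are constructed.

```python
# Added example (not from the original post): offline checker for the six
# headers securityheaders.io scored; names and thresholds are assumptions.

# Header -> minimal "is this value acceptable" check (assumed thresholds).
EXPECTED = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Frame-Options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "Referrer-Policy": lambda v: bool(v.strip()),
}

def parse_raw_headers(raw: str) -> dict:
    """Raw response headers (as printed by `curl -sI`) -> dict, status line skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(headers: dict) -> dict:
    """Return {header: 'ok' | 'weak' | 'missing'} for the six headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, check in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if check(value) else "weak"
    return report

def grade(headers: dict) -> str:
    """Letter grade: A+ when all six are ok, one step down per failure."""
    failures = sum(1 for s in audit(headers).values() if s != "ok")
    return ["A+", "A", "B", "C", "D", "E", "F"][failures]

# Constructed samples: a site with two headers set, and the same site after all six.
BEFORE = """HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
"""
AFTER = BEFORE + """Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
"""
```

Run `grade(parse_raw_headers(BEFORE))` and `grade(parse_raw_headers(AFTER))` to see the D-to-A+ jump on the constructed samples; `audit` tells you which header is missing or weak.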
Setting just SSL and HTTP security headers definitely doesn't protect your entire site; you still need to harden your server internally rather than relying only on new browsers to do the job.
Browser features are great and will improve over time. But inventing a better mousetrap is not your job; your job is to make a secure site on both the server and the browser side, so both benefit from the technology.
However, keep in mind that a lower score doesn't automatically mean the server is bad. There are many reasons not to set the suggested security headers, depending on how the site works.
If you're still not on HTTPS, or on the fence because certificates and server maintenance will cost you, weigh the cost/benefit ratio and decide whether you need SSL or not.
In the future, all sites will have to have SSL, and hopefully the cost to issue and maintain SSL certificates will be much lower than it used to be.