HTTP security headers

General

HTTP header

Estado

Strict-Transport-Security

Recomendado

Content-Security-Policy

Recomendado

X-Content-Type-Options

Recomendado

Content-Type

Recomendado

X-Frame-Options

Opcional según contexto

Referrer-Policy

Opcional según contexto

Cache-Control

Opcional según contexto

Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy

Content-Security-Policy: default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content

X-Content-Type-Options

X-Content-Type-Options: nosniff

Content-Type

Content-Type: application/json
Content-Type: application/xml

X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM <URI>

Referrer-Policy

Referrer-Policy: no-referrer

Cache-Control

Cache-Control: no-store

cURL

curl -I -L --url <target>

-I = headers.
-L = seguir redireccionamientos.
--url = URL (Uniform Resource Locator).
- <target> = objetivo.

Nmap

nmap -p 80,443 --script http-security-headers <target> -oN nmap-http-security-headers.txt

-p = puertos.
--script http-security-headers = HTTP security headers.
<target> = objetivo.

Nuclei

nuclei -u <target> -t http/misconfiguration/http-missing-security-headers.yaml -ts -silent

securityheaders

https://github.com/juerkkil/securityheaders

securityheaders.py <target>

shcheck

https://github.com/santoru/shcheck

shcheck.py -i -k <target>

Mozilla Observatory

https://observatory.mozilla.org/

OWASP Secure Headers Project

https://owasp.org/www-project-secure-headers/

Security Headers

https://securityheaders.com/

AnteriorTecnologías web SiguienteHTTP methods (verbs)

Última actualización hace 4 meses