Security Headers in HTTP
So in the last few years, security headers in HTTP/s have been becoming more and more important. Mozilla has been blogging about this since at least 2013. In more recent times a few projects have started popping up to help advise about and analyze these headers. Mozilla Observatory and Security Headers are the first two that jump to mind but many great sites will check them for you.
So what are HTTP headers
HTTP headers are built into the HTTP protocol and are normally handled at the server level, not in the code. However, it is possible to modify them via code. The HTTP RFC outlines them as such.
4.2 Message Headers
HTTP header fields, which include general-header (section 4.5), request-header (section 5.3), response-header (section 6.2), and entity-header (section 7.1) fields, follow the same generic format as that given in Section 3.1 of RFC 822 . Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive. The field value MAY be preceded by any amount of LWS, though a single SP is preferred. Header fields can be extended over multiple lines by preceding each extra line with at least one SP or HT. Applications ought to follow “common form”, where one is known or indicated, when generating HTTP constructs, since there might exist some implementations that fail to accept anything beyond the common forms.
How to add these headers to a Cloudflare site for free
So I am using Cloudflare as the CDN for my site and AWS S3 for the hosting. S3 is great but sadly it has no support for HTTP security headers. To get around this issue I have taken advantage of CloudFlare’s free tier worker that they have started providing and a great blog from Scott Helme. It is as easy as he makes it out to be, I will provide a quick list that proves how easy it is.
- Log in to the Cloudflare control panel
- Click on Workers
- Click “Launch Editor”
- Click “Add script” on the left
- Fill in the script name and save
- Click “edit” next to the name of the new script you created
- Paste in the code from Scott’s GitHub and save
- Click “Dashboard” in the top left to go back to the worker’s page
- Click “Add Route”
- Enter in your website URL and
/*at the end, then select you new worker from the drop-down, select save.
That’s it! Great HTTP security headers added to your site in 10 steps!
I will make some follow up posts about tuning the headers and the config I use for Cloudflare but wanted to get this up to say thanks to Scott for making life so easy!
Thanks for reading.