HTTP Headers of Note for Synergizing into a Cohesive Security Stratagem
You are tired, hungry, but you need to secure your site from yourself before you go out of control! Lucky for you, I was tired and hungry too, but not anymore! With my 12-step program you too can be secure and well fed!
COEP, COOP, CORP, & COPE
These 4 headers will help you deal with ShaÆSeer moving against your global defenses.
No one knows how they work, or what they do. I ran them through an AI called warm alcohol and this is what the AI responded with before shutting down for the night.
Cross-Origin-Embedder-Policy
Helps you control embedding other origins into your own origin. No one knows what this means.
Cross-Origin-Opener-Policy
Makes a new browsing context when you navigate to, or navigate from, a given origin that has the header. No one knows what this means.
Cross-Origin-Resource-Policy
I don't even know anymore. It's not even in the same specification. No one knows what this does either.
COPE
Cope is what I need to do when I read through HTTP specifications, but otherwise does not exist as a header.
Additional Reading
MDN's article on CORPs exists, but MDN is usually wrong. So read the specifications. Then give up 5 minutes later. Then copy the following and pretend you know what you are doing:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Permissions-Policy
Does not let you say "I don't want any permissions". I'm not going to type out each one; do it yourself. You can't even find a proper list of them. Horrible, 1/10 header.
Permissions-Policy: payment=(), picture-in-picture=()
Content-Security-Policy
The famous one. Have fun trying to find all the extra options for this header.
Content-Security-Policy: default-src 'none'; frame-ancestors 'none';
form-action 'none'; require-trusted-types-for 'script';
trusted-types; disown-opener; sandbox; base-uri 'none'
No, you can't wrap header values like that, don't do it.
Strict-Transport-Security
Also known as the number 1 way to lock yourself out of your website, HSTS facilitates forcing your site to be accessed over HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Will make your site never use HTTP again! Seriously.
X-Content-Type-Options
Much like my ex, there isn't much trust. If you want more trust, tell clients to trust you and to follow your Content-Type header and stop trying to be smart.
X-Content-Type-Options: nosniff
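An added example, not code from the post: a small Python audit that compares a response's headers against the values recommended above and flags the two slips the post itself warns about, quoted header values and a wrapped CSP. The sample responses are constructed for the example, not captured from any real site.

```python
import re

EXPECTED = {  # baseline: the values recommended in this post
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "x-content-type-options": "nosniff",
}
MIN_HSTS_AGE = 31536000  # one year, as in the post's HSTS example

def audit_headers(headers: dict) -> list:
    """Return findings for a response header map; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got != want and got.strip("'\"") == want:
            # Quotes are not valid header syntax here: the browser cannot parse
            # the value and silently falls back to the unsafe default.
            findings.append(f"{name}: value is quoted, use {want} without quotes")
        elif got != want:
            findings.append(f"{name}: expected {want}, got {got!r}")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"strict-transport-security: max-age missing or below {MIN_HSTS_AGE}")
    csp = h.get("content-security-policy", "")
    if "\n" in csp or "\r" in csp:  # wrapped values, as the post warns, are not legal
        findings.append("content-security-policy: value contains a line break")
    directives = {p.split()[0].lower() for p in csp.split(";") if p.strip()}
    if "default-src" not in directives:
        findings.append("content-security-policy: no default-src directive")
    return findings

# Constructed sample responses, not captured from any real site.
GOOD = {
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}
BAD = {  # quoted COEP and a wrapped CSP, the two slips shown in the post
    "Cross-Origin-Embedder-Policy": "'require-corp'",
    "Content-Security-Policy": "default-src 'none';\nframe-ancestors 'none'",
    "Strict-Transport-Security": "max-age=300",
}
```

Run `audit_headers(BAD)` to see the quoted value, the short max-age, the line break and the three missing headers reported together.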