Summer's Words

HTTP Headers of Note for Synergizing into a Cohesive Security Stratagem

You are tired, hungry, but you need to secure your site from yourself before you go out of control! Lucky for you, I was tired and hungry too, but not anymore! With my 12-step program you too can be secure and well fed!

COEP, COOP, CORP, & COPE

These 4 headers will help you deal with ShaÆSeer moving against your global defenses.

No one knows how they work, or what they do. I ran them through an AI called warm alcohol and this is what the AI responded with before shutting down for the night.

Cross-Origin-Embedder-Policy

Helps you control embedding other origins into your own origin. No one knows what this means.

Cross-Origin-Opener-Policy

Makes a new browsing context when you navigate to, or navigate from, a given origin that has the header. No one knows what this means.

Cross-Origin-Resource-Policy

I don't even know anymore. It's not even in the same specification. No one knows what this does either.

COPE

Cope is what I need to do when I read through HTTP specifications, but otherwise does not exist as a header.

Additional Reading

MDN's article on CORPs exists, but MDN is usually wrong. So read the specifications. Then give up 5 minutes later. Then copy the following and pretend you know what you are doing:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

Permissions-Policy

Does not allow saying "I don't want any permissions." I'm not going to type out each one; do it yourself. You can't even find a proper list of them. Horrible, 1/10 header.

Permissions-Policy: payment=(), picture-in-picture=()

Content-Security-Policy

The famous one. Have fun trying to find all the extra options for this header.

Content-Security-Policy: default-src 'none'; frame-ancestors 'none';
    form-action 'none'; require-trusted-types-for 'script';
    trusted-types; disown-opener; sandbox; base-uri 'none'

No, you can't wrap header values like that, don't do it.

Strict-Transport-Security

Also known as the number 1 way to lock yourself out of your website, HSTS facilitates forcing your site to be accessed over HTTPS.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Will make your site never use HTTP again! Seriously.

X-Content-Type-Options

Much like my ex, there isn't much trust. If you want more trust, tell clients to trust you and to follow your Content-Type header and stop trying to be smart.

X-Content-Type-Options: nosniff
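Since every section above ends in "copy this header and hope", here is a way to check that you actually got them right. This is an added example, not code from the post: it collects the recommended values from each section (COEP/COOP/CORP, Permissions-Policy, CSP, HSTS, X-Content-Type-Options) into one table, audits an arbitrary set of response headers against it, and wires the table into a stdlib `http.server` handler so you can see the headers on a real response. The COEP/COOP/CORP values are written as bare tokens (the quotes around them are a common copy-paste mistake that browsers reject); the CSP omits `disown-opener`, which was dropped from the spec before it shipped. The `audit_headers`, `parse_csp` and `parse_hsts` functions and the sample responses are constructed for this example.

```python
"""Audit HTTP response headers against the hardening values recommended
in this post. Added example; the header names and values come from the
post, the audit logic, server handler and sample inputs are constructed."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

# Recommended header set, as bare tokens (no quotes around COEP/COOP/CORP values).
RECOMMENDED: Dict[str, str] = {
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Permissions-Policy": "payment=(), picture-in-picture=()",
    "Content-Security-Policy": (
        "default-src 'none'; frame-ancestors 'none'; form-action 'none'; "
        "require-trusted-types-for 'script'; trusted-types; sandbox; base-uri 'none'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.
    Directives are ';'-separated; each is a name then whitespace-separated sources."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict (flags map to '')."""
    out: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # Single-token headers: present, unquoted, and equal to the recommended value.
    for name in ("Cross-Origin-Embedder-Policy", "Cross-Origin-Opener-Policy",
                 "Cross-Origin-Resource-Policy", "X-Content-Type-Options"):
        got = h.get(name.lower())
        if got is None:
            findings.append(f"{name} missing")
        elif got.strip("'\"") != got:
            findings.append(f"{name} value {got!r} is quoted; use a bare token")
        elif got.lower() != RECOMMENDED[name]:
            findings.append(f"{name} is {got!r}, expected {RECOMMENDED[name]!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if policy.get("default-src") != ["'none'"]:
            findings.append("CSP default-src should be 'none'")
        if policy.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors should be 'none' (framing protection)")
        for directive in ("script-src", "default-src"):
            if "'unsafe-inline'" in policy.get(directive, []):
                findings.append(f"CSP {directive} allows 'unsafe-inline'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        fields = parse_hsts(hsts)
        try:
            max_age = int(fields.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < 31536000:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in fields:
            findings.append("HSTS lacks includeSubDomains")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


class HardenedHandler(BaseHTTPRequestHandler):
    """Minimal handler that emits the recommended headers on every response."""
    def do_GET(self):
        body = b"<!doctype html><title>ok</title>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in RECOMMENDED.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed sample: quoted COOP value and a short HSTS max-age.
    sample = dict(RECOMMENDED, **{"Cross-Origin-Opener-Policy": "'same-origin'",
                                  "Strict-Transport-Security": "max-age=300"})
    for finding in audit_headers(sample):
        print(finding)
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()
```

Run it and `curl -sI http://127.0.0.1:8080/` to see the full header set; feed the headers of any response you are unsure about into `audit_headers` and it will tell you which of the copy-paste mistakes above you made.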
