OWASP Secure Headers Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Secure Headers Project
OWASP Secure Headers Project invovles setting headers from the server is easy and often doesn't require any code changes. Once set, they can restrict modern browsers from running into easily preventable vulnerabilities. Secure Headers intends to raise awareness and use of these headers.

Introduction
HTTP headers are well known and also despised. Seeking the balance between usability and security developers implement functionality through the headers that can make your more versatile or secure application. But in practice how the headers are being implemented? What sites follow the best implementation practices? Big companies, small, all or none?

Description
We aim to publish reports on header usage stats, developments and changes. Code libraries that make these headers easily accessible to developers on a range of platforms. Data sets concerning the general usage of these headers.

Licensing
OWASP Secure Headers is free to use. It is licensed under the Apache 2.0 license.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is the OWASP Secure Headers Project?
OWASP Secure Headers provides:


 * Security best practices for HTTP headers
 * A security scanner tool for HTTP response headers
 * Security references about HTTP headers

Project Leader
Ricardo Iramar

Related Projects

 * List of useful HTTP headers


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Links

 * hsecscan

Email List
Project Email List

News and Events

 * [14 Dec 2013] Reborning from the ashes

Classifications

 * }

=FAQs=


 * What is HTTP header?
 * HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.


 * Is there a standard for HTTP headers?
 * A core set of fields is standardized by the Internet Engineering Task Force (IETF) in RFCs 7230, 7231, 7232, 7233, 7234, and 7235. The permanent registry of header fields and repository of provisional registrations are maintained by the IANA. Additional field names and permissible values may be defined by each application. Non-standard header fields were conventionally marked by prefixing the field name with X- but this convention was deprecated in June 2012 because of the inconveniences it caused when non-standard fields became standard. An earlier restriction on use of Downgraded- was lifted in March 2013.

= Acknowledgements =

Volunteers
Secure Headers is developed by a worldwide team of volunteers. The primary contributors to date have been:


 * Jim Manico
 * xxx

Others

 * xxx
 * xxx

= Road Map and Getting Involved = As of April 2014, the priorities are:

Secure Headers intends to raise awareness and usage of headers sent by the server that can increase security. We'll aim to bring this about by:

1. Producing open source, easily implemented, well documented code libraries that enable these headers for a variety of platforms. We'll prioritize creating and publicizing Node.JS, PHP, Ruby, and Java, but will eventually reach out towards edge cases like Go, Python and others. The key is to make this accessible as possible to developers.

2. Creating a tool that allows the public to scan websites and view stats regarding these headers. The tool will feature: automated scanning of the top 1m sites on the web; filtering of said sites to view stats across industries and countries; published database dumps for public consumption/tools; scanning of individual sites; comparing multiple scanned sites.

3. Consistent reports regarding this secure headers, their usage, any changes to existing headers.

Involvement in the development and promotion of Secure Headers is actively encouraged! You do not have to be a security expert in order to contribute.

Some of the ways you can help:
 * xxx
 * xxx