The Content-Security-Policy (CSP) header is used in web security. What does it mainly help prevent?
Think about how websites control what scripts or content can run on their pages.
The Content-Security-Policy header tells the browser which sources of content are allowed. This helps stop attackers from injecting malicious scripts, a common method in cross-site scripting (XSS) attacks.
What effect does the Strict-Transport-Security (HSTS) header have on a user's browser?
Consider how browsers handle secure connections and what can happen if they switch to insecure ones.
HSTS tells browsers to only connect to the site using HTTPS for a set time. This stops attackers from tricking browsers into using insecure HTTP, which can be intercepted.
Given the HTTP header:
Referrer-Policy: no-referrer-when-downgrade
What does this header instruct the browser to do?
Think about what 'downgrade' means in terms of security protocols.
This policy sends the full referrer URL only when navigating to the same or a more secure protocol (like HTTPS to HTTPS). It blocks sending referrer information when moving from HTTPS to HTTP, to protect privacy.
Both X-Frame-Options and the frame-ancestors directive in Content-Security-Policy control framing of a webpage. Which statement correctly compares their capabilities?
Consider which header offers more detailed control over allowed framing sources.
X-Frame-Options is limited to 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM' with a single allowed domain. The frame-ancestors directive in CSP allows listing multiple domains and wildcards, offering finer control over who can embed the page.
What security risk does setting X-Content-Type-Options: nosniff help prevent?
Think about how browsers handle files when the declared content type might be incorrect or missing.
Without this header, browsers may try to guess the file type and treat a file as a script or stylesheet even when it was declared as something else, which can be harmful. Setting 'nosniff' stops this guessing, reducing risks like drive-by downloads or XSS.