HTTP security headers in Cybersecurity - Practice Problems & Coding Challenges

Challenge - 5 Problems
📋 Factual
intermediate
What is the primary purpose of the Content-Security-Policy header?

The Content-Security-Policy (CSP) header is used in web security. What does it mainly help prevent?

A. It restricts the sources from which a browser can load resources to prevent cross-site scripting attacks.
B. It encrypts the data sent between the browser and server to prevent eavesdropping.
C. It forces the browser to only use HTTPS connections for all requests.
D. It hides the server software version to prevent targeted attacks.
💡 Hint

Think about how websites control what scripts or content can run on their pages.

🧠 Conceptual
intermediate
How does the Strict-Transport-Security header improve security?

What effect does the Strict-Transport-Security (HSTS) header have on a user's browser?

A. It tells the browser to always use HTTPS for future requests to the site, preventing downgrade attacks.
B. It blocks all cookies from being sent to the server to protect privacy.
C. It disables JavaScript execution on the website to prevent malicious scripts.
D. It forces the browser to clear its cache when visiting the site.
💡 Hint

Consider how browsers handle secure connections and what can happen if they switch to insecure ones.

🔍 Analysis
advanced
Identify the effect of the following header on browser behavior

Given the HTTP header:

Referrer-Policy: no-referrer-when-downgrade

What does this header instruct the browser to do?

A. Always send the full URL as referrer, even when moving to less secure sites.
B. Never send any referrer information regardless of the destination.
C. Send only the origin part of the URL as referrer for all requests.
D. Send the full URL as referrer only when navigating to the same or more secure protocol, but not when going to less secure sites.
💡 Hint

Think about what 'downgrade' means here: a request or navigation from an HTTPS page to an HTTP destination. Note that no-referrer-when-downgrade was the historical browser default; current browsers default to strict-origin-when-cross-origin, which additionally trims cross-origin referrers to the origin. Set the policy explicitly if paths or query strings must not leak to third parties.

Comparison
advanced
Compare X-Frame-Options and Content-Security-Policy frame-ancestors directives

Both X-Frame-Options and the frame-ancestors directive in Content-Security-Policy control framing of a webpage. Which statement correctly compares their capabilities?

A. X-Frame-Options can specify multiple domains, but frame-ancestors only allows a single domain.
B. Both headers are deprecated and have no effect on modern browsers.
C. X-Frame-Options supports only a few fixed options, while frame-ancestors allows specifying multiple allowed domains and is more flexible.
D. frame-ancestors only works in Internet Explorer, while X-Frame-Options works in all browsers.
💡 Hint

Consider which header offers more detailed control over allowed framing sources. X-Frame-Options understands only DENY and SAMEORIGIN (ALLOW-FROM was never widely supported and is now ignored), while frame-ancestors takes a full source list. When both headers are present, browsers that support frame-ancestors enforce it and ignore X-Frame-Options, so the two must not contradict each other.

Reasoning
expert
Why might setting the X-Content-Type-Options header to 'nosniff' be critical?

What security risk does setting X-Content-Type-Options: nosniff help prevent?

A. It encrypts the content to prevent interception during transmission.
B. It stops browsers from guessing (sniffing) the MIME type from the response bytes, so a response declared as, say, text/plain cannot be interpreted as a script or stylesheet; this blocks attacks that smuggle executable content under a harmless-looking type or extension.
C. It disables all inline scripts on the webpage to block cross-site scripting.
D. It forces the browser to cache all content for faster loading.
💡 Hint

Think about how browsers handle files when the declared content type might be incorrect or missing.

Practice

1. Which HTTP security header helps prevent your website from being embedded in frames or iframes on other sites to avoid clickjacking attacks?
easy
A. X-Frame-Options
B. Strict-Transport-Security
C. Content-Security-Policy
D. Cache-Control

Solution

  1. Step 1: Understand the purpose of X-Frame-Options

    This header tells browsers whether your site can be shown inside frames or iframes, which helps prevent clickjacking.
  2. Step 2: Compare with other headers

    Strict-Transport-Security enforces HTTPS and Cache-Control manages caching; neither affects framing. Content-Security-Policy can block framing, but only through an explicit frame-ancestors directive (default-src does not cover it), so the header whose sole job is framing control, and the intended answer here, is X-Frame-Options.
  3. Final Answer:

    X-Frame-Options -> Option A
  4. Quick Check:

    Clickjacking protection = X-Frame-Options [OK]
Hint: Frames blocked by X-Frame-Options header [OK]
Common Mistakes:
  • Confusing Strict-Transport-Security with frame protection
  • Thinking Content-Security-Policy blocks framing by default
  • Assuming Cache-Control affects framing
2. Which of the following is the correct syntax to set the Strict-Transport-Security header to enforce HTTPS for one year?
easy
A. Strict-Transport-Security: max-age=3600
B. Strict-Transport-Security: secure=yes
C. Strict-Transport-Security: enable=true
D. Strict-Transport-Security: max-age=31536000

Solution

  1. Step 1: Recall the max-age value meaning

    max-age is the number of seconds, counted from the last time the browser saw the header, during which it must use HTTPS for the host. One year is 365 * 24 * 60 * 60 = 31,536,000 seconds.
  2. Step 2: Check the options for correct syntax

    Option D sets max-age=31536000, which is one year. max-age=3600 is only one hour, and secure=yes and enable=true are not HSTS directives: RFC 6797 defines max-age and includeSubDomains, and preload is a de facto extension required by the browser preload list. In production the header is usually max-age=31536000; includeSubDomains, but roll it out with a short max-age first, because a mistake (a subdomain that cannot serve HTTPS, for instance) locks users out for the whole period.
  3. Final Answer:

    Strict-Transport-Security: max-age=31536000 -> Option D
  4. Quick Check:

    One year max-age = 31536000 seconds [OK]
Hint: One year in seconds is 31536000 for max-age [OK]
Common Mistakes:
  • Using max-age=3600 which is only one hour
  • Using invalid parameters like enable or secure
  • Confusing max-age units (seconds vs minutes)
3. Given this HTTP response header:
Content-Security-Policy: default-src 'self'; img-src https://images.example.com;
What will happen if the webpage tries to load an image from https://cdn.example.com/pic.jpg?
medium
A. The image will be blocked by the browser.
B. The entire page will fail to load.
C. The image will load successfully.
D. The browser will ignore the Content-Security-Policy header.

Solution

  1. Step 1: Analyze the Content-Security-Policy rules

    default-src 'self' is the fallback for every fetch directive that is not set explicitly. img-src is set, so for images it replaces the fallback rather than adding to it: only https://images.example.com is allowed, and the page's own origin is no longer an allowed image source unless 'self' is repeated inside img-src.
  2. Step 2: Check the image source against allowed domains

    https://cdn.example.com does not match img-src, so the browser blocks that one image, logs a CSP violation in the console (and sends a report if report-to or report-uri is configured), and renders the rest of the page normally.
  3. Final Answer:

    The image will be blocked by the browser. -> Option A
  4. Quick Check:

    Image source not in img-src whitelist = blocked [OK]
Hint: Only allowed domains in img-src load images [OK]
Common Mistakes:
  • Assuming default-src still applies to images once img-src is set
  • Thinking browser ignores CSP headers
  • Believing the whole page fails if one image blocked
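The evaluation above, and the default-src fallback behind challenge question 1 and the frame-ancestors comparison in question 4, can be worked through in code. The following Node.js script is an added example, not code from the original page or from any browser: it models only directive parsing (first occurrence of a directive wins, as in CSP3), the default-src fallback for fetch directives, and 'self', 'none', scheme and host source matching. Nonces, hashes, redirects and 'strict-dynamic' are left out, and the document origin https://www.example.com is an assumption for the sake of the example.

```javascript
// Added example: a teaching model of CSP source matching, not browser code.

// Fetch directives fall back to default-src when absent. Document
// directives such as frame-ancestors deliberately do NOT.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src", "child-src", "worker-src",
  "manifest-src",
]);

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "directive src src; directive src" into a Map of directive -> sources.
// CSP3: if a directive name repeats, the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const chunk of header.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression match `url` for a document served from `documentOrigin`?
function matchesSource(expr, url, documentOrigin) {
  const u = new URL(url);
  const doc = new URL(documentOrigin);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === doc.origin;
  if (lower === "*") {
    return ["http:", "https:", "ws:", "wss:", "ftp:"].includes(u.protocol) || u.protocol === doc.protocol;
  }
  if (lower.startsWith("'")) return false;                              // nonces/hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return u.protocol === lower;  // scheme-source, e.g. "https:"

  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];

  // No scheme in the expression: the document's own scheme matches, and an
  // http document may also load https (the secure-upgrade exception).
  if (scheme) {
    if (u.protocol !== scheme) return false;
  } else if (u.protocol !== doc.protocol && !(doc.protocol === "http:" && u.protocol === "https:")) {
    return false;
  }

  if (host.startsWith("*.")) {
    if (!u.hostname.endsWith(host.slice(1))) return false;   // "*.example.com" needs a real subdomain
  } else if (host !== "*" && u.hostname !== host) {
    return false;
  }

  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  if (port === undefined) {
    if (u.port !== "") return false;                          // no port-part: URL must use the default port
  } else if (port !== "*" && port !== urlPort) {
    return false;
  }

  if (path) {
    if (path.endsWith("/") ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Is a load governed by `directive` (e.g. "img-src") allowed for `url`?
function isAllowed(header, directive, url, documentOrigin) {
  const policy = parsePolicy(header);
  let sources = policy.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) {
    sources = policy.get("default-src");   // the fallback applies only to fetch directives
  }
  if (sources === undefined) return true;  // nothing in the policy restricts this load
  return sources.some((s) => matchesSource(s, url, documentOrigin));
}

// The policy from the problem above, evaluated for a document on the assumed origin.
const POLICY = "default-src 'self'; img-src https://images.example.com;";
const ORIGIN = "https://www.example.com";
console.log(isAllowed(POLICY, "img-src", "https://cdn.example.com/pic.jpg", ORIGIN));    // false: blocked
console.log(isAllowed(POLICY, "img-src", "https://images.example.com/pic.jpg", ORIGIN)); // true
console.log(isAllowed(POLICY, "img-src", "https://www.example.com/pic.jpg", ORIGIN));    // false: img-src replaced 'self'
console.log(isAllowed(POLICY, "script-src", "https://www.example.com/app.js", ORIGIN));  // true: falls back to default-src
console.log(isAllowed(POLICY, "frame-ancestors", "https://attacker.example", ORIGIN));  // true: no fallback, framing unrestricted
```

Run it with node; the last line is the point of challenge question 4 in code: a policy that only sets default-src leaves framing unrestricted, because frame-ancestors is a document directive with no fallback.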
4. A website sets the header X-Content-Type-Options: nosniff but users report some images are not displaying. What is the most likely cause?
medium
A. The images are blocked by Content-Security-Policy.
B. The browser does not support the nosniff option.
C. The server is sending incorrect MIME types for images.
D. The Strict-Transport-Security header is missing.

Solution

  1. Step 1: Understand the effect of X-Content-Type-Options: nosniff

    This header tells browsers to trust the declared MIME type and not guess the content type.
  2. Step 2: Identify why images might not display

    If the server labels the images with a wrong or missing Content-Type (for example text/plain for a PNG), nosniff tells the browser not to recover by sniffing the bytes. The Fetch standard only mandates nosniff blocking for script and style destinations, and browsers have differed on mislabeled images, so the symptom can vary by browser; the fix is the same everywhere: serve images with their correct MIME type.
  3. Final Answer:

    The server is sending incorrect MIME types for images. -> Option C
  4. Quick Check:

    nosniff blocks mismatched MIME types [OK]
Hint: nosniff blocks wrong MIME types from loading [OK]
Common Mistakes:
  • Blaming browser support instead of server MIME types
  • Confusing CSP blocking with nosniff effects
  • Thinking missing Strict-Transport-Security causes image issues
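The nosniff decision itself is short enough to write down. The Node.js script below is an added example, not code from the original page or from any browser: it follows the Fetch standard's "should response to request be blocked due to nosniff?" check, which blocks script-like destinations unless the Content-Type is a JavaScript MIME type and blocks style destinations unless it is text/css, and leaves every other destination (images included) to the browser's own sniffing rules. The header sets passed in at the bottom are constructed for the example.

```javascript
// Added example: the Fetch standard's nosniff rule, applied to constructed headers.

// JavaScript MIME types as listed by the MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Request destinations the standard treats as "script-like".
const SCRIPT_LIKE = new Set([
  "script", "worker", "sharedworker", "serviceworker", "audioworklet", "paintworklet",
]);

// Lower-case header names so lookups are case-insensitive, as they are on the wire.
function normalize(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// The "essence" of a Content-Type: type/subtype without parameters. Returns null
// when the header is absent or unparseable (what the standard calls "failure").
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s/]+\/[^\s/]+$/.test(essence) ? essence : null;
}

// nosniff is in effect only when the first value of X-Content-Type-Options is
// "nosniff" (ASCII case-insensitive); anything else, including a typo, disables it.
function hasNosniff(headers) {
  const v = headers["x-content-type-options"];
  return typeof v === "string" && v.split(",")[0].trim().toLowerCase() === "nosniff";
}

// true when the browser must refuse to use this response for `destination`.
function blockedByNosniff(destination, rawHeaders) {
  const headers = normalize(rawHeaders);
  if (!hasNosniff(headers)) return false;
  const essence = mimeEssence(headers["content-type"]);
  if (SCRIPT_LIKE.has(destination)) return essence === null || !JAVASCRIPT_MIME_TYPES.has(essence);
  if (destination === "style") return essence !== "text/css";
  return false; // images, fonts, media and documents are outside this rule
}

// Constructed responses: an uploaded "avatar" that is really JavaScript, served
// with a generic type, with and without the header.
const uploadedAsText = { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" };
console.log(blockedByNosniff("script", uploadedAsText));                    // true
console.log(blockedByNosniff("script", { "Content-Type": "text/plain" }));  // false: nothing in this rule stops it
console.log(blockedByNosniff("script", {
  "Content-Type": "text/javascript; charset=utf-8", "X-Content-Type-Options": "nosniff",
}));                                                                        // false: correct type
console.log(blockedByNosniff("image", uploadedAsText));                     // false: images are not covered
```

The "image" case is the caveat from problem 4: the rule the standard mandates says nothing about images, so whether a mislabeled image still renders depends on the browser's sniffing, which is why correct server MIME types, not the header, are the real fix.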
5. You want to improve your website's security by enforcing HTTPS and preventing clickjacking. Which combination of HTTP headers should you set?
hard
A. Content-Security-Policy and Cache-Control
B. Strict-Transport-Security and X-Frame-Options
C. X-Content-Type-Options and Content-Security-Policy
D. Cache-Control and Strict-Transport-Security

Solution

  1. Step 1: Identify header for enforcing HTTPS

    Strict-Transport-Security tells browsers to use HTTPS only for the host for the max-age period and to treat certificate errors as fatal rather than bypassable. Browsers honour it only when it arrives over HTTPS, so it belongs on the HTTPS response, not on the HTTP-to-HTTPS redirect.
  2. Step 2: Identify header for preventing clickjacking

    X-Frame-Options prevents the site from being framed, stopping clickjacking attacks.
  3. Step 3: Evaluate other options

    Content-Security-Policy can stop framing, but only with an explicit frame-ancestors directive, and its upgrade-insecure-requests directive only rewrites URLs inside a page that has already been delivered; it does not make the browser connect over HTTPS on future visits the way HSTS does. Option C also omits HSTS entirely. Cache-Control manages caching, not transport security or framing.
  4. Final Answer:

    Strict-Transport-Security and X-Frame-Options -> Option B
  5. Quick Check:

    HTTPS + clickjacking protection = Strict-Transport-Security + X-Frame-Options [OK]
Hint: Use Strict-Transport-Security + X-Frame-Options for HTTPS and framing [OK]
Common Mistakes:
  • Confusing Cache-Control as security header
  • Assuming any Content-Security-Policy prevents clickjacking; only one with frame-ancestors does, and option C pairs it with nothing that enforces HTTPS
  • Ignoring HTTPS enforcement in header choice
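The checks behind problems 1, 2, 4 and 5 fit in one audit routine. The Node.js script below is an added example, not code from the original page or from any scanner: parseHsts follows the directive grammar of RFC 6797 (max-age is mandatory, directive names are case-insensitive, unknown directives are ignored, a repeated directive invalidates the header), and auditHeaders applies the conclusions of the problems above. The one-year threshold, the preload rule (includeSubDomains plus max-age of at least one year) and the wording of the findings are this example's own choices, and the two header sets at the bottom are constructed.

```javascript
// Added example: audit the headers discussed in these problems.

const ONE_YEAR = 31536000; // seconds, the max-age from problem 2

// Parse a Strict-Transport-Security value. valid=false means a browser
// would ignore the header (no usable max-age, or a directive given twice).
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false, valid: true };
  const seen = new Set();
  for (const part of value.split(";")) {
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const raw = eq === -1 ? undefined : part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (!name) continue;
    if (seen.has(name)) { out.valid = false; continue; } // RFC 6797: duplicates invalidate the header
    seen.add(name);
    if (name === "max-age") {
      if (!/^\d+$/.test(raw ?? "")) { out.valid = false; continue; }
      out.maxAge = Number(raw);
    } else if (name === "includesubdomains") {
      out.includeSubDomains = true;
    } else if (name === "preload") {
      out.preload = true;
    }
  }
  if (out.maxAge === null) out.valid = false;
  return out;
}

// Returns a list of findings; an empty list means the three protections are in place.
function auditHeaders(rawHeaders) {
  const h = Object.fromEntries(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // 1. HTTPS enforcement (problems 2 and 5)
  const hstsValue = h["strict-transport-security"];
  if (hstsValue === undefined) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const hsts = parseHsts(hstsValue);
    if (!hsts.valid) {
      findings.push("Strict-Transport-Security is malformed; browsers ignore it (max-age=<seconds> is required)");
    } else {
      if (hsts.maxAge < ONE_YEAR) {
        findings.push(`Strict-Transport-Security max-age=${hsts.maxAge} is below one year (${ONE_YEAR})`);
      }
      if (hsts.preload && !(hsts.includeSubDomains && hsts.maxAge >= ONE_YEAR)) {
        findings.push("preload requires includeSubDomains and max-age of at least one year");
      }
    }
  }

  // 2. Clickjacking (problems 1 and 5): X-Frame-Options or CSP frame-ancestors
  const xfo = (h["x-frame-options"] ?? "").trim().toUpperCase();
  const csp = h["content-security-policy"] ?? "";
  const hasFrameAncestors = /(^|;)\s*frame-ancestors(\s|;|$)/i.test(csp);
  if (!xfo && !hasFrameAncestors) {
    findings.push("no clickjacking protection: set X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors (default-src does not cover framing)");
  } else if (xfo && xfo !== "DENY" && xfo !== "SAMEORIGIN") {
    findings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN; ALLOW-FROM is obsolete and ignored by current browsers`);
  }

  // 3. MIME sniffing (problem 4)
  if ((h["x-content-type-options"] ?? "").trim().toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  return findings;
}

// Constructed header sets: the hardened combination problem 5 asks for, and a
// weak one with a one-hour HSTS and a CSP that never mentions framing.
const hardened = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
};
const weak = {
  "Strict-Transport-Security": "max-age=3600",
  "Content-Security-Policy": "default-src 'self'",
};
console.log(auditHeaders(hardened)); // []
console.log(auditHeaders(weak));     // three findings: short max-age, no framing control, no nosniff
```

Point it at the headers from a real response (for example, the object from a fetch or a curl -I dump parsed into key/value pairs) to get the same three verdicts the problems above ask for.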