HTTP security headers in Cybersecurity - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of HTTP security headers?
HTTP security headers help protect websites and users by instructing browsers how to behave securely, such as preventing attacks or data leaks.
intermediate
What does the Content-Security-Policy (CSP) header do?
CSP controls which resources (like scripts or images) a browser is allowed to load, helping to prevent attacks like cross-site scripting (XSS).
beginner
Explain the role of the Strict-Transport-Security (HSTS) header.
HSTS tells browsers to only connect to a website using HTTPS, which keeps data encrypted and safe from eavesdropping.
intermediate
What does the X-Frame-Options header protect against?
It prevents a website from being shown inside a frame or iframe on another site, protecting against clickjacking attacks.
intermediate
Why is the X-Content-Type-Options header important?
It stops browsers from guessing the type of content, which helps prevent some types of attacks by ensuring files are treated as intended.
Which HTTP header forces browsers to use HTTPS connections only?
A. Strict-Transport-Security
B. Content-Security-Policy
C. X-Frame-Options
D. X-Content-Type-Options
What attack does the Content-Security-Policy header mainly help prevent?
A. Cross-Site Scripting (XSS)
B. SQL Injection
C. Phishing
D. Denial of Service
Which header helps prevent clickjacking by controlling framing?
A. X-Content-Type-Options
B. Strict-Transport-Security
C. X-Frame-Options
D. Content-Security-Policy
What does the X-Content-Type-Options header do?
A. Prevents framing
B. Enforces HTTPS
C. Blocks scripts from unknown sources
D. Prevents MIME type sniffing
Which header would you use to specify allowed sources for scripts and images?
A. X-Frame-Options
B. Content-Security-Policy
C. Strict-Transport-Security
D. X-Content-Type-Options
Describe the main HTTP security headers and their roles in protecting a website.
Think about how each header helps stop a specific type of attack or risk.
Explain why using HTTP security headers is important for website security.
Consider the benefits of instructing browsers on safe behavior.

      Practice

      1. Which HTTP security header helps prevent your website from being embedded in frames or iframes on other sites to avoid clickjacking attacks?
      easy
      A. X-Frame-Options
      B. Strict-Transport-Security
      C. Content-Security-Policy
      D. Cache-Control

      Solution

      1. Step 1: Understand the purpose of X-Frame-Options

        This header tells browsers whether your site can be shown inside frames or iframes, which helps prevent clickjacking.
      2. Step 2: Compare with other headers

        Strict-Transport-Security enforces HTTPS, Content-Security-Policy controls resource loading, and Cache-Control manages caching; none of them prevents framing.
      3. Final Answer:

        X-Frame-Options -> Option A
      4. Quick Check:

        Clickjacking protection = X-Frame-Options [OK]
      Hint: Frames blocked by X-Frame-Options header [OK]
      Common Mistakes:
      • Confusing Strict-Transport-Security with frame protection
      • Thinking Content-Security-Policy blocks framing by default
      • Assuming Cache-Control affects framing
      2. Which of the following is the correct syntax to set the Strict-Transport-Security header to enforce HTTPS for one year?
      easy
      A. Strict-Transport-Security: max-age=3600
      B. Strict-Transport-Security: secure=yes
      C. Strict-Transport-Security: enable=true
      D. Strict-Transport-Security: max-age=31536000

      Solution

      1. Step 1: Recall the max-age value meaning

        max-age is the time in seconds the browser should enforce HTTPS. One year equals 31,536,000 seconds.
      2. Step 2: Check the options for correct syntax

        Strict-Transport-Security: max-age=31536000 sets max-age to 31536000 seconds, which is one year. The other options use a wrong value or directives that do not exist.
      3. Final Answer:

        Strict-Transport-Security: max-age=31536000 -> Option D
      4. Quick Check:

        One year max-age = 31536000 seconds [OK]
      Hint: One year in seconds is 31536000 for max-age [OK]
      Common Mistakes:
      • Using max-age=3600 which is only one hour
      • Using invalid parameters like enable or secure
      • Confusing max-age units (seconds vs minutes)
      3. Given this HTTP response header:
      Content-Security-Policy: default-src 'self'; img-src https://images.example.com;
      What will happen if the webpage tries to load an image from https://cdn.example.com/pic.jpg?
      medium
      A. The image will be blocked by the browser.
      B. The entire page will fail to load.
      C. The image will load successfully.
      D. The browser will ignore the Content-Security-Policy header.

      Solution

      1. Step 1: Analyze the Content-Security-Policy rules

        default-src 'self' allows resources only from the same origin. img-src allows images only from https://images.example.com.
      2. Step 2: Check the image source against allowed domains

        https://cdn.example.com is not allowed by img-src, so the browser blocks the image.
      3. Final Answer:

        The image will be blocked by the browser. -> Option A
      4. Quick Check:

        Image source not in img-src whitelist = blocked [OK]
      Hint: Only allowed domains in img-src load images [OK]
      Common Mistakes:
      • Assuming default-src allows all images
      • Thinking browser ignores CSP headers
      • Believing the whole page fails if one image blocked
      4. A website sets the header X-Content-Type-Options: nosniff but users report some images are not displaying. What is the most likely cause?
      medium
      A. The images are blocked by Content-Security-Policy.
      B. The browser does not support the nosniff option.
      C. The server is sending incorrect MIME types for images.
      D. The Strict-Transport-Security header is missing.

      Solution

      1. Step 1: Understand the effect of X-Content-Type-Options: nosniff

        This header tells browsers to trust the declared MIME type and not guess the content type.
      2. Step 2: Identify why images might not display

        If the server sends wrong MIME types for images, browsers will block them due to nosniff enforcement.
      3. Final Answer:

        The server is sending incorrect MIME types for images. -> Option C
      4. Quick Check:

        nosniff blocks mismatched MIME types [OK]
      Hint: nosniff blocks wrong MIME types from loading [OK]
      Common Mistakes:
      • Blaming browser support instead of server MIME types
      • Confusing CSP blocking with nosniff effects
      • Thinking missing Strict-Transport-Security causes image issues
      5. You want to improve your website's security by enforcing HTTPS and preventing clickjacking. Which combination of HTTP headers should you set?
      hard
      A. Content-Security-Policy and Cache-Control
      B. Strict-Transport-Security and X-Frame-Options
      C. X-Content-Type-Options and Content-Security-Policy
      D. Cache-Control and Strict-Transport-Security

      Solution

      1. Step 1: Identify header for enforcing HTTPS

        Strict-Transport-Security tells browsers to use HTTPS only, improving connection security.
      2. Step 2: Identify header for preventing clickjacking

        X-Frame-Options prevents the site from being framed, stopping clickjacking attacks.
      3. Step 3: Evaluate other options

        Content-Security-Policy controls resource loading but does not enforce HTTPS or prevent framing alone. Cache-Control manages caching, not security.
      4. Final Answer:

        Strict-Transport-Security and X-Frame-Options -> Option B
      5. Quick Check:

        HTTPS + clickjacking protection = Strict-Transport-Security + X-Frame-Options [OK]
      Hint: Use Strict-Transport-Security + X-Frame-Options for HTTPS and framing [OK]
      Common Mistakes:
      • Confusing Cache-Control as security header
      • Thinking Content-Security-Policy alone prevents clickjacking
      • Ignoring HTTPS enforcement in header choice