Securing your Netlify deployment with HTTP headers
By not having a server-side process that accesses a database and renders the results, you not only gain speed, you also take the risk of SQL injection out of the equation. It removes pretty much any server-side risk while giving you a lot of other benefits. The risk of being vulnerable to Cross-site Scripting (XSS) attacks is also lower.
However, certain kinds of attacks are still possible, and you should protect your site against them:
- Clickjacking
- Cross Site Scripting (it is harder but still possible)
- Content Sniffing attacks
- SSL downgrade attacks
Do not worry if you have never heard of the above. The OWASP project has a good explanation of them on its Top 10 page.
To protect your website from the above, you should add a _headers file to your repository.
This file should contain the following content:
    ## https://www.netlify.com/docs/headers-and-basic-auth/
    /*
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      Referrer-Policy: origin

Lines starting with # are comments, the /* line selects every path on the site, and the indented lines are the headers Netlify will add to each response for those paths.
Ensure your static site generator includes the file in the folder you are deploying. See the Netlify documentation for this.
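A small check that the file actually contains what the post describes, and that a deployed site really sends those headers, is useful because a typo in the _headers file or a build that drops it silently leaves the site unprotected. The following is an added example, not Netlify's code or part of the original post: it parses the _headers format (a path line followed by indented Name: value lines, with # comments), and checks a set of headers against the values the post recommends. The sample file content is constructed to match the file above. Note that the four headers in the post do not address the SSL downgrade item in the list; Strict-Transport-Security (HSTS) is the standard header for that, so the checker reports its absence as a separate recommendation.

```python
"""Check a Netlify `_headers` file (or a captured set of response headers)
for the security headers recommended in the post.

Added example, not Netlify's own code. The `_headers` format assumed here:
a path line (e.g. `/*`), followed by indented `Name: value` lines; lines
starting with `#` are comments.
"""

# Constructed sample, matching the file shown in the post.
SAMPLE_HEADERS_FILE = """\
## https://www.netlify.com/docs/headers-and-basic-auth/
/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: origin
"""

# Header name -> values accepted as "not weak". Names are matched
# case-insensitively, as HTTP header names are.
REQUIRED = {
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),            # clickjacking
    "X-XSS-Protection": ("1; mode=block",),               # legacy browser XSS filter
    "X-Content-Type-Options": ("nosniff",),               # content sniffing
    "Referrer-Policy": ("origin", "no-referrer", "same-origin",
                        "strict-origin", "strict-origin-when-cross-origin"),
}

# Not in the post's file; HSTS is the header that addresses SSL downgrade.
RECOMMENDED = ("Strict-Transport-Security",)


def parse_headers_file(text):
    """Return {path: {lower-cased header name: value}} for a `_headers` file."""
    rules = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not raw[0].isspace():
            current = line.strip()        # a new path block starts
            rules.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("header line before any path line: %r" % line)
        name, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        rules[current][name.strip().lower()] = value.strip()
    return rules


def check_headers(headers):
    """Return a list of findings for a header name -> value mapping.

    `headers` may come from `parse_headers_file` or from a captured HTTP
    response (e.g. the output of `curl -sI https://example.invalid/`).
    """
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, accepted in REQUIRED.items():
        value = present.get(name.lower())
        if value is None:
            findings.append("missing %s" % name)
        elif value.lower() not in [a.lower() for a in accepted]:
            findings.append("weak %s: %s" % (name, value))
    for name in RECOMMENDED:
        if name.lower() not in present:
            findings.append("recommended %s is not set" % name)
    return findings


def check_headers_file(text, path="/*"):
    """Findings for one path block of a `_headers` file (default: the catch-all)."""
    return check_headers(parse_headers_file(text).get(path, {}))


if __name__ == "__main__":
    for finding in check_headers_file(SAMPLE_HEADERS_FILE) or ["ok"]:
        print(finding)
```

Run it against your own _headers file before deploying, and against the real response headers after deploying, since Netlify only applies the file if it ends up in the published folder. Any "missing" finding after deployment means the file was not picked up.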
You should apply these improvements especially when you have any kind of login, email sign-up or payment service on your static site.
Congratulations, you just became a bit more secure.
If you always want to stay up to date on your HTTP headers and make sure you do not get insecure by accident, sign up for our beta. We keep an eye on your security, so you can focus on your business.