Securing your Netlify deployment with HTTP headers

Using the JAMstack has many benefits. Besides giving you blazing fast websites and removing the dependency on a server rendering your page on each request, it also reduces the attack surface.

By not having a server-side process accessing a database and rendering the results, you not only gain speed, but you also take the risk of SQL injection out of the equation. It removes pretty much any server-side risk while giving you a lot of other benefits. The risk of being vulnerable to Cross-Site Scripting (XSS) attacks is also lower.

However, certain kinds of attacks are still possible, and you should protect your site against them:

  • Clickjacking
  • Cross-Site Scripting (it is harder, but still possible)
  • Content sniffing attacks
  • SSL downgrade attacks

Do not worry if you have never heard of the above. The OWASP project has a good explanation of them on their Top 10 page.

To protect your website from the above, you should add a _headers file to your repository.

This file should contain the following content:

## https://www.netlify.com/docs/headers-and-basic-auth/
/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: origin

Ensure your static site generator includes the file in the folder you are deploying. See the Netlify documentation for this.
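A small check helps make sure the file actually contains what you intended before you deploy it. The following is an added example, not code from the original post or from Netlify: it parses the Netlify _headers format (unindented path pattern, indented "Name: value" lines below it, "#" comments) and verifies that the four headers from the post are set for the catch-all "/*" path with safe values. The sample file embedded in it is constructed to mirror the post's own _headers. As an addition not in the post's file, it also reports Strict-Transport-Security as a recommended extra, since that header is the one that addresses SSL downgrade; the header allow-lists are this example's own choices.

```python
"""Parse a Netlify _headers file and check the security headers the post
recommends. Added example; not the post's or Netlify's own code."""
from typing import Dict, List

# Constructed sample: mirrors the _headers file recommended in the post.
SAMPLE_HEADERS_FILE = """\
## https://www.netlify.com/docs/headers-and-basic-auth/
/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: origin
"""

# Header name (lower-case) -> values accepted as a safe setting.
# These allow-lists are this example's own assumption, not from the post.
REQUIRED: Dict[str, set] = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block"},
    "referrer-policy": {"origin", "no-referrer", "same-origin",
                        "strict-origin", "strict-origin-when-cross-origin"},
}

# Recommended extra (not in the post's file): HSTS is the header that
# addresses SSL/TLS downgrade, so we report it when it is absent.
RECOMMENDED_EXTRA = ["strict-transport-security"]


def parse_headers_file(text: str) -> Dict[str, Dict[str, str]]:
    """Return {path_pattern: {header_name_lower: value}}.

    A line that does not start with whitespace is a path pattern; the
    indented "Name: value" lines below it belong to that path. Lines whose
    first non-blank character is "#" are comments.
    """
    rules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            rules.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"header line before any path: {raw!r}")
        name, sep, value = raw.strip().partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {raw!r}")
        rules[current][name.strip().lower()] = value.strip()
    return rules


def check_security_headers(rules: Dict[str, Dict[str, str]],
                           path: str = "/*") -> List[str]:
    """Return findings for the given path; an empty list means all good."""
    findings = []
    headers = rules.get(path, {})
    for name, allowed in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name} for {path}")
        elif value.lower() not in allowed:
            findings.append(f"weak {name} for {path}: {value!r}")
    return findings


def missing_recommended(rules: Dict[str, Dict[str, str]],
                        path: str = "/*") -> List[str]:
    """Return recommended extra headers that are not set for the path."""
    headers = rules.get(path, {})
    return [name for name in RECOMMENDED_EXTRA if name not in headers]


if __name__ == "__main__":
    parsed = parse_headers_file(SAMPLE_HEADERS_FILE)
    for finding in check_security_headers(parsed):
        print("FINDING:", finding)
    for name in missing_recommended(parsed):
        print("RECOMMENDED:", name, "is not set")
```

Run it against your own _headers file by replacing SAMPLE_HEADERS_FILE with the file's contents; a clean run prints only the HSTS recommendation. The check is deliberately per-path, because a header set under a narrower path pattern does not protect the rest of the site.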

[Figure: scan results before and after the applied change]

You should apply these improvements especially when you have any kind of login, email sign-up or payment service on your static site.

Congratulations, you just became a bit more secure.

If you always want to stay up to date on your HTTP headers and make sure you do not become insecure by accident, sign up for our beta. We keep an eye on your security, so you can focus on your business.

Join our beta