We are making a set of changes designed to make our websites more secure. The changes are listed below and should not affect your user experience. It is best practice to share this note with your internal IT department.
The changes will take place on the week commencing 2nd of May.
Below you will find a description of the headers we will be putting in place.
X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe or object. This is used to avoid clickjacking attacks, by ensuring that the site's content is not embedded into other sites.
Result: We will be applying the SAMEORIGIN value to this header. This should not impact site usage and will prevent the site from being framed (for example in an iframe) by external sites.
Strict-Transport-Security (HSTS)
This header instructs a browser to use only the HTTPS protocol when connecting to the site.
The first time a site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information to prevent the entry from expiring.
Result: This should not cause any issues in connecting to a site and will ensure that connecting traffic is using the HTTPS protocol.
X-Content-Type-Options
The X-Content-Type-Options HTTP response header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed.
This blocks content sniffing and prevents the transformation of non-executable MIME types into executable MIME types.
Result: This header will prevent MIME-sniffing attacks on sites and should not affect regular use of the site.
X-XSS-Protection
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
XSS filtering will allow the browser to prevent rendering of the page if an attack is detected.
Result: This header should not affect regular use of the site and will prevent the site from being displayed should an XSS-type attack be detected.
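For an IT department that wants to confirm the four headers above are in place once the change has gone live, here is a small check script. It is an added example, not part of this notice or our server configuration: it parses a captured response header block (the sample below is constructed, not taken from a real site) and reports any header that is missing or carries an unexpected value. The X-XSS-Protection check only confirms the filter is switched on, since the notice does not state the exact value that will be used; that is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample response, as an IT team might capture it with
# "curl -I" or a browser's network panel (not output from a real site).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response into a lower-cased header-name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means all four headers look as expected."""
    h = parse_headers(raw)
    findings: List[str] = []
    # X-Frame-Options: the notice says the SAMEORIGIN value will be applied.
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options missing or not SAMEORIGIN")
    # HSTS: needs a positive max-age; browsers record nothing otherwise,
    # and max-age=0 actually clears any stored entry.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) <= 0:
        findings.append("Strict-Transport-Security missing or max-age not positive")
    # X-Content-Type-Options: 'nosniff' is the only defined value.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    # X-XSS-Protection: only confirm the filter is enabled ("1..."); the exact
    # value is not stated in the notice, so this is the example's assumption.
    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection missing or disabled")
    return findings

if __name__ == "__main__":
    for line in check_security_headers(SAMPLE_RESPONSE) or ["all expected headers present"]:
        print(line)
```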
------------------------------------------------------------------------------------------------------------------------
Not sure what the above means?
The above changes should not affect your user experience; they have been put in place to improve the security and reliability of our website.
What next?
It is best practice to share this note with your internal IT department.
Want to know more?
If you have any questions regarding the changes please share this note with your IT department. They will be best placed to share more on how the HTTP Response Headers work.