Most people do not know about the additional, rarely used HTTP headers that address security issues. In this article I would like to give some hints on two of those little-known headers. They do not improve security dramatically, but they clearly make it harder for common clickjacking attacks to misuse your websites.
Strict Transport Security
HTTP Strict Transport Security (HSTS) is, technically speaking, a special header sent from the web server to the client. This header tells the client to communicate with this web server only via HTTPS instead of HTTP. If the browser supports HSTS, it will remember that this domain is only accessible through HTTPS. This helps avoid man-in-the-middle attacks such as those based on redirecting the user to malicious sites instead of the original ones. The technical details and an in-depth description can be found on the IETF site.
I will use nginx for the example configurations. The easiest approach is to rely on the client being smart enough to interpret the HSTS header, and to simply send the header with every HTTP response:
add_header Strict-Transport-Security max-age=31536000;
The max-age field holds the number of seconds in a whole year and acts as the lifetime of the HSTS policy. To also force HTTPS on browsers that do not support HSTS, redirect all browsers from HTTP to HTTPS with a configuration like:
rewrite ^ https://$server_name$request_uri? permanent;
Try to prevent framing of your site - the X-Frame-Options header
If the client's browser supports this IETF draft, it will prevent the loading of your page within a (i)frame. There are two options for setting this header:
DENY for a general denial of loading this site within a frame, or
SAMEORIGIN for a denial of loading within a foreign page. Most sites will be fine with a general denial, defined by adding the header to all responses:
add_header X-Frame-Options DENY;
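A header check to go with both sections above, as an added example that is not part of the original article: it audits one response's Strict-Transport-Security and X-Frame-Options values the way a deployment test would, including the case browsers ignore (HSTS delivered over plain HTTP). The function names and the header sets at the bottom are my own constructed samples, not captured traffic.

```python
# Added example (not from the article): audit a response's security headers
# the way a deployment check would. Sample headers below are constructed.
import re
from typing import Dict, List

ONE_YEAR = 31536000  # the max-age value used in the article


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value like 'max-age=31536000; includeSubDomains'
    into a dict of lower-cased directive names (valueless -> '')."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response. scheme is 'http' or 'https';
    headers is the response header map (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if scheme != "https":
        # RFC 6797: user agents ignore HSTS received over plain HTTP, so the
        # only useful thing an http:// response can do is redirect to https://.
        if hsts is not None:
            findings.append("HSTS sent over HTTP is ignored by browsers")
        if not h.get("location", "").startswith("https://"):
            findings.append("HTTP response does not redirect to HTTPS")
    elif hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        if not re.fullmatch(r"\d+", d.get("max-age", "")):
            findings.append("HSTS max-age missing or not numeric")
        elif int(d["max-age"]) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


# Constructed sample responses, as a server configured like the article sends
GOOD = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}
WEAK = {"Strict-Transport-Security": "max-age=300; includeSubDomains"}
```

Feed it the headers of a real response (for example from a client library's response object) to verify that the nginx directives above actually reach the browser on the HTTPS side and that the HTTP side only redirects.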