Security Headers

10 tests verify automatic injection of security headers (BSI IT-Grundschutz APP.3.1.A21).

Configuration

Security headers are configured in policy.yaml:

# policy.yaml
security_headers:
  # Content Security Policy
  csp:
    enabled: true
    policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"

  # HTTP Strict Transport Security
  hsts:
    enabled: true
    max_age: 31536000  # 1 year
    include_subdomains: true
    preload: true

  # Additional security headers
  x_frame_options: "DENY"
  x_content_type_options: "nosniff"
  x_xss_protection: "1; mode=block"
  referrer_policy: "strict-origin-when-cross-origin"
  permissions_policy: "geolocation=(), microphone=(), camera=()"

HDR-001 [INJECTED]

Content-Security-Policy

Sample Request

curl -I https://example.com/app

Response with CSP Header

HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

The Content-Security-Policy header controls which resources the browser is allowed to load. It mitigates XSS by restricting script execution to trusted sources: with the policy above, scripts are loaded only from the page's own origin and inline scripts are blocked (script-src has no 'unsafe-inline'), while inline styles remain allowed.

HDR-002 [INJECTED]

Strict-Transport-Security (HSTS)

Response Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

HSTS instructs browsers to use HTTPS for every request to this host for max-age seconds after the header is seen (31536000 here, one year); includeSubDomains extends this to all subdomains. The preload directive marks the site as eligible for the browsers' built-in preload lists, which protects even the very first visit; the site still has to be submitted to the list separately.

HDR-003 [INJECTED]

X-Frame-Options

Response Header

X-Frame-Options: DENY

Prevents the page from being embedded in frames, protecting against clickjacking, where a malicious site overlays an invisible frame on its own content to trick users into clicking.

HDR-004 [INJECTED]

X-Content-Type-Options

Response Header

X-Content-Type-Options: nosniff

Prevents browsers from MIME-sniffing responses, so they honour the declared Content-Type. This blocks attacks where a file is served as one type (for example an upload labelled as an image) but would otherwise be interpreted by the browser as another, such as a script.

HDR-005 [INJECTED]

Referrer-Policy

Response Header

Referrer-Policy: strict-origin-when-cross-origin

Controls how much referrer information is sent with requests. With strict-origin-when-cross-origin, cross-origin requests carry only the origin (and nothing at all on an HTTPS-to-HTTP downgrade), so sensitive URL paths and query strings are not leaked to external sites.

HDR-006 [INJECTED]

Permissions-Policy

Response Header

Permissions-Policy: geolocation=(), microphone=(), camera=()

Restricts which browser features the page and its embedded frames may use. An empty allowlist such as geolocation=() denies the feature to every origin; disabling unused features like geolocation, microphone, and camera reduces the attack surface.

Verify Your Headers

Test whether the security headers are set (grep is case-insensitive because header names are case-insensitive and HTTP/2 responses show them in lowercase):

curl -sI https://your-domain.com | grep -iE '(Content-Security|Strict-Transport|X-Frame|X-Content-Type|X-XSS|Referrer-Policy|Permissions-Policy)'
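The curl check above only shows whether a header is present. The following script, an added example and not the documented tool's own code, derives the full set of expected headers from the policy.yaml structure shown in the Configuration section (composing the HSTS value from max_age, include_subdomains and preload) and compares a captured response against it, reporting headers that are missing or whose value differs from the policy. The POLICY dict mirrors policy.yaml, and SAMPLE is a constructed response.

```python
# Added example, not the documented tool's code; POLICY mirrors the policy.yaml above so no YAML parser is needed.
POLICY = {"security_headers": {
    "csp": {"enabled": True, "policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"},
    "hsts": {"enabled": True, "max_age": 31536000, "include_subdomains": True, "preload": True},
    "x_frame_options": "DENY", "x_content_type_options": "nosniff", "x_xss_protection": "1; mode=block",
    "referrer_policy": "strict-origin-when-cross-origin",
    "permissions_policy": "geolocation=(), microphone=(), camera=()"}}
# Scalar keys map one-to-one onto a header name; csp and hsts are composed in expected_headers().
SIMPLE = {"x_frame_options": "X-Frame-Options", "x_content_type_options": "X-Content-Type-Options",
          "x_xss_protection": "X-XSS-Protection", "referrer_policy": "Referrer-Policy",
          "permissions_policy": "Permissions-Policy"}

def expected_headers(policy):
    """Return {header name: value} that the policy requires to be injected."""
    sh = policy["security_headers"]
    out = {}
    if sh.get("csp", {}).get("enabled"):
        out["Content-Security-Policy"] = sh["csp"]["policy"]
    hsts = sh.get("hsts", {})
    if hsts.get("enabled"):
        parts = [f"max-age={int(hsts['max_age'])}"]
        parts += ["includeSubDomains"] if hsts.get("include_subdomains") else []
        parts += ["preload"] if hsts.get("preload") else []
        out["Strict-Transport-Security"] = "; ".join(parts)
    for key, name in SIMPLE.items():
        if key in sh:
            out[name] = sh[key]
    return out

def check_response(policy, raw_response):
    """Compare a raw response (as printed by `curl -I`) with the policy.
    Returns a list of findings; an empty list means every header matches."""
    # Header names are case-insensitive; skip the status line and any line without a colon.
    got = {n.strip().lower(): v.strip() for n, sep, v in
           (line.partition(":") for line in raw_response.splitlines()[1:]) if sep}
    findings = []
    for name, want in expected_headers(policy).items():
        have = got.get(name.lower())
        if have is None:
            findings.append(f"missing: {name}")
        elif have != want:
            findings.append(f"mismatch: {name}: got {have!r}, want {want!r}")
    return findings
# Constructed sample response: HSTS was injected without preload and X-Frame-Options is absent.
SAMPLE = ("HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
          "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'\r\n"
          "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
          "Referrer-Policy: strict-origin-when-cross-origin\r\nPermissions-Policy: geolocation=(), microphone=(), camera=()\r\n")
FINDINGS = check_response(POLICY, SAMPLE)  # one mismatch (HSTS) and one missing header (X-Frame-Options)
```

Feed it the output of curl -sI instead of SAMPLE to check a live deployment against the same policy file the injector uses.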