chore: clean git cache
@@ -1,119 +0,0 @@
---
title: HTTP Security Headers
description: Automatic security headers including CSP, HSTS, and more
category: security
---

# HTTP Security Headers

Modern browsers expect specific security headers to protect your users. Charon automatically adds industry-standard headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options.

## Overview

HTTP security headers instruct browsers how to handle your content securely. Without them, your site remains vulnerable to clickjacking, XSS attacks, protocol downgrades, and MIME-type confusion. Charon provides a visual interface for configuring these headers without memorizing complex syntax.

### Supported Headers

| Header | Purpose |
|--------|---------|
| **HSTS** | Forces HTTPS connections, prevents downgrade attacks |
| **Content-Security-Policy** | Controls resource loading, mitigates XSS |
| **X-Frame-Options** | Prevents clickjacking via iframe embedding |
| **X-Content-Type-Options** | Stops MIME-type sniffing attacks |
| **Referrer-Policy** | Controls referrer information leakage |
| **Permissions-Policy** | Restricts browser feature access (camera, mic, geolocation) |
| **Cross-Origin-Opener-Policy** | Isolates browsing context |
| **Cross-Origin-Resource-Policy** | Controls cross-origin resource sharing |

## Why Use This

- **Browser Protection**: Modern browsers actively check for security headers
- **Compliance**: Many security audits and standards require specific headers
- **Defense in Depth**: Headers add protection even if application code has vulnerabilities
- **No Code Changes**: Protect legacy applications without modifying source code

## Security Presets

Charon offers three ready-to-use presets based on your security requirements:

### Basic (Production Safe)

Balanced security suitable for most production sites. Enables essential protections without breaking typical web functionality.

- HSTS enabled (1 year, includeSubdomains)
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin

### Strict (High Security)

Enhanced security for applications handling sensitive data. May require CSP tuning for inline scripts.

- All Basic headers plus:
- Content-Security-Policy with restrictive defaults
- Permissions-Policy denying sensitive features
- X-Frame-Options: DENY

### Paranoid (Maximum)

Maximum security for high-value targets. Expect to customize CSP directives for your specific application.

- All Strict headers plus:
- CSP with nonce-based script execution
- Cross-Origin policies fully restricted
- All permissions denied by default

## Configuration

### Using Presets

1. Navigate to **Hosts** → Select your host → **Security Headers**
2. Choose a preset from the dropdown
3. Review the applied headers in the preview
4. Click **Save** to apply

### Custom Header Profiles

Create reusable header configurations:

1. Go to **Settings** → **Security Profiles**
2. Click **Create Profile**
3. Name your profile (e.g., "API Servers", "Public Sites")
4. Configure individual headers
5. Save and apply to multiple hosts

### Interactive CSP Builder

The CSP Builder provides a visual interface for constructing Content-Security-Policy:

1. Select directive (script-src, style-src, img-src, etc.)
2. Add allowed sources (self, specific domains, unsafe-inline)
3. Preview the generated policy
4. Test against your site before applying

## Security Score Calculator

Each host displays a security score from 0-100 based on enabled headers:

| Score Range | Rating | Description |
|-------------|--------|-------------|
| 90-100 | Excellent | All recommended headers configured |
| 70-89 | Good | Core protections in place |
| 50-69 | Fair | Basic headers only |
| 0-49 | Poor | Missing critical headers |

## When to Use Each Preset

| Scenario | Recommended Preset |
|----------|-------------------|
| Marketing sites, blogs | Basic |
| E-commerce, user accounts | Strict |
| Banking, healthcare, government | Paranoid |
| Internal tools | Basic or Strict |
| APIs (no browser UI) | Minimal or disabled |

## Related

- [Proxy Headers](proxy-headers.md) - Backend communication headers
- [Access Lists](access-lists.md) - IP-based access control
- [Back to Features](../features.md)
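Review bot: the commit message "chore: clean git cache" does not match this hunk, which deletes the entire 119-line HTTP Security Headers feature doc (front matter through the Related links) rather than untracking a cached build artifact. If the intent was only to stop tracking stale cache files, this page should not be in the deletion and needs to be restored; if the doc is meant to go, the message should say so, and any index that references it (for example the `../features.md` page it links back to) needs updating. If the page is restored, two items in the removed content merit a fix: the "When to Use Each Preset" table recommends a `Minimal` preset for APIs that is not among the three presets the file defines (Basic, Strict, Paranoid), and the Supported Headers table describes Cross-Origin-Resource-Policy as controlling "cross-origin resource sharing", which conflates it with CORS; CORP restricts which origins may load the resource at all, so something like "Restricts which origins may load the resource" would be accurate.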