---
title: HTTP Security Headers
description: Automatic security headers including CSP, HSTS, and more
category: security
---

# HTTP Security Headers
Modern browsers expect specific security headers to protect your users. Charon automatically adds industry-standard headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options.
## Overview
HTTP security headers instruct browsers how to handle your content securely. Without them, your site remains vulnerable to clickjacking, XSS attacks, protocol downgrades, and MIME-type confusion. Charon provides a visual interface for configuring these headers without memorizing complex syntax.
## Supported Headers
| Header | Purpose |
|---|---|
| HSTS | Forces HTTPS connections, prevents downgrade attacks |
| Content-Security-Policy | Controls resource loading, mitigates XSS |
| X-Frame-Options | Prevents clickjacking via iframe embedding |
| X-Content-Type-Options | Stops MIME-type sniffing attacks |
| Referrer-Policy | Controls referrer information leakage |
| Permissions-Policy | Restricts browser feature access (camera, mic, geolocation) |
| Cross-Origin-Opener-Policy | Isolates browsing context |
| Cross-Origin-Resource-Policy | Restricts which origins may load the resource |

## Why Use This
- Browser Protection: Modern browsers actively check for security headers
- Compliance: Many security audits and standards require specific headers
- Defense in Depth: Headers add protection even if application code has vulnerabilities
- No Code Changes: Protect legacy applications without modifying source code
## Security Presets

Charon offers three ready-to-use presets based on your security requirements:

### Basic (Production Safe)
Balanced security suitable for most production sites. Enables essential protections without breaking typical web functionality.
- HSTS enabled (1 year, includeSubdomains)
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
### Strict (High Security)
Enhanced security for applications handling sensitive data. May require CSP tuning for inline scripts.
- All Basic headers plus:
  - Content-Security-Policy with restrictive defaults
  - Permissions-Policy denying sensitive features
  - X-Frame-Options: DENY

### Paranoid (Maximum)
Maximum security for high-value targets. Expect to customize CSP directives for your specific application.
- All Strict headers plus:
  - CSP with nonce-based script execution
  - Cross-Origin policies fully restricted
  - All permissions denied by default

## Configuration

### Using Presets
1. Navigate to Hosts → Select your host → Security Headers
2. Choose a preset from the dropdown
3. Review the applied headers in the preview
4. Click Save to apply

### Custom Header Profiles
Create reusable header configurations:
1. Go to Settings → Security Profiles
2. Click Create Profile
3. Name your profile (e.g., "API Servers", "Public Sites")
4. Configure individual headers
5. Save and apply to multiple hosts

### Interactive CSP Builder

The CSP Builder provides a visual interface for constructing a Content-Security-Policy header:

1. Select a directive (script-src, style-src, img-src, etc.)
2. Add allowed sources (`'self'`, specific domains, `'unsafe-inline'`)
3. Preview the generated policy
4. Test against your site before applying
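The following is an added example, not Charon's own code, showing what the three presets and the CSP Builder produce when expressed as plain header values. The page lists which headers each preset enables but not the exact directive values Charon emits, so every value below (HSTS max-age, the CSP source lists, the Permissions-Policy feature list) is an assumption chosen to match the preset descriptions; `build_csp`, `preset_headers` and `new_nonce` are names invented for this example.

```python
"""Header sets for the Basic, Strict and Paranoid presets, plus a CSP builder.

Added example, not Charon's own code. The page lists which headers each
preset enables but not the exact values Charon emits, so every directive
value below is an assumption chosen to match the preset descriptions.
"""
import secrets
from typing import Dict, List, Optional

# CSP source expressions that the spec requires to be single-quoted.
_CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def _csp_source(src: str) -> str:
    """Quote keyword, nonce and hash sources; host sources stay bare."""
    if src in _CSP_KEYWORDS or src.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
        return f"'{src}'"
    return src


def build_csp(directives: Dict[str, List[str]]) -> str:
    """Serialize a {directive: [sources]} mapping into a CSP header value."""
    parts = []
    for name, sources in directives.items():
        if sources:
            parts.append(f"{name} {' '.join(_csp_source(s) for s in sources)}")
        else:
            parts.append(name)  # valueless directives such as upgrade-insecure-requests
    return "; ".join(parts)


def new_nonce() -> str:
    """Fresh per-response nonce (128 bits) for 'nonce-...' script sources."""
    return secrets.token_urlsafe(16)


def preset_headers(preset: str, nonce: Optional[str] = None) -> Dict[str, str]:
    """Return the response headers for 'basic', 'strict' or 'paranoid'."""
    # Basic: the four headers the page lists, 1-year HSTS covering subdomains.
    headers = {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if preset == "basic":
        return headers
    if preset not in ("strict", "paranoid"):
        raise ValueError(f"unknown preset: {preset!r}")

    # Strict: restrictive CSP defaults, framing denied, sensitive features off.
    csp = {
        "default-src": ["self"],
        "script-src": ["self"],
        "style-src": ["self"],
        "img-src": ["self", "data:"],
        "object-src": ["none"],
        "frame-ancestors": ["none"],
        "base-uri": ["self"],
    }
    headers["X-Frame-Options"] = "DENY"
    headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
    if preset == "strict":
        headers["Content-Security-Policy"] = build_csp(csp)
        return headers

    # Paranoid: nonce-based scripts, cross-origin isolation, more features denied.
    if nonce is None:
        raise ValueError("the paranoid preset needs a per-response nonce")
    # Only <script nonce="..."> elements run; 'strict-dynamic' lets those trusted
    # scripts load further scripts without maintaining a host allowlist.
    csp["script-src"] = [f"nonce-{nonce}", "strict-dynamic"]
    csp["form-action"] = ["self"]
    csp["upgrade-insecure-requests"] = []
    headers["Content-Security-Policy"] = build_csp(csp)
    headers["Cross-Origin-Opener-Policy"] = "same-origin"
    headers["Cross-Origin-Resource-Policy"] = "same-origin"
    headers["Permissions-Policy"] = (
        "camera=(), microphone=(), geolocation=(), payment=(), usb=(), "
        "fullscreen=(), display-capture=()"
    )
    return headers


if __name__ == "__main__":
    for name, value in preset_headers("paranoid", new_nonce()).items():
        print(f"{name}: {value}")
```

The nonce in the Paranoid policy only works if the same value also appears on every `<script nonce="...">` tag in the served HTML, which a proxy cannot know without the application's cooperation; that is the tuning the Paranoid description above warns about, and why the Basic and Strict presets stick to host-based sources.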
### Security Score Calculator

Each host displays a security score from 0 to 100 based on the headers it has enabled:
| Score Range | Rating | Description |
|---|---|---|
| 90-100 | Excellent | All recommended headers configured |
| 70-89 | Good | Core protections in place |
| 50-69 | Fair | Basic headers only |
| 0-49 | Poor | Missing critical headers |
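As an added example, not Charon's scoring code, here is one way to compute such a score from a captured HTTP response and map it onto the rating bands in the table above. The page documents only the bands, so the per-header weights, the set of "critical" headers and the minimal sanity checks on header values are all assumptions; the sample response is constructed to match the Basic preset.

```python
"""Score a response's security headers on the 0-100 scale and rate it.

Added example, not Charon's scoring code. Only the rating bands come from
the documentation; weights, the critical set and the value checks are
assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Weights sum to 100. Critical headers carry most of the score so that a
# site missing them lands in the "Poor" band, as the table describes.
WEIGHTS = {
    "strict-transport-security": 20,
    "content-security-policy": 25,
    "x-frame-options": 15,
    "x-content-type-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 5,
    "cross-origin-opener-policy": 5,
    "cross-origin-resource-policy": 5,
}
CRITICAL = {
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options",
}

# Constructed sample: a response carrying exactly the Basic preset headers.
BASIC_PRESET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        value = value.strip()
        # Repeated fields are combined with commas, as HTTP allows.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _effective(name: str, value: str) -> bool:
    """Assumed sanity checks: a present-but-weak value earns no credit."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        return bool(m) and int(m.group(1)) >= 31536000  # the presets use 1 year
    if name == "content-security-policy":
        return "default-src" in v or "script-src" in v  # must constrain scripts
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")
    if name == "x-content-type-options":
        return v == "nosniff"
    return bool(v)


def rating(score: int) -> str:
    """Map a score onto the bands from the documentation table."""
    if score >= 90:
        return "Excellent"
    if score >= 70:
        return "Good"
    if score >= 50:
        return "Fair"
    return "Poor"


def score_headers(headers: Dict[str, str]) -> Tuple[int, str, List[str]]:
    """Return (score, rating, missing critical headers) for a header dict."""
    score = 0
    missing_critical: List[str] = []
    for name, weight in WEIGHTS.items():
        if name in headers and _effective(name, headers[name]):
            score += weight
        elif name in CRITICAL:
            missing_critical.append(name)
    return score, rating(score), missing_critical


if __name__ == "__main__":
    total, band, missing = score_headers(parse_response_headers(BASIC_PRESET_RESPONSE))
    print(f"score={total} rating={band} missing_critical={missing}")
```

With these weights the Basic preset lands in the Fair band with Content-Security-Policy reported as the missing critical header, which is exactly the "Basic headers only" row in the table; adding the Strict headers moves the same host into the Excellent band.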
## When to Use Each Preset
| Scenario | Recommended Preset |
|---|---|
| Marketing sites, blogs | Basic |
| E-commerce, user accounts | Strict |
| Banking, healthcare, government | Paranoid |
| Internal tools | Basic or Strict |
| APIs (no browser UI) | Minimal or disabled |
## Related
- Proxy Headers - Backend communication headers
- Access Lists - IP-based access control
- Back to Features