Secure Headers Project
6.2.5 Secure Headers Project
The OWASP Secure Headers Project (OSHP) provides information on HTTP response headers to increase the security of a web application.
The OSHP documentation project is an OWASP Lab Project and raises awareness of secure headers and their use.
What is OSHP?
The OSHP project) provides explanations for the HTTP response headers that an application can use to increase the security of the application. Once set the HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities.
OSHP contains guidance and downloads on:
- Response headers explanations and usage
- Links to individual browser support
- Guidance and best practices
- Technical resources in the form of tools and documents
- Code snippets to help working with HTTP security headers
Why use it?
The OSHP is a documentation project that explains the reasoning and usage of HTTP response headers. It is the go-to document for guidance and best practices; the information on HTTP response headers is the best advice, in one location, and is kept up to date.
How to use it
The OWASP Spotlight series provides an overview of this project and its uses: ‘Project 24 - OWASP Security Headers Project’.
OSHP documents various tools useful for inspection, analysis and scanning of HTTP response headers:
- hsecscan
- humble
- SecurityHeaders.com
- Mozilla Observatory
- Recx Security Analyser
- testssl.sh
- DrHEADer
- csp-evaluator
OSHP also provides links to development libraries that provide for secure HTTP response headers in a range of languages and frameworks.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage