Encryption
02 Feb 2020

Securing Your Website with HTTP Headers and Subresource Integrity

Securing your website is vital in today’s ever-evolving threat landscape. New cyberattacks, unauthorized intrusions, and data breaches emerge daily, placing both your business and customers at risk. As your website is the public face of your enterprise, it presents the perfect target to motivated attackers. Finding the perfect balance between security and functionality is vital to the usability of your site. You need to ensure potential customers can access your website rapidly and efficiently. However, you also need to implement security measures to protect them, your data, and your online reputation.

Securing Your Website Requires a Defense in Depth Approach

When it comes to securing your website, there are a variety of technologies, tools, and techniques that can help protect your site from online threats. Hardening your origin server to defend it against a potential breach is a vital first step. Implementing encryption technologies such as Transport Layer Security (TLS) helps strengthen the security of your online platform while increasing your Google PageRank and enhancing your Search Engine Optimization. Network-related technologies such as Web Application Firewalls (WAFs) add a protective layer, filtering malicious traffic while alerting you to potential attacks.

Deploying all these solutions ensures you adhere to the proven industry practice of a Defense in Depth approach. By surrounding your application and data with layers of security, you mitigate the risk of a single point of failure that could lead to a system compromise. In addition to server hardening, encryption, and firewalls, HTTP Headers and Subresource Integrity are additional measures you can implement to secure your website. Adding these configuration changes to your existing Defense in Depth strategy can help you reduce the risk of a data breach or system compromise significantly.

What are HTTP Headers?

HTTP Headers form an integral part of the HTTP protocol standard. When a browser requests data from a web server, the response does not only contain the data that renders in your browser, be it text, images, or video. Included in the information sent from the web server is metadata that controls what your browser displays and how the transmission of information is managed. A subset of this metadata carries security information, collectively referred to as HTTP Security Headers. Below are several that you should consider configuring to secure your website, its data, and your site visitors.

HTTP Strict Transport Security (HSTS)

The Strict Transport Security HTTP header enforces the use of HTTPS. It instructs the browser to access your site over an encrypted connection exclusively, for as long as the header's max-age is valid, and to refuse plain HTTP connections in the meantime. By configuring this HTTP security header, you can protect your users from Man-in-the-Middle (MitM) attacks. As the data transmitted between your web service and the user is encrypted, should an attacker intercept the traffic, they would not be able to read it. This setting is particularly useful if your site has a login facility requiring the submission of a username and password.

Content Security Policy

The Content Security Policy header defines the legitimate content sources for a particular site or online service. By configuring this setting, you force a user's browser to load content only from the approved sources you define in the header. It protects your site visitors from Cross-Site Scripting (XSS) and other similar attacks that rely on injecting malicious code.

X-Frame-Options

The X-Frame-Options HTTP security header instructs a user's browser not to render your pages inside a frame or iframe on another site. Attackers leverage iframes to install malicious software or run unsanctioned scripts on a site visitor's browsing device. Hiding an embedded iframe from an end-user by configuring its display settings to zero pixels serves as an ideal clickjacking attack vector. By setting this HTTP security header, you can protect your site and its visitors from this kind of infection and compromise.

X-XSS-Protection

The X-XSS-Protection security header enables the Cross-Site Scripting (XSS) filter built into modern web browsers. This setting protects users from XSS attacks that could infect their devices with malicious software. It also helps defend against unsanctioned scripts that could steal the user’s information. Although this setting is typically enabled by default, configuring your site with this header will enforce it, adding another critical layer of security.
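The four headers above are easy to check on a live response. The following audit function is an added example (not code from the original article); the response headers it inspects are a constructed sample, standing in for what an HTTP client such as `curl -I` or Python's `requests` would return, and the one-year HSTS threshold is an assumed baseline.

```python
"""Audit the four security headers discussed above on a captured response."""
import re

# Constructed sample: headers from a hypothetical server, as an HTTP
# client would expose them (header names are case-insensitive).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age, in seconds


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers may still connect over plain HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no restriction on script sources")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline', which weakens XSS protection")

    # Either value stops other sites from framing the page (clickjacking).
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # Legacy filter header; the check mirrors the value the article recommends.
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection not set to '1; mode=block'")

    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the `'unsafe-inline'` in the CSP, which is exactly the kind of weakening that lets injected inline scripts run despite the header being present.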

Securing Your Website With Subresource Integrity

Modern web applications leverage many external sites and services. Instead of hosting every resource such as text, images, stylesheets, and scripts on a web server, most sites render these assets from external reference points when a page loads. Not only does this reduce the load on your origin server, but cached content distributed across the Internet typically results in performance improvement. Site administrators can also leverage a Content Delivery Network (CDN) to enhance the page load times of their web assets. By utilizing a global CDN network, they can ensure that every user accessing their service from anywhere in the world receives the same performance experience.

Open Architecture Security

The security challenge with an open architecture is that it creates a larger attack surface. Loading content from multiple locations and providers increases the risk of a security breach. Should an attacker manage to compromise one of these resources, they could leverage the compromised platform to deliver malware or run malicious scripts on end-user devices. Subresource Integrity (SRI) is an attribute you can add to your HTML script and link tags that protects your service and visitors from this type of attack. SRI verifies the integrity of a script or stylesheet before allowing it to execute on a web page, using a cryptographic hash to ensure the resource has not been altered or manipulated in any way.

How Subresource Integrity Works

SRI leverages the browser to enforce security. When a page loads and the browser encounters an HTML script or link element with the integrity attribute set, it hashes the fetched script or stylesheet and compares the result to the expected hash given in the integrity value. If the comparison fails, the browser will not execute or apply the asset and reports a network error instead.
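The following added example (not the article's code) computes an integrity value the way you would before publishing a script tag, and reproduces the browser's comparison rule, including the case of several hashes in one attribute. The script body and the CDN URL are constructed samples; in practice you hash the exact bytes the CDN serves, since any byte change, even whitespace, changes the digest.

```python
"""Generate and verify Subresource Integrity values."""
import base64
import hashlib

# Constructed sample resource standing in for a third-party script.
SCRIPT_BYTES = b"console.log('hello from the CDN');\n"

# Algorithms SRI recognises, ordered by strength; anything else is ignored.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(data: bytes, integrity: str) -> bool:
    """Mimic the browser: keep only tokens using the strongest recognised
    algorithm; allow the resource if any of them matches. An attribute with
    no usable token lets the resource load unchecked (so typos fail open)."""
    tokens = []
    for tok in integrity.split():
        algo, _, expected = tok.partition("-")
        if algo in STRENGTH:
            # Anything after '?' is an option string and is not part of the digest.
            tokens.append((STRENGTH[algo], algo, expected.split("?")[0]))
    if not tokens:
        return True
    best = max(strength for strength, _, _ in tokens)
    return any(strength == best and sri_hash(data, algo) == f"{algo}-{expected}"
               for strength, algo, expected in tokens)


def script_tag(src: str, data: bytes) -> str:
    """Render the tag; crossorigin is required for cross-origin SRI checks."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example/lib.js", SCRIPT_BYTES))
    tampered = SCRIPT_BYTES.replace(b"hello", b"tampered")
    print("original passes:", sri_check(SCRIPT_BYTES, sri_hash(SCRIPT_BYTES)))
    print("tampered passes:", sri_check(tampered, sri_hash(SCRIPT_BYTES)))
```

Note the fail-open behaviour on an unrecognised algorithm name: a misspelled `integrity` attribute loads the resource without any check, so the value should be generated by tooling rather than typed by hand.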

Securing Your Website With Multiple Layers of Security

HTTP Security Headers and Subresource Integrity are useful tools you can leverage to defend your site and its visitors from attack or compromise. Securing your website by configuring the appropriate settings adds the multiple layers of defense you need to protect your service and your customers from the continually evolving threat landscape. As attackers seek out the weakest link in the chain of services, you should consider leveraging the protection of HTTP Security Headers, and the added security Subresource Integrity provides.