A recent issue of the German iX magazine featured an article on improving end user security by enabling HTTP security headers
X-XSS-Protection,
X-Content-Type-Options MIME type sniffing,
Content-Security-Policy,
X-Frame-Options,
and HSTS Strict-Transport-Security.
The article gave the impression of all of them quite common and a good DevOps being unreasonable not implementing them immediately if the application supports them without problems.
This lead me to check my monthly domain scan results of April 2014 on who is actually using which header on their main pages. Results as always limited to top 200 Alexa sites and all larger German websites.
more here.......http://lzone.de/How-Common-Are-HTTP-Security-Headers
X-XSS-Protection,
X-Content-Type-Options MIME type sniffing,
Content-Security-Policy,
X-Frame-Options,
and HSTS Strict-Transport-Security.
The article gave the impression of all of them quite common and a good DevOps being unreasonable not implementing them immediately if the application supports them without problems.
This lead me to check my monthly domain scan results of April 2014 on who is actually using which header on their main pages. Results as always limited to top 200 Alexa sites and all larger German websites.
more here.......http://lzone.de/How-Common-Are-HTTP-Security-Headers