HTTP Security Headers

Cross-site Scripting (XSS) Protection

Modern browsers include a feature to help protect against cross-site scripting (XSS) attacks. Setting the X-XSS-Protection HTTP header in your wao.io control panel will enable this browser feature for your website. You decide if you only want to remove unsafe scripts or block the whole page from being rendered.

Referrer Policy

Ensure your users' privacy (and security) and set the Referrer-Policy header with wao.io. Stay in control of your analytics by specifying when the browser will set a referrer header and when it will protect your user.

Clickjacking Protection

Hackers use iframes to capture clicks for their own purposes. By enabling the x-frame-options headers for your site, iframes will be disabled and the risk of clickjacking will be mitigated. If you rely on iframes, you can specify specific URLs or allow that the page can only be displayed in an iframe by someone on the same origin.

Forbid Content Type Sniffing

A content-type sniffing vulnerability enables an attacker to inject malicious code, like a malicious executable script, masquerading as an innocent resource. Setting the x-content-type header to nosniff will guard your users from drive-by downloads and hence protect the integrity of your website.

Remove Outgoing Information About Your Server

Exposing too much information about your servers drastically increases the risks of security attacks. Hackers use the information about the implemented software to find security vulnerabilities and attack your servers. With wao.io you can stay safe by removing this delicate information with one push of a button.

Secure Cookies

Often overlooked are special cookie attributes which can significantly reduce the risk of cookie theft. Setting the HTTP Only attribute will deny JavaScript access to the cookie, making it more difficult to steal the cookie when there is a XSS flaw. Cookies marked as secure will only be served via HTTPS which prevents easy intercepting when the user unintentionally switches to an unencrypted HTTP connection.