Many customers wish to enhance the security of their web presence and ensure they comply with organizational requirements related to IT security and third-party audits.
All of our URL redirector responses include the following security-related HTTP header:
X-Content-Type-Options: nosniff
On supported plans, customers may also configure additional security-related settings on a per-hostname basis. These settings are described below.
HTTP Strict-Transport-Security (HSTS)
You can configure HSTS response headers for all requests on a per-hostname basis. This includes the following directives:
Maximum Age: you can specify the max-age of the HSTS response by entering an integer value in seconds. If you leave this field empty we will not include the HSTS header in the response at all. If you set it to 0 we will send max-age=0, which is useful to clear any HSTS policy that client browsers have cached for the hostname.
includeSubDomains Directive: if you enable this setting we will include the "includeSubDomains" directive in the HSTS header, so the policy also applies to every subdomain of the hostname.
preload Directive: if you enable this setting we will include the "preload" directive in the HSTS header, which is a prerequisite for submitting the hostname to browser preload lists.
For further information on HSTS we recommend you review the OWASP HSTS Cheat Sheet which has a lot of great information on this topic.
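As an added illustration of the three directives described above (this is example code, not the redirector's own implementation), the following builds the Strict-Transport-Security value exactly as the settings rules state (no max-age means no header, 0 means max-age=0), parses a received header back into its directives, and checks the value against the hstspreload.org submission requirements. The one-year minimum used in the preload check is the published requirement at the time of writing and is an assumption on my part, not something the article states.

```python
"""HSTS header construction, parsing and a preload eligibility check.
Added example; not code from the URL redirector service itself."""
from typing import Optional

# hstspreload.org requires at least one year (assumption: current published rule).
PRELOAD_MIN_MAX_AGE = 31536000


def build_hsts_header(max_age: Optional[int], include_subdomains: bool = False,
                      preload: bool = False) -> Optional[str]:
    """Return the Strict-Transport-Security value the settings above would produce.

    max_age None -> the header is omitted entirely (returns None)
    max_age 0    -> 'max-age=0', which makes browsers forget a cached policy
    """
    if max_age is None:
        return None
    if max_age < 0:
        raise ValueError("max-age must be a non-negative number of seconds")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value: str) -> dict:
    """Split a received HSTS value into its directives.

    Directive names are case-insensitive (RFC 6797); unknown directives are ignored
    rather than rejected, which is what browsers do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            result["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def preload_eligible(value: str) -> tuple[bool, list[str]]:
    """Report whether a header value satisfies the preload-list requirements.

    Returns (eligible, list of human-readable problems). An empty list means
    the value has a long enough max-age plus both includeSubDomains and preload.
    """
    parsed = parse_hsts_header(value)
    problems = []
    if parsed["max_age"] is None or parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age must be at least {PRELOAD_MIN_MAX_AGE} seconds")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains directive is required")
    if not parsed["preload"]:
        problems.append("preload directive is required")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: the value a fully enabled hostname would send.
    header = build_hsts_header(31536000, include_subdomains=True, preload=True)
    print(header)
    print(preload_eligible(header))
```

Before enabling the preload directive, run a hostname's configured values through a check like preload_eligible: a preloaded hostname whose policy later turns out to be too broad (for example, a subdomain that still needs plain HTTP) is slow to remove from browser lists, so the decision deserves more care than the other two settings.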
HTTPS Upgrade
A best practice when enabling HSTS is to also enable HTTPS Upgrade. When this setting is enabled and we receive an HTTP (insecure) request on this hostname, we first redirect to the HTTPS (secured) version of the same URL on the same hostname, and only then redirect the visitor to the target URL you have configured. This matters because browsers only honour a Strict-Transport-Security header received over HTTPS; a policy sent on a plain-HTTP response is ignored, so without the upgrade hop a visitor who only ever arrives over HTTP would never pick up your HSTS policy.
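To make the two-hop behaviour concrete, here is an added example (not the redirector's own code) that models the redirect chain for a request and marks on which hop an HSTS header would actually be honoured by the browser. The hostnames and target URL are constructed sample values; the rule that HSTS is ignored over plain HTTP comes from RFC 6797.

```python
"""Model the HTTPS Upgrade redirect chain and where HSTS takes effect.
Added example; not code from the URL redirector service itself."""
from urllib.parse import urlsplit, urlunsplit
from typing import Optional


def upgrade_to_https(url: str) -> str:
    """Return the same URL with the scheme switched to https (explicit :80 dropped)."""
    parts = urlsplit(url)
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def simulate_redirects(request_url: str, target_url: str, https_upgrade: bool,
                       hsts_value: Optional[str]) -> list[dict]:
    """Return one record per redirect response the visitor would receive.

    Each record holds the URL requested, the Location sent back, and whether
    an HSTS header on that response would be honoured. RFC 6797 requires
    browsers to ignore Strict-Transport-Security on non-TLS responses, so
    only the HTTPS hop can install the policy.
    """
    hops = []
    url = request_url
    while True:
        scheme = urlsplit(url).scheme.lower()
        if https_upgrade and scheme == "http":
            location = upgrade_to_https(url)       # first hop: same hostname, now HTTPS
        else:
            location = target_url                  # final hop: the configured target
        hops.append({
            "request": url,
            "location": location,
            "hsts_honoured": scheme == "https" and hsts_value is not None,
        })
        if location == target_url:
            return hops
        url = location


def policy_installed(request_url: str, target_url: str, https_upgrade: bool,
                     hsts_value: Optional[str]) -> bool:
    """True if at least one response in the chain delivers an effective HSTS policy."""
    return any(h["hsts_honoured"]
               for h in simulate_redirects(request_url, target_url, https_upgrade, hsts_value))


if __name__ == "__main__":
    # Constructed sample request against a redirector hostname.
    for hop in simulate_redirects("http://go.example.com/promo?c=1",
                                  "https://www.example.com/landing",
                                  https_upgrade=True, hsts_value="max-age=31536000"):
        print(hop)
```

Running the same request with https_upgrade=False shows a single hop straight to the target with hsts_honoured False: the header is sent, but the visitor's browser discards it, which is why the article pairs the two settings.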
Prevent Foreign Embedding and JavaScript
When this setting is enabled we will add several HTTP headers to all responses on the configured hostname. These HTTP headers are as follows:
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block
Together these three HTTP headers prevent major browsers from rendering any content returned in the body of the HTTP response inside an IFRAME, and prevent them from executing any JavaScript unless it was served from this host. This blocks what is commonly referred to as URL masking or URL cloaking and may help mitigate some cross-site scripting and data injection attacks. Note that X-XSS-Protection is a legacy header that Chromium-based browsers and Firefox now ignore; the effective protection comes from X-Frame-Options and the Content-Security-Policy.
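As an added example (not the redirector's own code), the following audits a captured set of response headers for the embedding and script protections described above: it parses the Content-Security-Policy into directives, checks that scripts are restricted to 'self', and checks X-Frame-Options and the X-Content-Type-Options header mentioned at the top of the article. The sample header sets are constructed; the "good" set is the exact combination the article lists.

```python
"""Audit redirector response headers for framing and script restrictions.
Added example; not code from the URL redirector service itself."""


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_embedding_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the response is hardened.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []

    # 1. Framing: X-Frame-Options DENY (or SAMEORIGIN) stops rendering inside an IFRAME.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: page can be framed by other sites")

    # 2. Scripts: script-src falls back to default-src; anything beyond 'self' is a finding.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        findings.append("Content-Security-Policy missing: scripts from any origin may execute")
    elif any(src in ("*", "'unsafe-inline'", "'unsafe-eval'") or src.startswith(("http:", "https:"))
             for src in script_sources):
        findings.append(f"Content-Security-Policy allows scripts beyond 'self': {script_sources}")

    # 3. MIME sniffing: nosniff keeps browsers from reinterpreting the body as script.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


# Constructed sample: the header set the article says is sent when the setting is on.
HARDENED_RESPONSE = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: a response with the setting off and a permissive policy.
WEAK_RESPONSE = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}


if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_embedding_headers(resp) or ["no findings"])
```

The script-src fallback in step 2 is the point the article is making with default-src 'self': when no script-src is present, browsers apply default-src to scripts, so that single directive is what confines JavaScript to the redirector host.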
Insider tip: you can apply your source hostname settings at an organizational level through the default hostname settings.
If you have any questions about these security settings please don't hesitate to reach out. We're happy to guide you further.