Enter headers, stage right
There are quite a few security headers to go through, though in this post I'm only going to cover one: Content-Security-Policy (CSP).
This one is amazing, considering it lets you set where form actions can go as well as where scripts, styles, images, and more can originate from.
How it all works
To really understand how to work with this header, I would suggest checking out everything you can do through content-security-policy.com and getting familiar with it there.
Now, even though the above shows you everything you could do, there are a few things you shouldn't.
Some examples and their reasonings:
https: "Allows loading resources only over HTTPS on any domain." (so it permits any HTTPS origin, not just yours.)
script-src 'unsafe-inline': "Allows use of inline source elements such as style
A solid beginning
A CSP to start from should look something like the following, one directive per resource type:
default-src 'none': anything that isn't set anywhere else should be blocked outright.
script-src: replace with wherever a .js file is loaded from.
style-src: anywhere a .css file is loaded from, replace this.
img-src: any place that an image originates, replace.
font-src: custom fonts (from Google or FontAwesome, for example)? Replace!
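To make the starter policy concrete, here is an added example (not code from the original post) that builds the starter CSP from a directive map, parses a header value back, and flags the two pitfalls called out above: the https: scheme source and 'unsafe-inline' where it governs scripts. The origins in the starter map are constructed placeholders; swap in your own.

```python
# Starter policy from the post: block everything by default, then allow each
# resource type only from the origins you actually load it from.
# The origins below are constructed placeholders, not real deployments.
STARTER_POLICY = {
    "default-src": ["'none'"],                               # block anything not listed
    "script-src": ["'self'", "https://cdn.example"],         # where .js is loaded from
    "style-src": ["'self'"],                                 # where .css is loaded from
    "img-src": ["'self'"],                                   # where images originate
    "font-src": ["'self'", "https://fonts.gstatic.com"],     # custom fonts
}


def build_csp(policy):
    """Serialise a directive -> sources mapping into a header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_csp(header):
    """Parse a CSP header value into a directive -> sources mapping."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header):
    """Return findings for the pitfalls the post warns against."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    # 'unsafe-inline' matters for scripts when it sits in script-src, or in
    # default-src when no script-src is present to override it.
    script_directive = "script-src" if "script-src" in policy else "default-src"
    for directive, sources in policy.items():
        if "https:" in sources:
            findings.append(f"{directive}: https: allows any HTTPS origin")
        if directive == script_directive and "'unsafe-inline'" in sources:
            findings.append(f"{directive}: 'unsafe-inline' allows inline scripts")
    return findings


if __name__ == "__main__":
    header = build_csp(STARTER_POLICY)
    print("Content-Security-Policy:", header)
    print("findings:", audit_csp(header) or "none")
    print("findings:", audit_csp("default-src https:; script-src 'unsafe-inline'"))
```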
For more information about CSP and a deeper dive into this header, check out content-security-policy.com, Mozilla's CSP docs, and Google's Web Security Fundamentals page about CSP.
Questions/Comments/Issues? Feel free to contact me using the methods below.