| title | level | url | type | layout | tags | pitch |
|---|---|---|---|---|---|---|
| OWASP Secure Headers Project | 3 | | documentation | col-sidebar | headers | Provides technical information about HTTP security headers. |
🎯 The OWASP Secure Headers Project (also called OSHP) describes HTTP response headers that your application can use to increase its security. Once set, these HTTP response headers can keep modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.
🤔 HTTP headers are well known and also despised. Seeking a balance between usability and security, developers implement functionality through headers that can make applications more versatile or more secure. But in practice, how are the headers being implemented? Which sites follow the best implementation practices? Big companies, small ones, all or none?
📚 The OWASP Secure Headers Project aims to provide elements about the following aspects of HTTP security headers:
- Guidance about the recommended HTTP security headers that can be leveraged.
- Guidance about the HTTP headers that should be removed.
- Tools to validate an HTTP security header configuration.
- Code libraries that can be leveraged to configure recommended HTTP security headers.
- Statistics about usage of the recommended HTTP security headers.
🏭 All the tools provided by the OSHP are gathered under this GitHub organization.
📺 A presentation of the project is available at the following locations:
- OWASP Spotlight YouTube playlists.
- Application Security Podcast YouTube playlists.
- NoLimitSecu Podcast (French).
🌎 The OWASP Secure Headers Project was migrated from the old website to the GitHub OWASP organization.
📦 The following projects are now archived; they are initiatives that have been replaced by new projects:
📈 We provide statistics, updated every month, about the usage of the HTTP response security headers mentioned by the OWASP Secure Headers Project:
- They are available through this GitHub project.
✅ We provide a Venom test suite to validate an HTTP security response header configuration against the OWASP Secure Headers Project recommendations:
- It is available through this GitHub project.
🧪 We also provide an online mock endpoint returning an HTTP response in which all HTTP response headers recommended by the OSHP are set:
- It is automatically deployed on https://oshp-validator-mock.onrender.com
- Technical details about this endpoint are here.
📖 As mentioned in previous sections, we provide the collection of HTTP response security headers to add as well as HTTP response headers to remove, both in table form.
💡 Additionally, we provide this information as two JSON files to enable automation in the context of a provisioning workflow:
- Collection of HTTP response security headers to add.
- Collection of HTTP response headers to remove.
📡 These JSON files are automatically updated.
📍 We automatically generate and monitor this dashboard to identify any dead project referenced in the Technical Resources tab.
💬 We use the GitHub discussions feature for discussions about the project as well as spreading global information about it.
👩‍💻 The work on the OSHP projects and associated components is tracked using the GitHub project feature.
📡 This atom web feed can be used to be notified when an update is pushed on the OSHP website's repository.
📖 This is documented in the Case Studies tab.
💌 Contributors to OSHP, before the migration of the project to GitHub:
💌 Visit this page for updated information about the contributors since the migration of the project to GitHub.
📑 This project content is free to use. It is licensed under the Apache 2.0 License.