What are the security headers used in an application?

Question

Accepted Answer

Security headers are used to enhance the security of web applications by providing additional protection against attacks.

Common security headers include Content-Security-Policy (CSP), X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security (HSTS)
CSP helps prevent cross-site scripting (XSS) attacks by specifying which sources of content are allowed to be loaded
X-XSS-Protection helps prevent XSS attacks by enabling the browser's built-in XSS protection
X-Content-Type-Options prevents browsers from interpreting files as a different MIME type
X-Frame-Options prevents clickjacking attacks by specifying which domains are allowed to embed the application in an iframe
HSTS forces the browser to use HTTPS instead of HTTP, preventing man-in-the-middle attacks
Security headers can be added to an application's HTTP response using the appropriate HTTP header fields

Top Ernst & Young Security Consultant interview questions & answers