Configuring Security Headers in Undertow

Security headers are an excellent way to reduce the exploitability of your website. There are several important headers, with varying levels of difficulty to implement. Implementing them with the strictest policies on new projects will help enforce better practices. Adding security headers to legacy projects can be a bit more work if you want to set a strict Content Security Policy or your legacy site doesn't support HTTPS everywhere. It's fairly common to handle all security headers in a central load balancer or a proxy server like HAProxy or NGINX. This makes them much easier to maintain if you have different tech stacks and want a simple way to keep everything consistent. Since we only use Java and Undertow, let's look at how we added simple implementations for this site, which can be seen in the following PRs: CSP and Security Headers. Scott Helme's securityheaders.io is a great online tool for verifying that you have implemented the headers correctly. The previous PRs brought our score from F to A+.
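As an added example (not the article's code, nor the site's PRs, nor part of Undertow itself), the handler below shows the shape of an in-application implementation: a wrapping `HttpHandler` that sets a fixed set of security headers on every response before delegating to the real application handler. The header values, the CSP string, the class name and the listener port are assumptions chosen for illustration. It also handles the legacy-site caveat from the text: `Strict-Transport-Security` is only emitted when Undertow reports the exchange as secure, so a site that is not yet HTTPS everywhere does not lock browsers into TLS prematurely.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;

/**
 * Added example, not the article's own code: wraps another HttpHandler and
 * sets security headers on every response. Header values are assumptions.
 */
public final class SecurityHeadersHandler implements HttpHandler {

    // Header names as HttpString so they can be used with HeaderMap.put().
    private static final HttpString CONTENT_SECURITY_POLICY = new HttpString("Content-Security-Policy");
    private static final HttpString STRICT_TRANSPORT_SECURITY = new HttpString("Strict-Transport-Security");
    private static final HttpString X_CONTENT_TYPE_OPTIONS = new HttpString("X-Content-Type-Options");
    private static final HttpString X_FRAME_OPTIONS = new HttpString("X-Frame-Options");
    private static final HttpString REFERRER_POLICY = new HttpString("Referrer-Policy");

    private final HttpHandler next;
    private final String csp;

    public SecurityHeadersHandler(HttpHandler next, String csp) {
        this.next = next;
        this.csp = csp;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        HeaderMap headers = exchange.getResponseHeaders();

        // Headers set here are written when the wrapped handler starts the response.
        headers.put(CONTENT_SECURITY_POLICY, csp);
        headers.put(X_CONTENT_TYPE_OPTIONS, "nosniff");
        headers.put(X_FRAME_OPTIONS, "DENY");
        headers.put(REFERRER_POLICY, "strict-origin-when-cross-origin");

        // HSTS is only meaningful on a TLS connection; sending it from a site that
        // is not HTTPS everywhere can break plain-HTTP paths for a year (max-age).
        if (exchange.isSecure()) {
            headers.put(STRICT_TRANSPORT_SECURITY, "max-age=31536000; includeSubDomains");
        }

        next.handleRequest(exchange);
    }

    // Minimal stand-alone server so the handler can be exercised locally.
    public static void main(String[] args) {
        HttpHandler app = exchange -> {
            exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/html; charset=utf-8");
            exchange.getResponseSender().send("<html><body>hello</body></html>");
        };

        // Assumed policy: same-origin only, no plugins, no framing, no <base> hijacking.
        String csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'";

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "localhost")          // assumed port
                .setHandler(new SecurityHeadersHandler(app, csp))
                .build();
        server.start();
    }
}
```

Run it and inspect the response headers with `curl -sI http://localhost:8080/`; you should see the CSP, `X-Content-Type-Options`, `X-Frame-Options` and `Referrer-Policy` lines but, because the listener is plain HTTP, no `Strict-Transport-Security`. Once the same handler sits behind an HTTPS listener (or a proxy that Undertow is configured to trust for the scheme), the HSTS header appears as well, which is the point at which a scan on securityheaders.io starts to reward the full set.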

Read full news article on Dzone
