Our new AI security scanning tools give our head developer the information needed to take the Network's security game to the next level.
HTTP headers contain information that instructs your browser 'behind the scenes' on how to handle content requested from our servers. They include security settings that help prevent attacks like cross-site scripting (XSS), code injection and clickjacking....Did we lose you there? It's ok, this is complicated stuff.
Securing a website is similar to walking on a tightrope; it requires full attention (24 hours a day), there are a million small, easy ways to fall out of line, and you have to keep moving to keep your balance. That is why this new group of AI scanning tools is so wonderful - think of it like adding a bomb sniffing dog to our Network's security team.
It focuses on 'HTTP Header' security. Every page our server sends back to your browser can carry these headers, and if they are missing or misconfigured the browser has no instructions to follow and falls back to its permissive defaults, which leaves the page open to attack. Here's a sample of what some of these HTTP Security Headers do and why it is so important to make sure they are performing properly:
- Content Security Policy: This gives our developers the ability to specify which resources (scripts, styles, images, frames) a page is allowed to load, and from where. Essentially, they can green-light calls for just the content your site is supposed to load, and the browser blocks anything else, including scripts an attacker manages to inject into the page.
- Cross Site Scripting Protection (X-XSS-Protection): This handy little filter was built into Chrome, IE, and Safari. If it senses a reflected XSS attack, it puts the kibosh on it right away, and this header tells the filter we want it to work (and to block the page outright, not just filter it) for our Network sites. One caveat: newer versions of Chrome and Edge have since dropped the filter entirely, so we treat this header as a belt-and-suspenders measure and rely on Content Security Policy for the real protection.
- X-Frame-Options: This is needed to prevent a nasty practice called 'clickjacking'. An attacker loads one of our pages inside an invisible frame on their own site and lays their own content over the top, so when a user thinks they are clicking a harmless button they are really clicking something on our page underneath it. That is how people end up giving away valuable personal information or approving actions without even knowing it. How do we fix it? By using this header to tell the browser that our pages may not be put inside a frame at all (DENY), or only by pages from our own site (SAMEORIGIN), which blocks anyone else from framing our content.
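To make the 'sniff test' concrete, here is a small Python script (an added example we wrote for this post, not the scanning tool itself) that runs the three checks above over a set of response headers and turns the findings into a letter grade. The header values are made up for illustration, and the grading scale is a hypothetical one that does not reproduce the tool's scoring.

```python
"""Audit a set of HTTP response headers for the protections described above.

Added example, not the Network's scanning tool: the sample headers are
constructed and the letter-grade scale is a hypothetical one for illustration.
"""


def _get(headers, name):
    """Look up a header case-insensitively (HTTP header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def parse_csp(csp):
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Content-Security-Policy: must exist, and the script policy must not
    # let anything run (no wildcard, no inline scripts, no eval).
    csp = _get(headers, "Content-Security-Policy")
    directives = parse_csp(csp) if csp else {}
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when it is not set.
        script_sources = directives.get("script-src", directives.get("default-src", []))
        for risky in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if risky in script_sources:
                findings.append(f"CSP allows {risky} in script-src")

    # Framing: either CSP frame-ancestors or a valid X-Frame-Options value
    # must tell the browser who may put this page inside an iframe.
    xfo = _get(headers, "X-Frame-Options")
    xfo_ok = xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN")
    if "frame-ancestors" not in directives and not xfo_ok:
        findings.append("framing not restricted (no frame-ancestors and no valid X-Frame-Options)")

    # X-XSS-Protection: legacy filter, ignored by current Chrome and Edge.
    # If it is sent at all it should be '0' or '1; mode=block'; plain '1'
    # (filter mode) rewrites the page instead of blocking it.
    xxp = _get(headers, "X-XSS-Protection")
    if xxp is not None:
        value = xxp.replace(" ", "").lower()
        if value.startswith("1") and "mode=block" not in value:
            findings.append("X-XSS-Protection in filter mode (use '1; mode=block' or '0')")

    return findings


def grade(headers):
    """Hypothetical letter grade: one step down per finding, F at four or more."""
    count = len(audit_headers(headers))
    return "ABCDF"[min(count, 4)]


# Constructed sample responses (made up for this example, not captured from any site).
GOOD_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
    "X-XSS-Protection": "1; mode=block",
}

LEGACY_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("legacy", LEGACY_HEADERS)):
        print(f"{label}: grade {grade(hdrs)}", audit_headers(hdrs))
```

Run it and the 'good' set comes back with no findings and an A, the 'weak' set fails on all three fronts, and the 'legacy' set shows the one thing a real scanner also catches: a header that is present but set to a value weaker than it should be.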
That list is a small sample of what these various headers are capable of, and since the recommended settings are always changing (because the attacks are always changing) we are pretty darn happy when our AI watchdog does a sniff test and tells us we got an 'A' security grade for your site. We're guessing you're pretty happy about that 'A' grade too.