How To Enable Security Headers on Heroku

How do HTTP Headers Help with Web Security

HTTP Response Headers are how web servers communicate back to web browsers what security rules should be applied to requests. As an application developer setting these headers can help prevent certain types of web attacks.

What Security Headers Should Be Enabled

X-XSS-Protection

Helps to prevent cross-site scripting attacks by restricting certain browser behaviors.

X-Frame-Options

Prevents your site from loading in an iframe. This is important as sometimes iframes are used in phishing attempts.

X-Content-Type-Options

Prevents MIME-based content attacks.

Prerequisites

What you need to get started:

  1. Expedited WAF add-on is setup in front of your application.

How To Enable Security Headers

Enable Security Headers from the Stop Attacks page of your Expedited WAF dashboard:

Notes

  • Settings these options is usually quite safe with existing applications

Resources

Learn more about Security Headers

Next steps

If you need help with improving your application's security, you can Book a Demo (free) to talk to a security engineer about your application security and compliance requirements. If you're ready to go, you can add the Expedited WAF add-on to your Heroku application in about 15 minutes.