RapidSpike Security Headers

A few lines of code in your website’s header can make or break your security and your customer’s trust. We know how important that is to you, so at RapidSpike we’re here to empower you with data, protecting your website from the top down, and today we’re talking about the very top — your homepage header and its precious metadata.

When a customer visits your website’s homepage, the metadata in the header tells their device how to act, how to respond and what rules to expect. On simple sites, the header might be just a few lines of code and a link to a CSS file, but as sites become more complicated, the header can become larger and larger, until the complexity starts to introduce risks and lower the overall performance of your site. This is where RapidSpike comes in.

Our Security Header scanning capabilities allow you to review your homepage’s performance, receive a ranking based on a number of factors, such as:

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • Feature-Policy / Permissions-Policy

Each of these policies serves a specific purpose, and protects your site’s users in a different way. For example, the HTTP Strict Transport Security (HSTS) header lets a server declare to browsers that it will only interact with them over HTTPS. This provides a defence against man-in-the-middle type attacks, and ensures that all traffic and data types on your site are encrypted. In more detail, when responding to an HTTP request, a web server sends headers as part of the response; these headers give the browser more information about the contents of the response. OWASP (The Open Web Application Security Project) defines a series of HTTP response headers that can be used to increase the security of a web application, restricting browsers so that they do not fall foul of a range of easily preventable vulnerabilities.

Without this HSTS header, an attacker sitting between the client and the server could impersonate the client by communicating with the server over HTTPS, while serving the client over an insecure connection. This would satisfy the server’s security requirements, allowing data to then be forwarded to the client, who would have no way of knowing that it should be using a secure connection. Finally, the attacker would then be able to read, or even change, all traffic sent to or from the client.

Collectively, these headers form a good baseline defence against a range of attacks, and as such it is recommended that they be utilised. Our Security Headers monitor will check which headers are being served in a response, check for misconfigurations, and generate an overall score. You can use these results to quickly identify potential areas of improvement, pointing out how and where changes could be made.
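As an added illustration of the kind of check such a monitor performs (example code written for this page, not RapidSpike’s own scanner), the function below takes a dictionary of response headers, tests the three headers listed above for presence and common misconfigurations, and returns a score with actionable findings. The one-year minimum for the HSTS max-age and the 'unsafe-inline' check are assumptions based on common hardening guidance, not thresholds the page states.

```python
import re

# One year: the minimum HSTS max-age commonly recommended (assumed threshold).
MIN_HSTS_MAX_AGE = 31536000

def check_security_headers(headers):
    """Return (score, findings) for a dict of HTTP response headers.
    One point per header that is present and not misconfigured; findings are
    PASS/WARN/FAIL strings. Names are matched case-insensitively, as browsers do."""
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    # HSTS: missing or short-lived max-age leaves a window for an HTTP downgrade.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("FAIL Strict-Transport-Security missing; plain-HTTP requests are not upgraded")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"WARN Strict-Transport-Security max-age={max_age} is under one year")
        else:
            score += 1
            findings.append("PASS Strict-Transport-Security")
    # CSP: present but permitting inline scripts gives little protection against XSS.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("FAIL Content-Security-Policy missing; script sources are unrestricted")
    elif "'unsafe-inline'" in csp:
        findings.append("WARN Content-Security-Policy allows 'unsafe-inline'")
    else:
        score += 1
        findings.append("PASS Content-Security-Policy")
    # Permissions-Policy superseded Feature-Policy; only the legacy name set is a warning.
    if "permissions-policy" in h:
        score += 1
        findings.append("PASS Permissions-Policy")
    elif "feature-policy" in h:
        findings.append("WARN only the legacy Feature-Policy header is set")
    else:
        findings.append("FAIL Permissions-Policy missing; browser features are unrestricted")
    return score, findings

# Constructed sample response headers (not captured from any real site).
SAMPLE = {"Strict-Transport-Security": "max-age=300",
          "Content-Security-Policy": "default-src 'self'",
          "Feature-Policy": "camera 'none'"}
```

Running `check_security_headers(SAMPLE)` scores 1 out of 3: the CSP passes, while the short HSTS max-age and the legacy Feature-Policy header are reported as warnings.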

Here’s how to configure a monitor within the RapidSpike app. 

Enabling the Security Headers Monitor

  1. Select the website you want to monitor from my.rapidspike.com -> Websites.
  2. Select Settings, and ensure the monitoring level is set to Advanced.
General Settings – Monitoring Level
  3. On the right hand side under Monitor Status -> Security Add-on Monitors, ensure the Security Headers monitor is switched on.
Security Add-on Monitors

When the monitor has completed its first run, the results of the Security Header scan can be accessed from the Website Overview, on the right hand side under security:

Security Headers Results

Here’s a view of the results screen, highlighting any issues or pass messages. These include actionable details for your team to implement, tightening any weak spots in your headers.

Security Headers Details

Our Security Headers monitor is always there to support your business and to flag any malicious actors so you can respond in the least possible time. Time saved is money saved, and can help protect your brand’s hard-earned reputation.

Configuring these settings can be done in just a few minutes through the RapidSpike platform. If that wasn’t enough, this additional security is part of every bespoke RapidSpike plan at no extra cost — so what are you waiting for?
Get in touch with our team today.