Visitor Protection

Really Simple Security Pro configures powerful Security Headers to protect site visitors against potential threats. The headers provide security instructions to the visitors’ browsers on which resources and browser features may be used.


About Visitor Protection

HSTS & HSTS Preload

The HSTS (HTTP Strict Transport Security) header instructs the browser to always load a website over HTTPS. It is a must-have for every website: it enforces SSL and a secure, encrypted connection.

Scenario:

1. A website visitor is hijacked while trying to access your website.
2. The hacker serves a look-alike website with the purpose of stealing, e.g., personal data.

Frame Ancestors (X-Frame-Options)

These headers let you specify which domains may load your website in an iFrame. This prevents visitors from being tricked into leaving personal information with malicious sites that pose as your site.

Scenario:

1. The website visitor expects to enter their payment information or personal data on website A, which seems secure.
2. Website B, controlled by a malicious party, loads website A in an 'invisible' iFrame/layer to pose as the correct form to enter.

X-Content-Type-Options

The X-Content-Type-Options header is especially important for sites with user-uploaded content, such as forums. It protects visitors from downloading malicious content disguised as, e.g., PDFs or images.

Scenario: the website visitor expects to view an image file, but is downloading a script (bomb) file.

Content Security Policy

The Content Security Policy is a very powerful header that specifies exactly which (types of) resources may be loaded on a website. Any other (potentially malicious) resources are blocked.

Without a CSP: the server does not define which scripts the browser is allowed to use to render the website.

With a CSP:

1. The CSP acts as a filter to ensure that only safe, pre-approved resources and assets can be loaded on the website.
2. Visitors are safeguarded, as they can only interact with trusted, owner-approved content.

Referrer Policy

The Referrer Policy lets you determine which information may be included in the referrer URL when a site visitor is referred to another page or an external website.

Scenario:

1. You're logged in to Facebook, and your login credentials are present in the URL. You stumble upon an advert from Amazon and click it.
2. You visit the Amazon product page, and an Amazon marketeer finds your credentials in their analytics tool.

Permissions Policy

The Permissions Policy specifies which browser features may be used on your website, or by third-party tools loaded by your website. The header protects site visitors by disabling all other browser features on the site.

Scenario:

1. You visit a webshop to browse the latest sneakers. Suddenly, your webcam turns on. What's happening?
2. Using browser settings that might allow browser features, all browser data, even from a camera, is collected by a third party.

CORS headers

These are a combination of four headers that allow site owners to achieve 'Cross-Origin Isolation'. They only allow information exchange with other sites that have a matching CORS configuration.

Scenario:

1. A PayPal pop-up shows up on top of the Amazon website, used to collect payment information and process the order.
2. During the visit, and during the payment, Google's API request is blocked and no data is shared, 'isolating' your website.
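As an added example (not code from the Really Simple Security page or plugin), a small Python audit that parses one response's header set and checks each header described above: HSTS preload readiness, frame protection (CSP frame-ancestors or X-Frame-Options), nosniff, CSP presence, a Referrer-Policy that does not leak full URLs, a Permissions-Policy that disables the camera, and COOP/COEP cross-origin isolation. The two header sets are constructed samples; the thresholds follow the public HSTS preload requirements and the cross-origin-isolation definition.

```python
import re
from typing import Dict, List

# Constructed samples: one hardened header set, one with the weak settings the scenarios above describe.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}
WEAK = {"Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url",
        "Permissions-Policy": "geolocation=()"}

def split_directives(value: str, sep: str) -> Dict[str, str]:
    """Parse 'max-age=1; preload' or "frame-ancestors 'self'" into {lowercase name: value}."""
    out: Dict[str, str] = {}
    for part in value.split(sep):
        m = re.match(r"([^=\s]+)[=\s]*(.*)", part.strip())
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out

def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    found: List[str] = []
    hsts = split_directives(h.get("strict-transport-security", ""), ";")
    age = hsts.get("max-age", "")
    # Preload submission requires a max-age of at least one year plus includeSubDomains and preload.
    if not age.isdigit() or int(age) < 31536000 or not {"includesubdomains", "preload"}.issubset(hsts):
        found.append("HSTS missing or not preload-ready")
    csp = split_directives(h.get("content-security-policy", ""), ";")
    if not csp:
        found.append("no Content-Security-Policy")
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        found.append("no frame-ancestors or X-Frame-Options: the page can be framed")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        found.append("X-Content-Type-Options is not nosniff")
    # unsafe-url and no-referrer-when-downgrade send the full URL to other HTTPS sites.
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        found.append("Referrer-Policy missing or leaks full URLs to other sites")
    if split_directives(h.get("permissions-policy", ""), ",").get("camera") != "()":
        found.append("Permissions-Policy does not disable the camera")
    # Cross-origin isolation requires both COOP same-origin and COEP require-corp.
    if (h.get("cross-origin-opener-policy"), h.get("cross-origin-embedder-policy")) != ("same-origin", "require-corp"):
        found.append("not cross-origin isolated (COOP/COEP)")
    return found
```

Feed it the headers captured from your own site's response to see which of the protections above are actually in place.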
