As new web attacks appear, protective strategies must adapt. Recent attacks such as clickjacking, XSS filter bypassing and MIME sniffing have had a dramatic effect on the World Wide Web community.
These new attack patterns require a new type of security mechanism because of the vector from which they originate. New security solutions, termed Declarative Security, have been proposed; they are applied at a low level, in the HTTP protocol itself.
The main idea is to specify security in an HTTP header (parameter) that the server sets and sends to the web browser as part of the response. While rendering the page, the browser scrutinizes these HTTP headers and invokes the specified security module in order to head off the attacks.
As the name implies, the developer declares the protection parameters for a specific set of attacks as part of the web server configuration or of the application running on the server.
Most of these declarative security parameters are not part of the HTTP 1.1 specification; they are vendor-specific or customized security solutions tied to a particular product. Declarative security in HTTP headers is therefore commonly referred to as "X" factor protection: most of these headers start with "X" to distinguish them from the standard HTTP 1.1 headers. Headers that define declarative security include X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, X-Download-Options and X-Content-Security-Policy. Microsoft, Chrome and Mozilla have adopted this type of security.
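The server/browser division of labour described above, as an added example that is not code from the paper: a minimal HTTP server that declares the five headers named in the text, and an audit function that classifies a captured response's headers as present, missing or weakly set. Header values are the commonly documented ones for each header; the sample response and the ProtectedHandler name are constructed for the example.

```python
# Added example, not the paper's code: a server that declares the headers named
# in the text, plus an audit of a captured response (SAMPLE_RESPONSE is constructed).
from http.server import BaseHTTPRequestHandler, HTTPServer
# Server-side declarations; the browser reads each one and enables the matching protection.
DECLARATIVE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",     # reflected-XSS filter, block the page
    "X-Frame-Options": "DENY",               # never render inside a frame (clickjacking)
    "X-Content-Type-Options": "nosniff",     # no MIME sniffing away from Content-Type
    "X-Download-Options": "noopen",          # IE: don't open downloads in the site's context
    "X-Content-Security-Policy": "default-src 'self'",  # legacy CSP header name
}

class ProtectedHandler(BaseHTTPRequestHandler):
    """Serves a page with every declarative header attached to the response."""
    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in DECLARATIVE_HEADERS.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def audit_headers(headers):
    """Map each declarative header to 'ok', 'missing' or 'weak' (present, but the
    value does not switch the protection on). Names match case-insensitively."""
    got = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    for name in DECLARATIVE_HEADERS:
        value = got.get(name.lower())
        if value is None:
            report[name] = "missing"
        elif name == "X-XSS-Protection" and value.startswith("0"):
            report[name] = "weak"   # filter explicitly disabled
        elif name == "X-Frame-Options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            report[name] = "weak"   # e.g. ALLOW-FROM, which several browsers ignore
        elif name == "X-Content-Type-Options" and value.lower() != "nosniff":
            report[name] = "weak"
        else:
            report[name] = "ok"
    return report

# Constructed headers of a response that only half-applies the protections.
SAMPLE_RESPONSE = {"Content-Type": "text/html", "X-XSS-Protection": "0",
                   "x-frame-options": "ALLOW-FROM https://example.com", "X-Content-Type-Options": "nosniff"}
if __name__ == "__main__":
    print(audit_headers(SAMPLE_RESPONSE))
    HTTPServer(("127.0.0.1", 8080), ProtectedHandler).serve_forever()
```

Running the module prints the audit of the constructed response and then serves the protected page on localhost, where the declared headers can be inspected with any browser's developer tools.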