You’ve probably seen and heard a lot of commotion recently, due to an increase in cyber-attacks on vulnerable devices. Very recently, Google has issued a new security update for Google Chrome, asking any web developers to serve a ‘NoSNiff Response Header’, in an attempt to prevent hacks via web browsers. This is something that should be considered with much care, particularly if you are in SEO or web development/design. In this post we are going to explore this update and why you should carefully consider Google’s request.
Why is This Security Update So Important?
With various cyber attacks such as spectre and meltdown, which are targeting people with vulnerabilities on their devices and is exposing them for sensitive information & data; a security update like NoSniff has never been more important.
Protect yourself, your users and your clients by keeping on top of this and preventing any sensitive information from falling privy to unwelcome hackers. We would advise that you take every precaution available to you and if you’re unsure, seek advice.
What Exactly Does the Update Do?
The recent Chrome V 67 update introduced a new feature which was originally called ‘Site Isolation’. This is a new security measure which is designed to prevent any attacks on a website visitor’s browser.
In a nutshell, it makes it very difficult for shady websites to steal your information. So, if there are any websites that a visitor clicks on, with any security bugs or potential risks, they’ll have a second line of defence for peace of mind. – In addition to that it makes it far more difficult for malicious and untrustworthy websites from stealing information from other sites.
What to Do Next
Google Chrome would like you to do the following, for your own protection and to help the Site Isolation tool work more efficiently:
You must check that all resources are served with the correct ‘Content-Type’ response headers, and that they are served with a NoSniff response header as well.
For additional clarity, we have extracted the following information from Google’s developer page:
For HTML, JSON, and XML resources:
Make sure these resources are served with a correct “Content-Type” response header from the list below, as well as a “X-Content-Type-Options: NoSniff” response header. These headers ensure Chrome can identify the resources as needing protection, without depending on the contents of the resources.
- HTML MIME type – “text/html”
- XML MIME type – “text/xml”, “application/xml”, or any MIME type whose subtype ends in “+xml”
- JSON MIME type – “text/json”, “application/json”, or any MIME type whose subtype ends in “+json”
OK, so What is a NoSniff Response Header?
The NoSNiff response header makes it easier for you to keep your website and its information more secure. It is however important to note that Google recommends that you don’t rely on this method wholeheartedly, though you make it clear that you’re using it with the appropriate NoSniff header. In addition to the extra security, it will discourage hackers from trying to sabotage your information.
How to Add a NoSniff Response Header to Your Website
Htaccess code for NoSniff response header:
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
For WordPress:
For WordPress websites you’re going to need to install a plugin. Here are two that we have found which can be used:
- Security Headers – Easy to Use, fewer security features
- HTTP Headers to Improve Security – More complex, though with addition security features
Of course, there are other plugins available, though we tend to recommend going with a plugin that has more installation, as this tends to nod towards it being more reliable or far easier to use.
Summary
It’s time to tighten every bolt and lock the ship down! Cyber security has never been more important than it is today, particularly if your bread & butter comes from an online business. Do not fall prey to these malicious attacks and ensure that your information & that of the people that you work with is safe and secure.
For the past year or so, Google has also consistently been taking steps to push websites towards using secured SSL certificates in order to make the web a safer place for browsers. This is certainly good to see and something that everyone should be striving towards together. It’s a terrible thing, having to hear about people’s business being devastated due to hacker’s stealing their passwords and other sensitive information. Do not take any chances!