Common Pitfalls and Solutions
Avoid these common security header mistakes:
Overly permissive CORS: never combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true (nginx shown):

# Wrong - wildcard origin combined with credentials
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Credentials "true" always;

# Correct - name the allowed origin explicitly
add_header Access-Control-Allow-Origin "https://trusted-domain.com" always;
add_header Access-Control-Allow-Credentials "true" always;
CSP breaking functionality: test thoroughly and deploy the policy in report-only mode first (Apache shown):

# Start in report-only mode: violations are reported, nothing is blocked
Header set Content-Security-Policy-Report-Only "..."

# Monitor the reports and adjust the policy

# Only then switch to enforcement
Header set Content-Security-Policy "..."
Missing 'always' parameter: without it, nginx's add_header applies only to 2xx/3xx responses, so error pages go out without the header:

# Wrong - header not sent for 4xx/5xx responses
add_header X-Frame-Options "SAMEORIGIN";

# Correct - header sent on every response
add_header X-Frame-Options "SAMEORIGIN" always;
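The CORS and 'always' pitfalls above both come down to how nginx's add_header behaves. As an added example (not from the original page), the following nginx configuration allowlists several trusted origins with a map directive instead of hardcoding one origin or reflecting the request's Origin header; the hostnames and the /api/ location are assumptions.

```nginx
# Added example: map the request's Origin header to an allowlisted value.
# Unlisted origins map to "", and add_header emits nothing when its value
# is empty, so unknown origins receive no Access-Control-Allow-Origin at all.
map $http_origin $cors_origin {
    default                           "";
    "https://trusted-domain.com"      $http_origin;   # assumed origin
    "https://app.trusted-domain.com"  $http_origin;   # assumed origin
}

server {
    listen 443 ssl;
    server_name api.trusted-domain.com;   # assumed hostname

    # Headers that every response should carry, error pages included.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location /api/ {
        # add_header is NOT inherited once a block defines its own add_header,
        # so the server-level headers must be repeated here.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;

        # CORS: only allowlisted origins get an echo of their Origin value.
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        # Responses differ per Origin, so caches must key on it.
        add_header Vary "Origin" always;

        # Preflight: answer directly with the allowed methods/headers.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age 600 always;
            return 204;
        }

        proxy_pass http://127.0.0.1:8080;   # assumed upstream
    }
}
```

Because Access-Control-Allow-Credentials is sent with a specific origin rather than "*", credentialed requests work for the listed origins while every other origin is denied by the browser.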