Secure Developer Challenge May 2021

Thanks to everyone who submitted to the Secure Developer Challenge for May 2021!

For this month’s challenge, we asked you to identify which of these statements about HTTP security headers are false:

The correct answer is that options C and F are incorrect. Did you get it right?

X-XSS-Protection turns on the browser’s built-in XSS auditor, which is meant to protect against XSS attacks. But the best practice is actually to disable XSS filtering by sending the header “X-XSS-Protection: 0”. Relying on this header to prevent XSS is insufficient: the auditor sometimes interferes with an application’s own XSS protections, and security researchers have found numerous X-XSS-Protection bypasses. Use the Content-Security-Policy header instead.

MIME-sniffing is when a browser tries to determine the file type of a document by examining its content rather than trusting the declared type. X-Content-Type-Options turns off MIME-sniffing in the browser and tells it that the content type of the response is exactly what the Content-Type header says. The best practice for this header is “X-Content-Type-Options: nosniff”. This prevents the browser from interpreting non-executable files as executable scripts.
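To make the guidance in the two paragraphs above concrete, here is an added example (not part of the original post) in Python: it parses the header block of a raw HTTP response, such as the output of `curl -i`, and reports whether X-XSS-Protection is set to `0`, whether X-Content-Type-Options is `nosniff`, and whether a Content-Security-Policy header is present at all. The two sample responses are constructed for the example, not captured from any real site.

```python
"""Check HTTP response headers against the X-XSS-Protection / X-Content-Type-Options guidance.

Added example; the responses below are constructed sample data, not real captures.
"""

from typing import Dict, List

# Constructed sample: legacy auditor enabled, no nosniff, no CSP.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample following the post's recommendations.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict keyed by lower-cased name.

    The status line is skipped and parsing stops at the first blank line (the body).
    Header names are case-insensitive, so keys are normalised to lower case.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for the headers the post discusses; [] means all checks pass."""
    findings: List[str] = []

    # X-XSS-Protection: the recommended value is "0", which disables the legacy
    # browser XSS auditor; "1" or "1; mode=block" re-enables a bypassable filter.
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection: missing; set it to '0' and rely on CSP")
    elif xss.split(";", 1)[0].strip() != "0":
        findings.append(f"X-XSS-Protection: '{xss}' should be '0'; rely on CSP instead")

    # X-Content-Type-Options: "nosniff" is the only meaningful value.
    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: {xcto!r} should be 'nosniff'")

    # Content-Security-Policy is the header that should carry the XSS defence,
    # so its absence is a finding even when X-XSS-Protection is set correctly.
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy: missing")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = check_security_headers(parse_raw_headers(raw))
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

The checker only inspects the first token of X-XSS-Protection, so `0` passes while `1`, `1; mode=block` or a report-uri variant is flagged. It treats a CSP as present-or-absent only; judging whether a given policy actually blocks script injection needs directive-level review that this example does not attempt.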

Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.

Secure Developer Challenge May 2021 was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Vickie Li.