惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
S
Schneier on Security
P
Privacy & Cybersecurity Law Blog
S
Security @ Cisco Blogs
W
WeLiveSecurity
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Microsoft Azure Blog
Microsoft Azure Blog
NISL@THU
NISL@THU
T
Troy Hunt's Blog
L
LangChain Blog
L
LINUX DO - 最新话题
T
The Exploit Database - CXSecurity.com
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
A
About on SuperTechFans
N
Netflix TechBlog - Medium
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
Y
Y Combinator Blog
H
Heimdal Security Blog
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
SecWiki News
SecWiki News
Microsoft Security Blog
Microsoft Security Blog
T
Tenable Blog
P
Proofpoint News Feed
H
Hacker News: Front Page
G
GRAHAM CLULEY
I
Intezer
V
V2EX
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
H
Help Net Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
人人都是产品经理
人人都是产品经理
博客园 - 聂微东
Latest news
Latest news
Recent Announcements
Recent Announcements
Hugging Face - Blog
Hugging Face - Blog
腾讯CDC
博客园_首页
Webroot Blog
Webroot Blog
博客园 - 三生石上(FineUI控件)
AI
AI
N
News | PayPal Newsroom
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
B
Blog RSS Feed
美团技术团队

Datadog | The Monitor blog

Introducing our open source AI-native SAST Instrument and monitor Boomi integration flows with OpenTelemetry and Datadog Not all index scans are equal: How we cut query latency by over 99% Platform engineering metrics: What to measure and what to ignore Integrate Recorded Future threat intelligence with Datadog Cloud SIEM CI/CD security: threat modeling using a MITRE-style threat matrix CI/CD security: How to secure your GitHub ecosystem Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API Operating agentic AI with Amazon Bedrock AgentCore and Datadog LLM Observability: Lessons from NTT DATA Introducing the Datadog Code Security MCP Capture and analyze custom heatmaps in Session Replay Understand session replays faster with AI summaries and smart chapters Monitor ClickHouse query performance with Datadog Database Monitoring How we designed empathetic alert sounds for on-call engineers Search and act across Datadog to resolve issues faster with Bits Assistant Measure the business impact of every product change with Datadog Experiments Analyzing round trip query latency Configuring JavaScript caches for better performance Introducing Bits AI Dev Agent for Code Security Datadog achieves ISO 42001 certification for responsible AI Monitor Nutanix clusters, hosts, and VMs with Datadog Monitor Juniper Mist in Datadog A new Host Map for modern infrastructure Annotate traces to improve LLM quality with Datadog LLM Observability What’s new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations Explore Kubernetes with native OpenTelemetry data Monitor Oracle Fusion Cloud Applications with Datadog Announcing the Datadog Terraform provider v4.0.0 Scaling Kubernetes workloads on custom metrics How to design cloud environments for AI-powered threat analysis Monitor Aruba Central in Datadog How we centralize and remediate risks with Datadog Case Management Accelerate incident response with Datadog and ServiceNow Monitor your application and network load balancer logs Understanding Karpenter architecture for Kubernetes autoscaling Tools for collecting metrics and logs from Karpenter Monitor Karpenter with Datadog What your product data is actually saying Key metrics for monitoring Karpenter Securing Datadog’s platform in the AI age: The role of observability data Four ways engineering teams use the Datadog MCP Server to power AI agents Approaching your observability migration with the right mindset Meet the new Bits AI SRE: Deeper reasoning, twice as fast Key learnings from the 2026 State of DevSecOps study Use plain English to query your multi-cloud infrastructure in Resource Catalog Simplifying troubleshooting across the user journey with Datadog Synthetic Monitoring Protect your OCI resources with Datadog Cloud Security This Month in Datadog - February 2026 Amazon EC2 security: How misconfigured and public AMIs expand your cloud attack surface Enable end-to-end visibility into your Java apps with a single command Measure and improve mobile app startup performance with Datadog RUM Evaluating our AI Guard application to improve quality and control cost Identify untested code across every level of your codebase Make use of guardrail metrics and stop babysitting your releases Monitor Versa Networks SD-WAN performance in Datadog Improve performance and reliability with APM Recommendations Remediate transitive vulnerabilities faster with Datadog Software Composition Analysis Generate audit-ready vulnerability and compliance reports with Datadog Sheets Monitor Fortinet FortiManager performance in Datadog Improve test coverage across codebases with Datadog Code Coverage Move fast, don’t break things: Consistent testing standards at scale Enrich logs with ServiceNow CMDB context before routing to any SIEM or logging tool Monitor Lustre with Datadog Make faster, better product decisions with Datadog Product Analytics Surface and remediate runtime posture issues with Workload Protection Findings Protect agentic AI applications with Datadog AI Guard How to optimize JavaScript code with CSS Trace Google Pub/Sub workloads in Cloud Run with Datadog Detect human names in logs with ML in Sensitive Data Scanner How we cut our NLQ agent debugging time from hours to minutes with LLM Observability Debug PostgreSQL query latency faster with EXPLAIN ANALYZE in Datadog Database Monitoring Datadog acquires Propolis Unify and correlate frontend and backend data with retention filters Scale compliance across global frameworks with Datadog Cloud Security Monitor Arista VeloCloud SD-WAN performance with Datadog Building reliable dashboard agents with Datadog LLM Observability Simplify log collection and aggregation for MSSPs with Datadog Observability Pipelines Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM Automate flaky test fixes with the Bits AI Dev Agent and Test Optimization How we built an AI SRE agent that investigates like a team of engineers Datadog integrations 2025 recap: Observability for AI, security, and hybrid cloud Design effective executive dashboards with Datadog Implement dbt data quality checks with dbt-expectations Bring faster visibility into AWS Lambda functions with remote instrumentation Troubleshoot faster with the GitLab Source Code integration in Datadog How Cambia Health Solutions saved $30,000 monthly with Cloud Cost Management and the Datadog Resource Catalog Normalize any logs for Cloud SIEM with Datadog's OCSF processor Optimizing Datadog at scale: Cost-efficient observability at Zendesk Detect, diagnose, and resolve network issues easily with CNM Network Health Connect engineering errors to user impact in early-stage products Cilium configuration for Kubernetes operations at scale Designing feedback loops for progressive delivery Ship features faster and safer with Datadog Feature Flags Choosing the right OpenTelemetry Collector distribution Route your monitor alerts with Datadog monitor notification rules Automate Cloud SIEM investigations with Bits AI Security Analyst Cloud threat detection: How to identify risky activity across control and data planes Collecting Kafka performance metrics Monitoring Kafka with Datadog Monitoring Kafka performance metrics
How to secure HTTP headers with synthetic tests
2025-03-24 · via Datadog | The Monitor blog
Addie Beach

Addie Beach

HTTP headers are a crucial part of web app network communication. These headers are fields within HTTP responses and requests that provide specifications for activities like data handling and session verification, helping clients and servers effectively relay messages to each other. They often contain a wealth of valuable information, including client IP addresses, authorization credentials, and device model details.

Because of the importance of HTTP headers and the variety of data that they contain, they’re often a key target for attackers, who may attempt to access these headers to learn more about their targets, steal sensitive data, or manipulate user sessions. To combat this, you can configure security-focused HTTP header fields that help define how your app transmits data, loads resources, and executes scripts, making it harder for attackers to compromise your system.

Knowing which headers need to be configured for your app and making sure that they’re implemented correctly can be difficult. Synthetic testing helps you address these challenges by enabling you to check your security header configuration and see how it handles a wide variety of use cases. As a result, you can spot potential weak points in your app, better secure your existing headers, and configure new ones as necessary.

In this post, we’ll explore:

Attackers can take advantage of insecure HTTP headers to breach apps in many different ways. For example, if a header doesn’t validate input properly, attackers can inject it with content such as malicious code. Alternatively, if an HTTP header doesn’t encrypt its response or request data, attackers may be able to simply eavesdrop on network communications. A few of the attacks that often take advantage of insecure headers are listed below:

Type of attackMethod of attackPotential consequences
Cross-site scripting (XSS)Injecting app components with code that penetrates the victim’s browserThe attacker is able to access information about user sessions, including cookies and authentication tokens, and pose as their victims to bypass authentication measures. They can also redirect from or manipulate app content.
Web-cache poisoningInjecting malicious data into the web cache system on a serverThe attacker can make it appear that an app is down, redirect users to websites designed to steal their information, or download malware onto their devices.
ClickjackingRendering content within a compromised frame contains hidden links or buttonsThe attacker can make it appear that an app is down, redirect users to websites designed to steal their information, or download malware onto their devices.
Man-in-the-middle (MITM)Eavesdropping on unencrypted client-server communications through methods such as sniffingThe attacker is able to steal sensitive user data, often security credentials, payment details, or personally identifiable information (PII).

To prevent attacks such as these, you can configure specific headers to secure different aspects of your app. The security headers that are the most relevant for your use cases may differ based on the types of content and resources you handle. For instance, there are certain headers that every app should use to protect against the most common attacks. These include X-Content-Type-Options to prevent your app from executing certain scripts and carrying out XSS attacks, HTTP Strict Transport Security (HSTS) to encrypt your data, and X-Frame-Options to prevent your content from being embedded into compromised frames. However, apps that handle sensitive data, such as PII, may want to also implement more advanced headers. These can include Content-Security-Policy and Trusted Types, which provide extra protection against XSS attacks.

In most cases, you can configure security headers by adding them to a web server configuration file. If you don’t have access to these files—which is common when using a shared hosting service—you may be able to use an alternative, like an .htaccess file, instead.

You’ll want to customize your header setup to maintain a good balance between securing your app without severely impacting app functionality or performance. For example, configuring the X-Frame-Options header enables you to prevent clickjacking attacks by limiting the ability of your app to render content within frames. If your app doesn’t use any frames, you’ll likely want to use the strictest option and prevent any content framing:

NGINXApache
add_header X-Frame-Options “DENY” always;Header always set X-Frame-Options “DENY”

However, if your app does incorporate frames, you may instead want to restrict frame use according to a same-origin policy:

NGINXApache
add_header X-Frame-Options “SAMEORIGIN” always;Header always set X-Frame-Options “SAMEORIGIN”

Additionally, for more granular customization options, you may want to use a more modern alternative to X-Frame-Options—the Content Security Policy frame-ancestors directive—instead. frame-ancestors enables you to define specific trusted sources to allow frame embedding from:

NGINXApache
add_header Content-Security-Policy “frame-ancestors ‘self’ https://example.com;”;Header always set Content-Security-Policy “frame-ancestors ‘self’ https://example.com;”

You may want to use both X-Frame-Options and frame-ancestors together, as the former is more likely to be supported by older browsers, while the latter offers a better experience for modern browsers. Note that when implemented together (and both are supported), browsers will ignore X-Frame-Options in favor of frame-ancestors.

Given the long list of configuration best practices recommended for security headers, making sure that the most relevant headers for your app have been added and implemented correctly can be challenging. By enabling you to test how your app transmits header data and handles user security, synthetic testing can help you detect potential gaps in your security header strategy.

Datadog Synthetic Monitoring provides out-of-the-box templates that enable you to quickly check security header configuration for your app. You can use the Security Headers template to quickly determine whether your application has a few key headers properly implemented, including X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, and HSTS.

Code showing default security header checks for a test created with the Security Headers template.

You can also easily customize the default security header code when creating your test to add or remove specific headers. For example, many browsers automatically restrict cross-origin resource sharing (CORS) to prevent cross-site request forgery (CSRF) attacks, where a bad actor uses session information to pose as a victim and execute certain actions. Let’s say your app does need to access cross-origin resources—to load TrueType fonts or WebGL textures, for instance. In this case, you’ll want to enable CORS headers to safely load resources from certain websites. To add a check for the recommended CORS configuration in the Security Headers template for these headers, you can add the following code:

dd.expect(dd.response.headers).to.have.property(‘access-control-allow-origin’);

const hAcao = dd.response.headers[“access-control-allow-origin”];

dd.expect(hAcao).to.equal("https://example.com");

dd.expect(dd.response.headers).to.have.property(‘access-control-allow-credentials’);

const hAcac = dd.response.headers[“access-control-allow-credentials”];

dd.expect(hAcac).to.equal("true");

Alternatively, using the Information Disclosure template, you can easily detect misconfigurations that could leave your app vulnerable to security disclosure attacks. Tests created with this template will provide you with recommendations for protecting your app data, such as removing the X-Powered-By and Server headers to hide key server information.

Customizing security headers can help protect your app against a number of attacks. However, actually knowing which ones to configure and how can be a challenge. Synthetic testing helps you ensure that these headers are implemented correctly and aren’t exposing key information or entry points for attackers. This is a particularly critical step for organizations that handle sensitive data or have to otherwise meet strict compliance requirements.

You can get started with Datadog Synthetic Monitoring using our documentation. Or, if you’re not yet a Datadog user, you can sign up for a 14-day free trial.