Chapter | Details |
Partner | Goce Delcev University |
Title | Web Application Security: Configuring HTTP Security Headers |
Service | [Insert Service Identifier] |
Target Group | Web administrators and web developers who are employed in the public and private sector |
Format | Workshop |
Focused on Key Technologies | Web servers such as Apache, Nginx and IIS; header-checking tools such as SecurityHeaders and HTTP Observatory; web application vulnerability scanners such as OWASP ZAP; the Lighthouse extension for Google Chrome |
Status | Ready to offer |
Stakeholders from SME/PA Side | Public and private sector in Republic of N. Macedonia |
Requirements for Participation | Computer engineers, electrical engineers, people with experience as web administrators, web programmers, students of computer science and electrical engineering faculties, all interested in web application security. |
Estimated Duration | One day, 4×45 minutes. |
Description of the Course
Introduction: In 2024 an analysis of HTTP security header implementation across several categories of Macedonian websites was carried out [1]. It found a significant lack of implementation and/or misconfiguration of these headers in every category: almost half of the websites received an F grade, and more than a quarter had the minimal security score of 0. It is therefore critical to understand and properly implement HTTP security headers, which prevent or limit the damage from client-side attacks such as XSS, CSRF and clickjacking. Server-side flaws such as SQL injection are not stopped by headers; the course addresses them separately through vulnerability testing with a scanner.
Technical Context and Examples:
Objective 1: Learning and understanding the importance of implementation and proper configuration of HTTP security headers, with practical demonstration in the Apache web server.
Objective 2: Learning to use tools that can help in the improvement of web application security, such as those for checking configuration of HTTP security headers, for testing web application vulnerabilities, etc.
Within the course, participants will be introduced to HTTP security headers and the related checks performed by the testing tools: Content Security Policy, Cookies (Secure, HttpOnly and SameSite attributes), Cross-Origin Resource Sharing, HTTP Strict Transport Security, Redirection (HTTP to HTTPS), Referrer Policy, Subresource Integrity (an HTML attribute rather than a header, but graded by the same tools), X-Content-Type-Options and X-Frame-Options. They will learn to configure them properly in the Apache web server and to test them with tools such as [2] and [3]. They will also learn how to test for web application vulnerabilities [4] with tools such as OWASP ZAP.
Detailed Explanation of Core Concepts: While many trainings cover general web security topics (e.g., SQL injection, XSS), this training focuses specifically on HTTP security headers, a powerful yet underutilized tool for securing web applications. The course emphasizes practical implementation rather than theoretical knowledge alone: participants work with real-world tools and configurations, and the labs are interactive, so participants practice configuring HTTP headers and then test their effectiveness. The training also addresses modern challenges such as deploying Content Security Policy on dynamic web applications (where inline scripts must be moved to external files or allowed with nonces or hashes rather than 'unsafe-inline') and protecting against cross-origin attacks.
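The following virtual host configuration is an added illustration of the Apache setup the course describes (the header list above and the CSP discussion in this paragraph); it is not part of the course materials or of reference [1]. The domain www.example.mk, the partner origin https://partner.example.mk and the certificate paths are assumed placeholders. It needs mod_headers, mod_ssl, mod_alias and mod_rewrite enabled (a2enmod headers ssl alias rewrite on Debian-style installs). The commented-out CSP line shows the weak variant that many of the graded sites end up with, beside the corrected one.

```apache
# Added example, not the course's own configuration. Site name, origin and
# certificate paths are assumed placeholders.

# Version banners are a server-level setting (not valid inside <VirtualHost>).
ServerTokens Prod

# Redirection: every plaintext request goes to HTTPS before anything else
# is served, so the HSTS header below is only ever sent over TLS.
<VirtualHost *:80>
    ServerName www.example.mk
    Redirect permanent "/" "https://www.example.mk/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.mk
    DocumentRoot /var/www/example
    ServerSignature Off

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.mk.pem     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/example.mk.key   # assumed path

    # HTTP Strict Transport Security: one year, subdomains included.
    # Add "; preload" only once every subdomain really serves HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Content Security Policy. The commented-out line is the weak variant:
    # 'unsafe-inline' in script-src lets injected <script> run, which defeats
    # the XSS protection CSP is meant to give. Dynamic apps that need inline
    # scripts should use nonces or hashes instead.
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests"

    # Clickjacking: frame-ancestors above covers modern browsers, X-Frame-Options
    # is kept for older ones. The two must agree (DENY matches 'none').
    Header always set X-Frame-Options "DENY"

    # Stop browsers from MIME-sniffing responses into executable types.
    Header always set X-Content-Type-Options "nosniff"

    # Referrer Policy: full URL same-origin, origin only cross-origin, nothing
    # when downgrading to HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Cross-Origin Resource Sharing: never reflect the request's Origin.
    # Allow one known partner origin, and only on the API path.
    <Location "/api/">
        Header always set Access-Control-Allow-Origin "https://partner.example.mk"
        Header always merge Vary "Origin"
    </Location>

    # Cookies: add Secure, HttpOnly and SameSite to any Set-Cookie the
    # application emits without them. The negative lookahead in each pattern
    # skips cookies that already carry the attribute, so nothing is doubled.
    # "Header edit" (no "always") is used because application cookies live in
    # the normal response header table.
    Header edit Set-Cookie "(?i)^((?:(?!;\s?Secure).)+)$"   "$1; Secure"
    Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^((?:(?!;\s?SameSite).)+)$" "$1; SameSite=Lax"

    # Drop framework fingerprints such as X-Powered-By: PHP/x.y.
    Header always unset X-Powered-By
</VirtualHost>
```

After `apachectl configtest` and a reload, the result can be checked offline with `curl -sI https://www.example.mk/` before submitting the site to SecurityHeaders or HTTP Observatory; a site that was getting an F for missing headers should now lose points only for what the application itself still does (for example inline scripts that violate the CSP, visible as violation reports in the browser console).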
Conclusion and Unique Value: Based on our research, we decided to raise awareness of the obtained results and to help the public sector in the Republic of N. Macedonia improve the security of its websites. The unique value of the training lies in its practical, hands-on approach to a critical aspect of web security that is often overlooked or misunderstood. It combines focused content (HTTP headers), interactive labs and real-world tools into a single, cohesive learning experience, and is designed to be accessible to both beginners and experienced developers and web administrators.
Additional Course Information
Category | Details |
Value of Service | Participants will acquire the following knowledge and skills:
Skill 1: understanding the importance of implementing and properly configuring HTTP security headers.
Skill 2: applying the correct configuration of HTTP security headers in the Apache web server.
Skill 3: using tools for checking the configuration of HTTP security headers, as well as tools for testing web application vulnerabilities. |
Learning Methods Used | Mix of lectures and hands-on exercises, together with group discussions |
References/Resources | [1] Aleksandra Mileva, Dushan Bikov, Bojana Tasheva, Aleksandra Brashnarova (2025). HTTP Security Headers Analysis of Several Macedonian Website Categories. Computer Science Journal of Moldova, vol. 33, no. 1(97) (accepted).
[2] SecurityHeaders, https://securityheaders.com
[3] HTTP Observatory, https://developer.mozilla.org/en-US/observatory
[4] OWASP Top Ten, https://owasp.org/www-project-top-ten/ |
Overview Slides |