Intro
HTTP security headers add another layer of defence by helping to mitigate attacks and security vulnerabilities. When a user visits a site in a browser, the server answers with HTTP response headers. These headers tell the browser how to behave while communicating with the site; they are mostly metadata about the response rather than content. For example, the Strict-Transport-Security header instructs the browser to communicate with the site solely over HTTPS.
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It lets a web server declare that browsers (and other conforming user agents) should only interact with it over secure HTTPS connections, never over plain HTTP.
A server implements an HSTS policy by sending the Strict-Transport-Security header over an HTTPS connection. Browsers ignore the header when it arrives over plain HTTP, so the policy only takes effect after the first successful HTTPS visit; the preload directive below exists to close that gap.
Values
Value | Description
max-age=SECONDS | The time, in seconds, for which the browser should remember that this site is only to be accessed over HTTPS. A value of 0 tells the browser to forget the policy.
includeSubDomains | If this optional directive is present, the rule also applies to all of the site's subdomains. Without it, an attacker who can serve plain HTTP on a subdomain can still set cookies scoped to the parent domain.
preload | Google maintains a service (hstspreload.org) that hardcodes your site as HTTPS-only into Chrome; Firefox, Safari and Edge consume the same list. This way a user does not even have to visit your site first: the browser already knows it must reject unencrypted connections. To be accepted, the header must be served over HTTPS on the base domain with a max-age of at least 31536000 (one year), includeSubDomains and preload. Getting off that list is slow and hard, so only turn it on if you know you can support HTTPS forever on all your subdomains.
Example
Strict-Transport-Security: max-age=31536000; includeSubDomains
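As an added example (not code from the original page), the following Python parser reads a Strict-Transport-Security header the way RFC 6797 describes and then audits a response the way a practitioner would: it checks that the header arrived over HTTPS, that max-age is at least a year, that includeSubDomains is present, and that a preload request meets the preload-list requirements. The header values it is run on are constructed for the example.

```python
"""Parse and audit a Strict-Transport-Security header. Added example, not
code from the original page; the sample headers used below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age accepted by the hstspreload.org list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list per RFC 6797: names are case-insensitive,
    order is free, unknown directives are ignored, a repeated directive makes
    the whole header invalid, and max-age is mandatory."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen.add(name)
        arg = arg.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(headers: Dict[str, str], over_https: bool) -> List[str]:
    """Return findings for the HSTS header of one response; empty means fine."""
    findings: List[str] = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    if not over_https:
        findings.append("HSTS sent over plain HTTP is ignored by browsers")
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return findings + [f"invalid HSTS header ({exc}); browsers ignore it"]
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: an HTTP subdomain can still "
                        "set cookies scoped to the parent domain")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requested but max-age >= 31536000 and "
                        "includeSubDomains are both required for the list")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the header from this page versus a weak one.
    print(audit_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True))
    print(audit_hsts({"Strict-Transport-Security": "max-age=300; preload"}, True))
```

Run it against the headers of a real response (for example, the dict returned by `requests` or `urllib`) together with whether the request went over TLS; the over_https flag matters because the same header on the HTTP listener is silently discarded.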
X-Frame-Options
The X-Frame-Options response header improves the protection of web applications against clickjacking. It declares a policy, communicated from the server to the browser, on whether the browser may render the response inside a frame of another page. The newer Content-Security-Policy frame-ancestors directive covers the same ground with finer control, and when both headers are present the browser ignores X-Frame-Options in favour of the CSP directive.
Clickjacking is an attack in which multiple transparent or opaque layers are used to trick a user into clicking a button or link on another page when they intended to click on the top-level page.
Values (case-insensitive)
Value | Description
deny | The page is never rendered in a frame, whoever frames it.
sameorigin | The page is rendered in a frame only if the top-level page (and, in current browsers, every ancestor frame) has the same origin as the page.
allow-from URI | Allows rendering only when framed by a page loaded from URI. The syntax is the keyword followed by a space, not a colon. Only old Internet Explorer and old Firefox ever honoured it; Chrome, Safari and current Firefox treat the value as invalid and ignore the header entirely, which leaves the page frameable by anyone. Use the CSP frame-ancestors directive instead.
Example
X-Frame-Options: deny
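As an added example, not code from the original page, here is a Python model of how a current browser decides whether a response may be framed, following the X-Frame-Options steps in the WHATWG HTML Standard: conflicting values block, a value the browser does not recognise (such as allow-from) causes the header to be ignored, and sameorigin is checked against every ancestor document, not just the top one. The URLs it is run on are constructed.

```python
"""Model how a current browser decides whether a response may be framed,
given its X-Frame-Options header. Added example, not code from the original
page; it follows the X-Frame-Options algorithm in the WHATWG HTML Standard."""
from typing import List, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple:
    """(scheme, host, port) tuple; this is what 'sameorigin' compares."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), u.port or default)


def framing_allowed(xfo: Optional[str], framed_url: str, ancestor_urls: List[str]) -> bool:
    """Return True if the document at framed_url would be rendered inside the
    frame chain ancestor_urls (top-level document first). xfo is the raw header
    value, or None when the header is absent."""
    if not ancestor_urls:
        return True  # not a child browsing context: X-Frame-Options is irrelevant
    if xfo is None:
        return True  # no header: framing is not restricted by X-Frame-Options
    # A combined header field is split on commas; values are ASCII
    # case-insensitive and duplicates collapse into one.
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1 and values & {"deny", "sameorigin", "allowall"}:
        return False  # conflicting values: the standard errs on the side of blocking
    if len(values) > 1:
        return True  # several values, none meaningful: header ignored
    value = next(iter(values), "")
    if value == "deny":
        return False
    if value == "sameorigin":
        framed = origin_of(framed_url)
        return all(origin_of(a) == framed for a in ancestor_urls)
    # 'allow-from https://x' lands here: it is not a recognised value in
    # current browsers, so the header is ignored and anyone can frame the page.
    return True


if __name__ == "__main__":
    # Constructed URLs: an attacker page framing the app directly, and via a
    # same-origin page that is itself framed by the attacker.
    print(framing_allowed("sameorigin", "https://app.example/pay",
                          ["https://attacker.example/"]))
    print(framing_allowed("sameorigin", "https://app.example/pay",
                          ["https://attacker.example/", "https://app.example/wrap"]))
```

The second call in the usage block returns False even though the immediate parent is same-origin, which is the nested-frame case that older sameorigin implementations got wrong.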
X-XSS-Protection
This header controls the reflected cross-site scripting (XSS) filter that some older browsers built in.
XSS is an attack in which the attacker causes a page to load malicious JavaScript of the attacker's choosing.
Treat this header as legacy: Chromium removed its XSS Auditor in 2019, Edge dropped its filter, and Firefox never implemented one, so current browsers ignore it. The filters themselves were found to introduce cross-site information leaks, which is why current guidance (OWASP, for example) is to send X-XSS-Protection: 0 or to omit the header and rely on a strong Content-Security-Policy instead.
Values
Value | Description
0 | Filter disabled.
1 | Filter enabled. If a cross-site scripting attack is detected, the browser sanitizes the page to stop the attack.
1; mode=block | Filter enabled. Rather than sanitizing the page, the browser prevents rendering of the page when an XSS attack is detected.
1; report=report_URI | Filter enabled. The browser sanitizes the page and reports the violation. This is a Chromium function that uses the CSP violation report format to send details to a URI of your choice.
Example
X-XSS-Protection: 1; mode=block
X-Content-Type-Options
Setting this header prevents the browser from interpreting a response as anything other than the type declared in its Content-Type header.
This reduces the danger of drive-by downloads and of content being treated the wrong way, for example a user-uploaded "image" being executed as a script because the browser guessed its type from the bytes.
X-Content-Type-Options instructs browsers to use the declared content type and never to sniff the type on their own. You should apply this header, but double-check first that your content types are correct: with nosniff set, a script served as text/plain or a stylesheet not served as text/css is simply refused by the browser.
Values
Value | Description
nosniff | Prevents the browser from MIME-sniffing a response away from the declared Content-Type. Script loads whose Content-Type is not a JavaScript MIME type and stylesheet loads whose Content-Type is not text/css are blocked.
Example
X-Content-Type-Options: nosniff
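Because nosniff turns a wrong Content-Type from a silent fallback into a hard failure, the check a practitioner wants before enabling it is a pass over the site's script and stylesheet responses. The following Python is an added example, not code from the original page: it applies the nosniff rule from the Fetch standard (scripts need a JavaScript MIME type, stylesheets need text/css) to a set of constructed sample responses and reports which ones would break.

```python
"""Check which responses a browser honouring X-Content-Type-Options: nosniff
would refuse to use as a script or stylesheet. Added example, not code from
the original page; the MIME set is the JavaScript MIME type list from the
WHATWG MIME Sniffing Standard, and the sample responses are constructed."""
from typing import Dict, List, Tuple

JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def mime_essence(content_type: str) -> str:
    """'Text/JavaScript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_verdict(destination: str, headers: Dict[str, str]) -> str:
    """destination is the request destination ('script', 'style', 'image', ...).
    Returns 'ok' (usable), 'blocked' (nosniff set and type unacceptable) or
    'sniffed' (type unacceptable but no nosniff, so the browser may guess)."""
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = mime_essence(lower.get("content-type", ""))
    nosniff = lower.get("x-content-type-options", "").strip().lower() == "nosniff"
    if destination == "script":
        acceptable = ctype in JAVASCRIPT_MIME_TYPES
    elif destination == "style":
        acceptable = ctype == "text/css"
    else:
        return "ok"  # the nosniff blocking rule only applies to script and style loads
    if acceptable:
        return "ok"
    return "blocked" if nosniff else "sniffed"


def audit_responses(responses: List[Tuple[str, str, Dict[str, str]]]) -> List[str]:
    """responses are (url, destination, headers); one finding per problem."""
    findings = []
    for url, destination, headers in responses:
        verdict = nosniff_verdict(destination, headers)
        if verdict != "ok":
            ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "<none>")
            findings.append(f"{url}: {verdict} ({destination} served as {ctype!r})")
    return findings


# Constructed sample responses: one correct script, one script served as
# text/plain, one stylesheet served as HTML, one image (not subject to the rule).
SAMPLE_RESPONSES = [
    ("/app.js", "script", {"Content-Type": "application/javascript; charset=utf-8",
                           "X-Content-Type-Options": "nosniff"}),
    ("/legacy.js", "script", {"Content-Type": "text/plain",
                              "X-Content-Type-Options": "nosniff"}),
    ("/theme.css", "style", {"Content-Type": "text/html; charset=utf-8"}),
    ("/logo.png", "image", {"Content-Type": "application/octet-stream",
                            "X-Content-Type-Options": "nosniff"}),
]

if __name__ == "__main__":
    for line in audit_responses(SAMPLE_RESPONSES):
        print(line)
```

Feed it the (url, destination, headers) triples from a crawl or from your web server's access log joined with its MIME map; anything reported as "sniffed" is a response that will start failing the moment nosniff is switched on.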
Content-Security-Policy (CSP)
Content Security Policy (CSP) gives you a language for defining where the browser may load resources from. You can allowlist origins for scripts, images, fonts, stylesheets and so on in a very granular manner, and you can tie inline scripts and styles to a per-response nonce or to a hash of their content (CSP has no signature mechanism).
A CSP requires careful tuning and a precise definition of the policy. Once enabled, it has a significant impact on how browsers render pages: inline JavaScript and eval are disabled by default and must be explicitly allowed, preferably with nonces or hashes rather than 'unsafe-inline'. CSP mitigates a wide range of attacks, including cross-site scripting and other cross-site injections, and its frame-ancestors directive replaces X-Frame-Options. Roll it out with the Content-Security-Policy-Report-Only header first so that you can collect violation reports before enforcing.
Example
From samarait.hr, where Google Fonts and Google Analytics are used:
Content-Security-Policy:
default-src 'none'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' https://www.google-analytics.com; frame-ancestors 'none'; upgrade-insecure-requests
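The policy above is easier to reason about with a tool that answers two questions: "would this load be allowed?" and "what is weak here?". The following Python is an added example, not code from the original page or the site: it parses a CSP header into directives, resolves the default-src fallback, matches URLs against keyword, wildcard, scheme and host sources (with '*.' wildcards and ports; path matching is deliberately not modelled), and flags the usual weaknesses such as 'unsafe-inline' without a nonce or hash, wildcard sources, and a missing default-src or frame-ancestors. The page origin and test URLs are assumptions made for the example.

```python
"""Parse a Content-Security-Policy header, flag common weaknesses, and decide
whether a given load is allowed. Added example, not code from the original
page. Source matching covers keywords, '*', scheme-sources and host-sources
with '*.' wildcards and ports; path matching is not modelled."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "child-src",
                    "worker-src", "manifest-src"}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Directive names are case-insensitive; if a directive repeats, the first
    occurrence wins and the rest are ignored, as the CSP specification requires."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list governing `directive`, falling back to default-src for fetch
    directives; None means no directive applies, i.e. the load is unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    u, p = urlsplit(url), urlsplit(page_origin)
    expr = expr.lower()
    if expr == "'self'":
        return ((u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme))
                == (p.scheme, p.hostname, p.port or DEFAULT_PORT.get(p.scheme)))
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if expr == "*":
        return u.scheme in DEFAULT_PORT  # any network scheme, any host
    if expr.endswith(":") and "//" not in expr:
        return u.scheme == expr[:-1]  # scheme-source such as https: or data:
    scheme, _, rest = expr.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in (p.scheme, "https"):
        return False  # no scheme given: match the page's scheme or its secure upgrade
    hostname = u.hostname or ""
    if host.startswith("*."):
        if not hostname.endswith(host[1:]):
            return False
    elif hostname != host:
        return False
    url_port = u.port or DEFAULT_PORT.get(u.scheme)
    if port == "*":
        return True
    if port:
        return str(url_port) == port
    return url_port == DEFAULT_PORT.get(u.scheme)


def allows(policy: Dict[str, List[str]], directive: str, url: str, page_origin: str) -> bool:
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def weaknesses(policy: Dict[str, List[str]]) -> List[str]:
    """Heuristics a reviewer applies before trusting a policy."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive you forgot is unrestricted")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: clickjacking protection depends on X-Frame-Options alone")
    for name in ("script-src", "style-src"):
        srcs = [s.lower() for s in effective_sources(policy, name) or []]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append(f"{name} allows 'unsafe-inline'")
        if "*" in srcs or any(s in ("http:", "https:", "data:") for s in srcs):
            findings.append(f"{name} allows a wildcard or scheme-wide source")
    if "'unsafe-eval'" in [s.lower() for s in effective_sources(policy, "script-src") or []]:
        findings.append("script-src allows 'unsafe-eval'")
    return findings


# The policy from this page (constructed page origin assumed for the example).
PAGE_CSP = ("default-src 'none'; script-src 'self' https://www.googletagmanager.com "
            "https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com; "
            "font-src https://fonts.gstatic.com; img-src 'self' https://www.google-analytics.com; "
            "frame-ancestors 'none'; upgrade-insecure-requests")

if __name__ == "__main__":
    policy = parse_csp(PAGE_CSP)
    print(allows(policy, "script-src", "https://www.google-analytics.com/analytics.js", "https://samarait.hr"))
    print(allows(policy, "connect-src", "https://samarait.hr/api", "https://samarait.hr"))
    print(weaknesses(policy))
```

Note what the second call in the usage block shows: the page's policy has no connect-src, so a fetch() to the site's own API falls back to default-src 'none' and is blocked. That is the intended strictness of a 'none' default, and it is exactly the class of surprise that a report-only rollout surfaces before users hit it.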