Thursday, August 9, 2018

HTTP Security Headers

Intro

HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities.

When a user visits a site through their browser, the server responds with HTTP response headers. These headers tell the browser how to behave while communicating with the site, and they mainly consist of metadata.

For example, by using the Strict-Transport-Security header you can force the browser to communicate solely over HTTPS.


HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should only interact with it over secure HTTPS connections, and never via the insecure HTTP protocol.

A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection (HSTS headers over HTTP are ignored).

Values

max-age=SECONDS
    The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.

includeSubDomains
    If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

preload
    Google maintains a service that hardcodes your site as being HTTPS-only into browsers. This way, a user doesn’t even have to visit your site: their browser already knows it should reject unencrypted connections. Getting off that list is hard, by the way, so only turn it on if you know you can support HTTPS forever on all your subdomains.

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Frame-Options

The X-Frame-Options response header improves the protection of web applications against clickjacking. It declares a policy, communicated from the host to the client browser, on whether the browser may display the transmitted content inside frames of other web pages.

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page.

Values

deny
    No rendering within a frame.

sameorigin
    No rendering if the framing page's origin does not match.

allow-from DOMAIN
    Allows rendering only if framed by a page loaded from DOMAIN. Not every browser honours allow-from; the CSP frame-ancestors directive (used in the CSP example below) is the standard replacement.

Example

X-Frame-Options: deny

X-XSS-Protection

This header enables the cross-site scripting (XSS) filter built into some browsers.

XSS is an attack in which the attacker causes a page to load malicious JavaScript.

Values

0
    Filter disabled.

1
    Filter enabled. If a cross-site scripting attack is detected, the browser will sanitize the page in order to stop the attack.

1; mode=block
    Filter enabled. Rather than sanitizing the page, the browser will prevent rendering of the page when an XSS attack is detected.

1; report=report_URI
    Filter enabled. The browser will sanitize the page and report the violation. This is a Chromium function that uses CSP violation reports to send details to a URI of your choice.

Example

X-XSS-Protection: 1; mode=block

X-Content-Type-Options

Setting this header prevents the browser from interpreting files as anything other than the type declared in the Content-Type header of the HTTP response.

This helps reduce the danger of drive-by downloads and ensures the content is treated the right way.

The X-Content-Type-Options header instructs browsers to use the content type exactly as declared and never to detect the type on their own. You should apply this header, but double-check that you’ve set the content types correctly.

Values

nosniff
    Prevents the browser from MIME-sniffing a response away from the declared content type.

Example

X-Content-Type-Options: nosniff

Content-Security-Policy (CSP)

Content Security Policy (CSP) gives you a language to define where the browser may load resources from. You can whitelist origins for scripts, images, fonts, stylesheets, etc. in a very granular manner. You can also require that loaded scripts and styles match a hash or nonce.

A Content Security Policy requires careful tuning and a precise definition of the policy. If enabled, CSP has a significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.

Example

from samarait.hr, where I have used Google Fonts and Analytics

Content-Security-Policy: default-src 'none'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' https://www.google-analytics.com; frame-ancestors 'none'; upgrade-insecure-requests
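As an added example (not part of the original post), here is a small Python auditor that parses the five headers described above out of a response's header dictionary and reports where they fall short of the values recommended on this page. The thresholds (a one-year max-age), the finding texts and the sample response are my own assumptions, not measurements of any real site.

```python
from typing import Dict, List

def parse_directives(value: str) -> Dict[str, str]:
    """Split a ';'-separated header value (HSTS, X-XSS-Protection or CSP) into {name: argument}."""
    out: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition(" ")  # CSP form: "script-src 'self' https://..."
        if "=" in name:                     # HSTS / XSS form: "max-age=300", "mode=block"
            name, _, arg = name.partition("=")
        out[name.lower()] = arg.strip()
    return out

def audit_headers(headers: Dict[str, str], served_over_https: bool = True) -> List[str]:
    """Compare one response's headers with the values recommended above; return the findings."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_directives(h.get("content-security-policy", ""))
    findings: List[str] = []
    if not served_over_https:
        findings.append("HSTS: browsers ignore Strict-Transport-Security sent over plain HTTP")
    elif "strict-transport-security" not in h:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        hsts = parse_directives(h["strict-transport-security"])
        age = hsts.get("max-age", "")
        if not age.isdigit() or int(age) < 31536000:  # one year, as in the example above
            findings.append("HSTS: max-age below one year (31536000 seconds)")
        if "includesubdomains" not in hsts:
            findings.append("HSTS: includeSubDomains not set, so subdomains stay unprotected")
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo.startswith("allow-from"):
        findings.append("X-Frame-Options: allow-from is not honoured by all browsers; use CSP frame-ancestors")
    elif xfo not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append("Clickjacking: neither X-Frame-Options nor CSP frame-ancestors is set")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing, browser may MIME-sniff responses")
    xss = parse_directives(h.get("x-xss-protection", ""))
    if "1" not in xss or xss.get("mode") != "block":
        findings.append("X-XSS-Protection: expected '1; mode=block'")
    if not csp:
        findings.append("CSP: Content-Security-Policy header missing")
    elif "default-src" not in csp:
        findings.append("CSP: no default-src fallback, so unlisted resource types are unrestricted")
    return findings

# Constructed sample response (not captured from a real site), assembled from this post's examples.
GOOD_RESPONSE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "X-Frame-Options": "deny", "X-XSS-Protection": "1; mode=block",
                 "X-Content-Type-Options": "nosniff",
                 "Content-Security-Policy": "default-src 'none'; script-src 'self'; frame-ancestors 'none'"}
```

Calling audit_headers(GOOD_RESPONSE) returns an empty list; feeding it the headers of a response fetched over plain HTTP with served_over_https=False flags HSTS as ineffective rather than merely missing.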