http security headers.md

HTTP Security Headers

Overview

HTTP Security Headers do not prevent server-side attacks, but they do help mitigate some client-side attacks, within browsers that support the headers.

• https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
• https://geekflare.com/http-header-implementation/

Set-Cookie

Instructs the browsers when and how to set cookies. It helps to prevent man-in-the-middle (MitM) attacks, Cross Site Request Forgery (CSRF), session hijacking, and session fixation.

Example

Set-Cookie: Secure, SameSite

Vulnerability

• https://en.wikipedia.org/wiki/Session_hijacking
• https://www.owasp.org/index.php/Session_hijacking_attack
• https://en.wikipedia.org/wiki/Session_fixation

Documentation

• https://en.wikipedia.org/wiki/HTTP_cookie
• https://tools.ietf.org/html/rfc6265
• https://blog.webf.zone/ultimate-guide-to-http-cookies-2aa3e083dbae

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
• https://docs.microsoft.com/en-us/windows/desktop/wininet/http-cookies

Referrer-Policy

Instructs browsers when to set the Referrer Header during requests. This helps prevent referrer spoofing, and information disclosure.

Example

Referrer-Policy: strict-origin

Vulnerability

• https://en.wikipedia.org/wiki/Referer_spoofing

Documentation

• https://scotthelme.co.uk/a-new-security-header-referrer-policy/
• https://en.wikipedia.org/wiki/HTTP_referer
• https://www.w3.org/TR/referrer-policy/

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
• https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
• https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/7119603/

Cross-Origin Resource Sharing (CORS)

Prevents browsers from sending AJAX requests to unapproved domains, preventing XSS and Cross-Site Request Forgery (CSRF).

Example

Access-Control-Allow-Origin: https://www.example.com

Vulnerability

• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Documentation

• https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
• https://mobilejazz.com/blog/which-security-risks-do-cors-imply/
• https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://blogs.technet.microsoft.com/applicationproxyblog/2018/05/02/understanding-cors-issues/

X-Frame-Options

This helps prevent "click-jacking," where a webpage is embedded into an IFRAME on another attacker controlled website, and tricks the user into clicking. This header lets the owner of the website decide which sites are allowed to iframe their webpages.

Example

X-Frame-Options: SAMEORIGIN

Vulnerability

• https://www.owasp.org/index.php/Clickjacking
• https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Documentation

• https://tools.ietf.org/html/rfc7034
• https://www.keycdn.com/blog/x-frame-options
• https://www.ibm.com/support/knowledgecenter/en/SSZLC2_8.0.0/com.ibm.commerce.admin.doc/tasks/tseiframerestrictxframe.htm

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
• https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/

X-XSS-Protection

This will enable browser XSS protection.

Example

X-XSS-Protection: 1; mode=block

Vulnerability

• https://en.wikipedia.org/wiki/Cross-site_scripting
• https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Documentation

• https://scotthelme.co.uk/hardening-your-http-response-headers/
• https://www.keycdn.com/blog/x-xss-protection
• http://docs.w3cub.com/http/headers/x-xss-protection/
• https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
• https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/

X-Content-Type-Options

This helps mitigate a "content sniffing" attack, where an attacker will claim to be sending a non-malicious filetype such as an image, but then send malicious javascript to perform Cross Site Scripting (XSS).

Example

X-Content-Type-Options: nosniff

Vulnerability

• https://en.wikipedia.org/wiki/Content_sniffing

Documentation

• http://docs.w3cub.com/http/headers/x-content-type-options/
• https://www.keycdn.com/support/x-content-type-options
• https://tools.ietf.org/html/draft-hodges-websec-framework-reqs-02

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Content-Security-Policy

Mitigate Cross Site Scripting (XSS) attacks, by whitelisting allowed local and remote source of javascript, css, images, video, and other files.

Example

Content-Security-Policy: default-src 'self'

Documentation

• https://content-security-policy.com/
• https://en.wikipedia.org/wiki/Content_Security_Policy
• https://upload.wikimedia.org/wikipedia/commons/0/09/ContentSecurityPolicy3_diagram.png
• https://w3c.github.io/webappsec-csp/
• https://www.keycdn.com/support/content-security-policy

Browser support

• https://caniuse.com/#search=content%20security%20policy
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://developers.google.com/web/fundamentals/security/csp/

HTTP Strict Transport Security (HSTS)

Prevents web browsers from accessing a website over HTTP, and helps prevent SSL downgrade attacks. This also helps prevent the browser from allowing the user to overriding SSL certificate warnings.

Example

Strict-Transport-Security: max-age=31536000; 

Vulnerability

• https://tlseminar.github.io/downgrade-attacks/
• https://p16.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack
• https://en.wikipedia.org/wiki/Downgrade_attack
• https://cwe.mitre.org/data/definitions/757.html

Documentation

• https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://tools.ietf.org/html/rfc6797
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
• https://developer.mozilla.org/en-US/docs/Glossary/HSTS

Browser Support

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

HTTP Public Key Pinng (HPKP)

Prevents web browsers from using forged X.509 cerficiates, by caching the certificate after initially receiving it. This is only secure, assuming the user's first visit is secure.

"Public-Key-Pins-Report-Only" is the best option, as it will instruct the web browser to report to the web server whenever a certificate does not match the initially cached certificate, but the browser will not block access.

Example

public-key-pins-report-only:
  max-age=500;
  pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
  pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
  pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ=";
  report-uri=http://reports.fb.com/hpkp/

Vulnerability

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
• https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

Documentation

• https://scotthelme.co.uk/hpkp-http-public-key-pinning/
• https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
• https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

Browser Support

• https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning