HTTP security headers do not prevent server-side attacks, but they do help mitigate some client-side attacks in browsers that support them.
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
- https://geekflare.com/http-header-implementation/
Instructs browsers when and how to store and send cookies. Its attributes help prevent man-in-the-middle (MitM) attacks, Cross-Site Request Forgery (CSRF), session hijacking, and session fixation.
Example
Set-Cookie: session=<value>; Secure; SameSite=Strict
Vulnerability
- https://en.wikipedia.org/wiki/Session_hijacking
- https://www.owasp.org/index.php/Session_hijacking_attack
- https://en.wikipedia.org/wiki/Session_fixation
Documentation
- https://en.wikipedia.org/wiki/HTTP_cookie
- https://tools.ietf.org/html/rfc6265
- https://blog.webf.zone/ultimate-guide-to-http-cookies-2aa3e083dbae
Browser Support
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
- https://docs.microsoft.com/en-us/windows/desktop/wininet/http-cookies
Instructs browsers when to send the Referer header with requests. This helps prevent referrer spoofing and information disclosure.
Example
Referrer-Policy: strict-origin
Vulnerability
Documentation
- https://scotthelme.co.uk/a-new-security-header-referrer-policy/
- https://en.wikipedia.org/wiki/HTTP_referer
- https://www.w3.org/TR/referrer-policy/
Browser Support
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
- https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/7119603/
Tells browsers which origins may make cross-origin AJAX requests to the site, so that requests from unapproved domains are blocked; this helps prevent XSS and Cross-Site Request Forgery (CSRF).
Example
Access-Control-Allow-Origin: https://www.example.com
Vulnerability
Documentation
- https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
- https://mobilejazz.com/blog/which-security-risks-do-cors-imply/
- https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/
Browser Support
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://blogs.technet.microsoft.com/applicationproxyblog/2018/05/02/understanding-cors-issues/
This helps prevent "clickjacking," where a webpage is embedded in an IFRAME on an attacker-controlled website that tricks the user into clicking on it. The header lets the owner of the website decide which sites are allowed to frame its pages.
Example
X-Frame-Options: SAMEORIGIN
Vulnerability
- https://www.owasp.org/index.php/Clickjacking
- https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Documentation
- https://tools.ietf.org/html/rfc7034
- https://www.keycdn.com/blog/x-frame-options
- https://www.ibm.com/support/knowledgecenter/en/SSZLC2_8.0.0/com.ibm.commerce.admin.doc/tasks/tseiframerestrictxframe.htm
Browser Support
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
Enables the browser's built-in XSS filter; with mode=block the browser stops rendering the page when an attack is detected. Note that current browsers have removed this filter, so the header should not be relied on as a defence.
Example
X-XSS-Protection: 1; mode=block
Vulnerability
- https://en.wikipedia.org/wiki/Cross-site_scripting
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Documentation
- https://scotthelme.co.uk/hardening-your-http-response-headers/
- https://www.keycdn.com/blog/x-xss-protection
- http://docs.w3cub.com/http/headers/x-xss-protection/
- https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
Browser Support
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
This helps mitigate "content sniffing" attacks, where an attacker serves a file declared as a harmless type such as an image but actually containing JavaScript, which a browser that sniffs the content may execute, leading to Cross-Site Scripting (XSS).
Example
X-Content-Type-Options: nosniff
Vulnerability
Documentation
- http://docs.w3cub.com/http/headers/x-content-type-options/
- https://www.keycdn.com/support/x-content-type-options
- https://tools.ietf.org/html/draft-hodges-websec-framework-reqs-02
Browser Support
Mitigates Cross-Site Scripting (XSS) attacks by whitelisting the allowed local and remote sources of JavaScript, CSS, images, video, and other resources.
Example
Content-Security-Policy: default-src 'self'
Documentation
- https://content-security-policy.com/
- https://en.wikipedia.org/wiki/Content_Security_Policy
- https://upload.wikimedia.org/wikipedia/commons/0/09/ContentSecurityPolicy3_diagram.png
- https://w3c.github.io/webappsec-csp/
- https://www.keycdn.com/support/content-security-policy
Browser Support
- https://caniuse.com/#search=content%20security%20policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://developers.google.com/web/fundamentals/security/csp/
Prevents web browsers from accessing the website over plain HTTP, which helps prevent SSL downgrade attacks. It also stops the browser from letting the user override SSL certificate warnings for the site.
Example
Strict-Transport-Security: max-age=31536000;
Vulnerability
- https://tlseminar.github.io/downgrade-attacks/
- https://p16.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack
- https://en.wikipedia.org/wiki/Downgrade_attack
- https://cwe.mitre.org/data/definitions/757.html
Documentation
- https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://tools.ietf.org/html/rfc6797
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
- https://developer.mozilla.org/en-US/docs/Glossary/HSTS
Browser Support
Prevents web browsers from accepting forged X.509 certificates by remembering (pinning) the site's public key after the first visit. This is only secure if that first visit was not itself attacked (trust on first use). Major browsers have since removed support for HPKP.
"Public-Key-Pins-Report-Only" is the best option, as it instructs the browser to report to the web server whenever a certificate does not match the pinned one, without blocking access.
Example
Public-Key-Pins-Report-Only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
Vulnerability
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
- https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
Documentation
- https://scotthelme.co.uk/hpkp-http-public-key-pinning/
- https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
- https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
Browser Support
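As an added example (not code from the original page), the following audit checks a parsed response's headers against the values recommended in the Set-Cookie, Referrer-Policy, Access-Control-Allow-Origin, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy and Strict-Transport-Security sections above. The sample response at the bottom is constructed for illustration; the one-year HSTS threshold is the page's own max-age value.

```python
# Added example (not from the original page): audit a parsed HTTP response's
# headers against the values recommended above. SAMPLE below is constructed.
def _directives(value):
    """Parse 'a=1; b; c="x"' into {'a': '1', 'b': '', 'c': 'x'}, names lower-cased."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit_headers(headers):
    """Return a list of findings (empty = all checks passed); header name -> list of values."""
    h = {k.lower(): v for k, v in headers.items()}
    one = lambda n: (h.get(n) or [""])[0].strip()  # first value of a header, or ""
    findings = []
    for cookie in h.get("set-cookie", []):
        attrs, cname = _directives(cookie), cookie.split("=", 1)[0].strip()
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"cookie {cname}: SameSite should be Strict or Lax")
    if one("referrer-policy").lower() in ("", "unsafe-url"):
        findings.append("Referrer-Policy: missing or unsafe-url (leaks the full URL)")
    if one("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: wildcard allows any origin")
    if one("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: must be DENY or SAMEORIGIN")
    if one("x-content-type-options").lower() != "nosniff":
        findings.append("X-Content-Type-Options: should be nosniff")
    # CSP directives are ';'-separated; directive name and sources are split by whitespace.
    csp = {p.split()[0].lower() for p in one("content-security-policy").split(";") if p.split()}
    if "default-src" not in csp:
        findings.append("Content-Security-Policy: no default-src fallback")
    hsts = _directives(one("strict-transport-security"))
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < 31536000:
        findings.append("Strict-Transport-Security: max-age missing or below one year")
    return findings

# Constructed sample response: one good cookie, one bad, and weak framing/CSP/HSTS.
SAMPLE = {
    "Set-Cookie": ["session=abc123; Secure; SameSite=Strict", "track=1; SameSite=None"],
    "Referrer-Policy": ["strict-origin"],
    "X-Frame-Options": ["ALLOW-FROM https://partner.example"],
    "X-Content-Type-Options": ["nosniff"],
    "Content-Security-Policy": ["script-src 'self'"],
    "Strict-Transport-Security": ["max-age=3600;"],
}
```

Running `audit_headers(SAMPLE)` reports five findings (the `track` cookie twice, then framing, CSP and HSTS); a response carrying the headers exactly as shown in the examples above returns an empty list.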