Content Security Policy

Strict-Transport-Security HTTP Response Header


Tells the browser that, for the period given by max-age, this host may only be reached over HTTPS: any http:// URL for it is rewritten to https:// before the request leaves the browser, and certificate errors become hard failures instead of click-through warnings. The policy is learned from a header on an HTTPS response, so the very first connection is still unprotected.

Why Use HSTS?


  1. Active Network Attacks – man-in-the-middle, SSL/HTTPS stripping, compromised DNS, evil-twin access points. These attacks need a cleartext request to hijack or downgrade; with HSTS the browser never sends one.
  2. Passive Network Attacks – eavesdropping on open Wi-Fi. Forcing HTTPS means there is no cleartext request, and no cookie in it, to capture.
  3. Mixed Content Vulnerabilities – an http:// subresource (script, stylesheet, swf) referenced from a secure page is upgraded to https:// when its host is covered by a policy, instead of being loaded insecurely or blocked.
  4. Performance – the browser performs the upgrade itself, so the http to https redirect round trip disappears after the first visit.
  5. Because no one types https:// in the address bar.

HSTS Directives


max-age – number of seconds the browser should remember the policy, counted from the last time it saw the header (every HTTPS response carrying it refreshes the timer).
includeSubDomains – apply the policy to every subdomain of the requested host as well. Omit to cover only the current host. Before enabling it, confirm that every subdomain serves HTTPS, including internal ones, or they become unreachable for the whole max-age.
preload – not defined by RFC 6797 but honored by the browser vendors: consents to the host being hard-coded into browsers' built-in HSTS list, which closes the first-visit gap. Vendors require a max-age of at least one year together with includeSubDomains.

HSTS Examples


Require HTTPS for 60 seconds on current domain:

Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove an existing HSTS policy (including the subdomain flag). Like any HSTS header this only takes effect when served over HTTPS, so keep serving it until the old max-age has expired for all clients:

Strict-Transport-Security: max-age=0

How to Handle HTTP Requests


Requests Over HTTP (Non Secure)
Should respond with a 301 redirect to the same path on the https:// URL of the canonical hostname. Build the target from configuration, not from the client-supplied Host header, or the redirect becomes an open redirect.
Must NOT respond with a Strict-Transport-Security header on non-secure HTTP requests. Browsers ignore it over HTTP (RFC 6797 section 8.1), so it achieves nothing there.


Requests Over HTTPS

Should always respond with a Strict-Transport-Security header, on every response and not only the landing page, since each sighting refreshes the browser's timer.
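The rules above, as an added example that is not part of the original page: a parser for the header following the RFC 6797 grammar, the server-side decision (301 to https:// without the header on plain HTTP, the header on every HTTPS response) and a small model of the browser's HSTS host store showing how includeSubDomains, expiry and max-age=0 behave. CANONICAL_HOST and HSTS_POLICY are assumed deployment choices, not values from the page.

```javascript
// Added example, not from the original page: an RFC 6797 header parser,
// the server-side rule from this section (301 on plain HTTP without the
// header, HSTS on every HTTPS response), and a small model of the
// browser's HSTS host store. CANONICAL_HOST and HSTS_POLICY are assumed
// deployment choices.

const CANONICAL_HOST = 'www.example.com';
const HSTS_POLICY = 'max-age=31536000; includeSubDomains';

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
// Returns null when the value is invalid under RFC 6797 section 6.1:
// max-age is required, names are case-insensitive, each directive may
// appear only once, and includeSubDomains takes no value. Unknown
// directives (for example preload) are ignored, as the RFC requires.
function parseHsts(value) {
  const seen = new Set();
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;                       // tolerate a trailing ';'
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null;                 // duplicate directive
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      if (val !== null) return null;                 // valueless directive
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Server side. `request` is { secure: bool, path: string }; the redirect
// uses the configured canonical host rather than the client-supplied Host
// header, so a forged Host cannot turn the redirect into an open redirect.
function respond(request) {
  if (!request.secure) {
    return { status: 301, headers: { Location: `https://${CANONICAL_HOST}${request.path}` } };
  }
  return { status: 200, headers: { 'Strict-Transport-Security': HSTS_POLICY } };
}

// Browser side: record a policy seen on an HTTPS response from `host`.
// max-age=0 deletes the entry, which is how a site withdraws HSTS.
function rememberHsts(store, host, value, nowMs) {
  const policy = parseHsts(value);
  if (policy === null) return store;
  const key = host.toLowerCase();
  if (policy.maxAge === 0) {
    delete store[key];
  } else {
    store[key] = { expires: nowMs + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains };
  }
  return store;
}

// Must an http:// request to `host` be rewritten to https://? The host
// itself matches directly; a parent domain only matches if its entry was
// set with includeSubDomains (RFC 6797 section 8.3). Matching is on DNS
// labels, so an entry for example.com never covers notexample.com.
function mustUpgrade(store, host, nowMs) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = store[labels.slice(i).join('.')];
    if (!entry || entry.expires <= nowMs) continue;
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}
```

The store model is the part worth running: it makes visible that a policy on example.com without includeSubDomains does nothing for api.example.com, and that the policy expires exactly max-age seconds after the last sighting unless refreshed.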

HSTS Browser Support


HSTS Resources

  1. HSTS Specification: https://tools.ietf.org/html/rfc6797
  2. OWASP: HTTP Strict Transport Security Cheat Sheet

X-Frame-Options


Allows the server to state whether the response may be rendered inside a frame (frame, iframe, object) and, if so, by pages from which origin. A browser that honors the header refuses to render the framed page at all.


Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP: send both, and a CSP Level 2 browser ignores X-Frame-Options in favor of frame-ancestors while older browsers fall back to it. Keep the two consistent; the legacy header cannot express a list of several allowed origins.

Clickjacking


  • AKA UI Redressing
  • Attacker loads the target page in an invisible or disguised frame on top of a decoy page, so a click the user intends for the decoy lands on the target and performs an unintended action (change a setting, confirm a payment) with the user's own session cookies.

X-Frame-Options Directives


  • DENY – Specifies that the requested resource must never be embedded in a frame, not even by the same origin.
  • SAMEORIGIN – Only pages on the same origin may frame the requested resource. Browsers differ on whether every ancestor frame or only the top-level page is checked, so do not rely on it for nested frames.
  • ALLOW-FROM origin – Allow a single listed origin to frame the requested content. Chrome and Safari never implemented ALLOW-FROM and treat the header as invalid, which leaves the page frameable by anyone; use frame-ancestors for this case.

X-Frame-Options Resources


  1. http://tools.ietf.org/html/rfc7034
  2. OWASP: Clickjacking Defense Cheat Sheet

Content-Security-Policy (CSP)


HTTP response header that declares, per resource type, which origins the browser may load resources from, plus a few non-loading controls such as framing and form targets. Anything outside the policy is blocked and, optionally, reported back to the server.

Why Content-Security-Policy?


  • Greatly reduces the impact of Cross Site Scripting (XSS): an injected inline script, or a script from an unlisted origin, does not run even when the injection itself succeeds.
  • Report / log violations, which surface XSS attempts and bugs in the page as they happen.

CSP Directives

CSP can restrict each class of asset independently.

  • default-src – fallback for every fetch directive below that is absent (scripts, styles, images, connections, fonts, objects, media, frames). Does not cover base-uri, form-action, frame-ancestors, sandbox or report-uri.
  • script-src – scripts
  • style-src – stylesheets
  • img-src – limit origins of images
  • connect-src – XHR, WebSockets, EventSource
  • base-uri – URLs allowed in the page's <base> element; restrict it, or an injected <base> redirects every relative script URL
  • font-src – font files
  • form-action – origins that forms may be submitted to
  • frame-ancestors – origins that may embed this page (the CSP replacement for X-Frame-Options)
  • plugin-types – restricts the set of plugin MIME types that can be invoked
  • object-src – Flash and other plugin objects
  • media-src – audio and video
  • child-src – nested browsing contexts (frames) and workers
  • sandbox – applies the restrictions of the iframe sandbox attribute to the page itself
  • report-uri – where the browser POSTs violation reports

CSP Source Expressions


Source value          Meaning
*                     Wildcard: any host over any network scheme. Does not match data: or blob:, which must be listed explicitly.
'self'                Same origin as the document (scheme, host and port).
'none'                Nothing of this type may load.
domain.example.com    That host only, over the document's scheme (or a more secure one).
*.example.com         Any subdomain, but not example.com itself; list it separately if needed.
https://example.com   That origin only, scheme included.
https:                Any host, as long as it is fetched over HTTPS.
data:                 data: URIs. Harmless for images; in script-src it is as dangerous as 'unsafe-inline'.

unsafe-inline


  • When script-src or style-src is set, inline <script> and <style> elements, inline event handlers (onclick=...) and javascript: URLs are blocked.
    • You can add 'unsafe-inline' to re-enable them, but that defeats much of CSP's purpose, since an injected inline script is the usual XSS payload. Move inline code into external files served from an allowed origin; CSP Level 2 adds nonce and hash sources for the inline code you cannot move.

unsafe-eval


  • CSP also disables dynamic code evaluation from strings: eval(), new Function(), and setTimeout/setInterval called with a string argument.
    • You can add 'unsafe-eval' to a script-src directive to re-enable this. Prefer fixing the code; templating libraries that compile templates at runtime are the usual offenders.
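The directive list, source-expression table and the two unsafe-* keywords above, together with the X-Frame-Options section, as one added example that is not part of the original page: a CSP header is built from a directive map, parsed back, audited for the weak source expressions the text warns about (wildcards, 'unsafe-inline', 'unsafe-eval', data: in script-src, missing object-src), and the legacy X-Frame-Options value is derived from frame-ancestors so the two headers stay consistent. Directive and keyword names follow CSP Level 2; which findings count as weak is this example's own judgement, and WEAK_CSP and STRICT_POLICY are constructed samples.

```javascript
// Added example, not from the original page: build a CSP header value
// from a directive map, parse one back, audit it for the weak source
// expressions discussed above, and derive the legacy X-Frame-Options
// header from frame-ancestors. Directive and keyword names follow CSP
// Level 2; which findings count as weak is this example's own judgement.
// WEAK_CSP and STRICT_POLICY are constructed samples.

// Serialize { directive: [sources...] } into a header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value into { directive: [sources...] }. As in the spec,
// the first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(value) {
  const policy = {};
  for (const raw of value.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Directives that do not fall back to default-src when absent (CSP Level 2).
const NO_FALLBACK = new Set(['base-uri', 'form-action', 'frame-ancestors',
                             'plugin-types', 'sandbox', 'report-uri']);

// Source list that actually governs `directive`, or null if nothing does.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (NO_FALLBACK.has(directive)) return null;
  return policy['default-src'] || null;
}

// Audit the script and plugin controls. Returns human-readable findings;
// an empty array means none of these checks fired (not that the policy is
// good: this does not, for example, look at base-uri or form-action).
function auditCsp(value) {
  const policy = parseCsp(value);
  const findings = [];
  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('script-src: neither script-src nor default-src set; scripts are unrestricted');
  } else {
    for (const src of scripts) {
      const s = src.toLowerCase();
      if (s === '*' || s === 'https:' || s === 'http:') findings.push(`script-src: ${src} allows scripts from any host`);
      if (s === "'unsafe-inline'") findings.push("script-src: 'unsafe-inline' re-enables inline scripts, the usual XSS payload");
      if (s === "'unsafe-eval'") findings.push("script-src: 'unsafe-eval' re-enables eval() and string-based timers");
      if (s === 'data:') findings.push('script-src: data: lets an injected <script src="data:..."> run');
    }
  }
  if (effectiveSources(policy, 'object-src') === null) {
    findings.push("object-src: unrestricted; plugins can run script, add object-src 'none'");
  }
  return findings;
}

// Legacy X-Frame-Options value equivalent to a frame-ancestors list, for
// browsers without CSP Level 2. Returns null when no faithful mapping
// exists (several origins or a wildcard host); serve frame-ancestors alone
// in that case rather than a looser X-Frame-Options.
function xfoFor(frameAncestors) {
  if (frameAncestors.length !== 1) return null;
  const v = frameAncestors[0];
  if (v === "'none'") return 'DENY';
  if (v === "'self'") return 'SAMEORIGIN';
  if (/^https?:\/\/[^\s*]+$/.test(v)) return `ALLOW-FROM ${v}`;   // Firefox/IE only
  return null;
}

// Constructed samples: a policy that re-enables what CSP exists to stop,
// and a tightened replacement built from the directive list above.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const STRICT_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'object-src': ["'none'"],
  'frame-ancestors': ["'none'"],
  'report-uri': ['/csp-report'],
};
```

Running auditCsp over WEAK_CSP produces three findings (the wildcard and both unsafe-* keywords), while buildCsp(STRICT_POLICY) produces none; xfoFor(STRICT_POLICY['frame-ancestors']) yields DENY, the X-Frame-Options value to send alongside it for older browsers.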

CSP Reports


  • Configure a report-uri to accept CSP violation reports (the browser POSTs a JSON body to it)
  • Be notified of XSS attempts and policy mistakes as they occur
  • Reports from users with CSP-capable browsers reveal attacks and injection points; fixing them protects the users whose browsers do not enforce CSP
  • Serve the endpoint over HTTPS (reports carry the document URI and referrer) and expect noise from browser extensions

Content-Security-Policy: default-src 'self'; report-uri https://example.com/report.php

Report-only headers


  • Content-Security-Policy-Report-Only
  • Notifies you of violations, but won't block anything
  • Lets you try a policy against real traffic before enforcing it; once the report stream shows only genuine violations, switch the header name to Content-Security-Policy

Specify a report-uri to receive the JSON violation reports; without one the violations only appear in the browser console.

Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://example.com/report.php
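The receiving side of report-uri, covering both the CSP Reports and Report-only sections above, as an added example that is not part of the original page: the standard "csp-report" JSON body is parsed, non-reports are rejected, and each report is triaged into extension noise, a likely XSS (inline or eval'd script blocked by script-src) or a policy gap (a resource the site genuinely uses but the policy does not yet allow, which is what a Report-Only rollout exists to find). The sample bodies are constructed and the triage categories are this example's own convention.

```javascript
// Added example, not from the original page: the receiving side of
// report-uri. Browsers POST a JSON body whose top-level "csp-report"
// object has the fields used below (standard report format); the sample
// bodies here are constructed, and the triage categories are this
// example's own convention.

// Constructed: what a browser posts after blocking an inline script on an
// account page, a browser-extension injection, a blocked image, and a
// body that is not a CSP report at all.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://www.example.com/account',
    'referrer': '',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'original-policy': "default-src 'self'; report-uri /csp-report",
    'blocked-uri': 'inline',
    'status-code': 200 } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://www.example.com/',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'blocked-uri': 'chrome-extension://abcdefghijklmnop/content.js' } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://www.example.com/blog',
    'violated-directive': "default-src 'self'",
    'effective-directive': 'img-src',
    'blocked-uri': 'https://images.partner.example/logo.png' } }),
  '{"not":"a csp report"}',
];

// Pull out the fields worth storing. Returns null for bodies that are not
// CSP reports, so a public endpoint does not persist arbitrary junk.
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // Older browsers omit effective-directive; fall back to the first token
  // of violated-directive.
  const directive = r['effective-directive'] || String(r['violated-directive'] || '').split(/\s+/)[0];
  return {
    documentUri: String(r['document-uri'] || ''),
    directive: directive,
    blockedUri: String(r['blocked-uri'] || ''),
    sourceFile: r['source-file'] ? String(r['source-file']) : null,
  };
}

// Sources that mean "something in the user's browser, not our page":
// extension content scripts and about:blank frames. Filtering these keeps
// the report stream readable.
const NOISE = /^(chrome-extension|moz-extension|safari-extension|safari-web-extension|ms-browser-extension|about|chrome):/i;

// Triage into: invalid, noise, possible-xss (script-src violation by inline
// or eval'd code, which is what an injected payload looks like) or
// policy-gap (a resource the site really uses but the policy does not yet
// allow; these are what a Report-Only rollout is meant to surface).
function triageReport(report) {
  if (report === null) return 'invalid';
  if (NOISE.test(report.blockedUri) || (report.sourceFile && NOISE.test(report.sourceFile))) return 'noise';
  if (report.directive === 'script-src' && (report.blockedUri === 'inline' || report.blockedUri === 'eval')) return 'possible-xss';
  return 'policy-gap';
}

// Count a batch of raw bodies by category, e.g. to decide when the
// Report-Only stream is clean enough to switch to the enforcing header.
function summarize(bodies) {
  const counts = { invalid: 0, noise: 0, 'possible-xss': 0, 'policy-gap': 0 };
  for (const body of bodies) counts[triageReport(parseCspReport(body))]++;
  return counts;
}
```

summarize(SAMPLE_REPORTS) returns one report in each category. In practice the policy-gap bucket drives the Report-Only phase (add the missing origins or move inline code, re-run) and the possible-xss bucket is what to alert on once the policy is enforced.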

CSP Browser Support


CSP Resources