Security Headers
1. Strict-Transport-Security HTTP Response Header
Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.
1.1. Why Use HSTS?
- Passive Network Attacks - man in the middle attacks, HTTPS stripping attacks.
- Active Network Attacks - compromised DNS, evil twin domains, etc.
- Mixed Content Vulnerabilities - loading of an insecure resource over a secure request (e.g. swf)
- Performance - removes the unnecessary redirect from HTTP to HTTPS.
- Because no one types https:// in the address bar.
1.2. HSTS Directives
- max-age - number of seconds the policy should be kept for.
- includeSubDomains - apply this policy to all subdomains of the requested host. Omit to apply the policy only to the current domain.
1.3. HSTS Examples
Require HTTPS for 60 seconds on current domain:
Strict-Transport-Security: max-age=60
Require HTTPS for 365 days on all subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Remove HSTS Policy (including subdomains):
Strict-Transport-Security: max-age=0
1.4. How to handle HTTP Requests
Requests Over HTTP (Non Secure)
Must NOT send the Strict-Transport-Security header in responses to non-secure HTTP requests.
Requests Over HTTPS
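The browser-side behaviour described in 1.2 to 1.4, as an added Python example that is not part of the original page: a store that records policies only from HTTPS responses, honours max-age expiry and includeSubDomains, and drops a policy on max-age=0. Names such as HstsStore are illustrative.

```python
import time

# Added example, not from the page: a minimal model of how a browser records and
# applies HSTS policies (max-age, includeSubDomains, max-age=0, and ignoring the
# header when it arrives over plain HTTP). Names such as HstsStore are illustrative.

def hsts_header(max_age, include_subdomains=False):
    """Build the Strict-Transport-Security value a server sends (over HTTPS only)."""
    value = f"max-age={int(max_age)}"
    return value + "; includeSubDomains" if include_subdomains else value

def parse_hsts(value):
    """'max-age=N[; includeSubDomains]' -> (seconds, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Known HSTS hosts: host -> (expiry timestamp, include_subdomains)."""
    def __init__(self):
        self.policies = {}

    def observe(self, scheme, host, sts_value, now=None):
        """Process a response header; returns True if it changed the store."""
        if scheme != "https":
            return False                     # header over plain HTTP must be ignored
        now = time.time() if now is None else now
        host = host.lower()
        max_age, include_sub = parse_hsts(sts_value)
        if max_age == 0:
            self.policies.pop(host, None)    # max-age=0 removes the policy
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def must_use_https(self, host, now=None):
        """True if host (or a parent domain with includeSubDomains) has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```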
1.5. HSTS Browser Support
1.6. HSTS Resources
- HSTS Specification: https://tools.ietf.org/html/rfc6797
- OWASP: HTTP Strict Transport Security Cheat Sheet
2. X-Content-Type-Options
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared Content-Type. The only valid value for this header is X-Content-Type-Options: nosniff.
2.1. X-Content-Type-Options Resources
3. X-Frame-Options
Allows the server to specify whether the response content may be embedded in a frame, and if so from which origin.
Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard, it is widely supported and can be used in conjunction with CSP.
3.1. Clickjacking
- AKA UI Redressing
- Attacker tricks the user into clicking on something that performs an unintended action.
3.2. X-Frame-Options Directives
- DENY - Specifies that the requested resource should never be embedded in a frame.
- SAMEORIGIN - Only pages on the same domain may frame the requested resource.
- ALLOW-FROM origin - Allow a whitelisted origin to frame the requested content.
3.3. X-Frame-Options Resources
4. Content-Security-Policy (CSP)
An HTTP response header that allows the server to control how resources are loaded.
4.1. Why Content-Security-Policy?
- Greatly reduces the success of Cross Site Scripting (XSS) attacks.
- Report / log XSS attack attempts
4.2. CSP Directives
CSP can protect against a variety of unauthorized asset types.
- default-src – all assets (including scripts)
- base-uri – URLs permitted in the document's <base> element
- connect-src – XHR, WebSockets, EventSource
- font-src – font files
- form-action – URLs that forms may be submitted to
- frame-ancestors – origins allowed to embed this page in a frame (replaces X-Frame-Options)
- frame-src – nested browsing contexts sources
- img-src – limit origins of images
- media-src – audio and video
- object-src – Flash and other plugin objects
- plugin-types – restricts the set of plugins that can be invoked
- report-uri – where the browser POSTs violation reports
- sandbox – preventing popups, the execution of plugins and scripts, and enforcing a same-origin policy
- script-src – scripts
- script-src-attr – inline event handler attributes (e.g. onclick)
- script-src-elem – <script> elements and external script requests
- style-src – stylesheets
4.3. CSP Source Expressions
Source Value | Meaning
--- | ---
* | Wildcard, allows all origins.
'self' | Allow same origin.
'none' | Don't allow any resources of this type to load.
domain.example.com | Allow a specific domain.
*.example.com | Allow all subdomains of a domain.
https://example.com | Scheme-specific: the host only over https.
https: | Require https (any host).
data: | Allow data: URI schemes.
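The directive fallback (4.2), the source expressions in the table above and the inline-script rule (4.4), as an added Python example that is not part of the original page. It implements a simplified subset of the CSP matching rules; parse_csp, source_allows and csp_allows are illustrative names.

```python
from urllib.parse import urlsplit

# Added example, not from the page: decide whether a CSP header allows a given
# load. Simplified subset of CSP matching; helper names are illustrative.

NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "report-uri", "sandbox"}

def parse_csp(header):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_allows(source, page_url, resource_url):
    """Does one source expression permit resource_url when loaded from page_url?"""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if source == "'none'":
        return False
    if source == "*":                      # wildcard never covers data:/blob: URLs
        return res.scheme not in ("data", "blob", "filesystem")
    if source == "'self'":
        return (page.scheme, page.netloc) == (res.scheme, res.netloc)
    if source.endswith(":"):               # scheme-only source, e.g. https: or data:
        return res.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != res.scheme:
        return False
    if not src.scheme and res.scheme not in (page.scheme, "https"):
        return False                       # host-only sources match the page scheme or https
    host, pattern = (res.hostname or "").lower(), (src.hostname or "").lower()
    if pattern.startswith("*."):
        host_ok = host.endswith(pattern[1:]) and host != pattern[2:]
    else:
        host_ok = host == pattern
    return host_ok and (src.port is None or src.port == res.port)

def csp_allows(header, directive, page_url, resource_url):
    """True if the load is permitted; most absent directives fall back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                        # nothing in the policy governs this load
    return any(source_allows(s, page_url, resource_url) for s in sources)

def inline_script_allowed(header):
    # Inline <script> is blocked once script-src (or default-src) is set, unless 'unsafe-inline'.
    sources = parse_csp(header).get("script-src", parse_csp(header).get("default-src"))
    return sources is None or "'unsafe-inline'" in sources
```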
4.4. unsafe-inline
- When script-src or style-src are enabled, inline style or script tags are disabled.
- You can add 'unsafe-inline' to allow them, but this defeats much of CSP's purpose.
4.5. unsafe-eval
- CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
- You can add 'unsafe-eval' to a script-src directive to allow it again.
4.6. CSP Reports
- Configure a report-uri to accept CSP violation reports (POST requests)
- Be notified of XSS vulnerabilities as they occur
- Users with CSP-supporting browsers make it safer for everybody
Content-Security-Policy: default-src 'self'; report-uri http://example.com/report.php
4.6.1. Report-only headers
- Content-Security-Policy-Report-Only
- Notifies you of violations, but won't take action
- Lets you try CSP risk-free
- Set a report-uri to receive JSON violation reports
Report only:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.com/report.php
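The receiving side of the report-uri in 4.6, as an added Python example that is not part of the original page: it parses the JSON body a browser POSTs, keeps only the blocked origin (paths and query strings can carry tokens), flags browser-extension noise and aggregates by directive. The field names are the ones browsers send in the "csp-report" object; both sample bodies are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Added example, not from the page: parse the JSON body a browser POSTs to the
# report-uri and aggregate it. Field names are the ones browsers send in the
# "csp-report" object; both sample bodies below are constructed.

SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/account?session=abc123",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri http://example.com/report.php",
    "blocked-uri": "https://third-party.example/widget.js?token=xyz",
    "status-code": 200}}).encode()

# Reports caused by browser extensions injecting scripts are noise, not a site bug.
NOISE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "chrome-extension://placeholder-extension-id/inject.js"}}).encode()

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}

def parse_csp_report(body):
    """Reduce one report (bytes) to what is worth storing; None if it is not a CSP report."""
    try:
        report = json.loads(body.decode("utf-8"))["csp-report"]
    except (ValueError, KeyError, UnicodeDecodeError, TypeError):
        return None
    directive = report.get("effective-directive") or (report.get("violated-directive") or "?").split()[0]
    blocked = report.get("blocked-uri") or "unknown"   # a URL, or 'inline', 'eval', 'data', ...
    if "://" in blocked:                                 # keep the origin only; paths may carry tokens
        parts = urlsplit(blocked)
        blocked = f"{parts.scheme}://{parts.netloc}"
    return {"document": urlsplit(report.get("document-uri", "")).path or "/",  # drop query string
            "directive": directive, "blocked": blocked,
            "noise": blocked.split(":")[0] in EXTENSION_SCHEMES}

def summarize(bodies):
    """Count genuine violations by (directive, blocked origin) to see what to fix first."""
    counts = Counter()
    for body in bodies:
        rec = parse_csp_report(body)
        if rec and not rec["noise"]:
            counts[(rec["directive"], rec["blocked"])] += 1
    return counts
```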
4.7. CSP Browser Support
4.8. CSP Resources
- CSP quick reference
- W3C: Content Security Policy Level 2
- W3C: Content Security Policy Level 3
- OWASP: Content Security Policy Cheat Sheet
- Mozilla: CSP policy directives
5. Permissions-Policy
A security mechanism that allows developers to explicitly enable or disable various powerful browser features for a given site.
- W3C: https://www.w3.org/TR/permissions-policy-1/
- W3C: Permissions Policy Explainer
- https://w3c.github.io/permissions/
5.1. Permissions Policy Browser Support
6. Referrer Policy
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, is included with requests made from a page.
6.1. Why Referrer Policy?
- Privacy
- Security
- Trackback
6.2. Referrer Policy Directives
- no-referrer - Do not send an HTTP Referer header.
- no-referrer-when-downgrade - Send the origin as a referrer to URLs as secure as the current page (https→https), but do not send a referrer to less secure URLs (https→http). This is the default behaviour.
- same-origin - A referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
- origin - Send only the origin of the document.
- strict-origin - Only send the origin of the document as the referrer to an equally secure destination (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
- origin-when-cross-origin - Send the full URL (stripped of parameters) for same-origin requests, but only send the origin for other cases.
- strict-origin-when-cross-origin - Send the full URL when performing a same-origin request, only send the origin of the document to an equally secure destination (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
- unsafe-url - Send the full URL (stripped of parameters) for same-origin or cross-origin requests.
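The directives above worked through in code, as an added Python example that is not part of the original page: referer_for returns the Referer value a browser sends for a request from source_url to target_url under each policy, following the W3C Referrer Policy specification (the "full URL" keeps path and query and drops the fragment and any credentials). Helper names are illustrative.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not from the page: the Referer value a browser sends for a request
# from source_url to target_url under each directive, following the W3C Referrer
# Policy specification. Returns None when no header is sent. Names are illustrative.

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def _full(url):
    """Full URL as sent in Referer: path and query kept, fragment and credentials dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))

def _same_origin(a, b):
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def _downgrade(source, target):
    """TLS-protected page making a request to a non-TLS destination."""
    return urlsplit(source).scheme == "https" and urlsplit(target).scheme != "https"

def referer_for(policy, source_url, target_url):
    same, downgrade = _same_origin(source_url, target_url), _downgrade(source_url, target_url)
    policy = policy.strip().lower()
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(source_url)
    if policy == "origin":
        return _origin(source_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source_url)
    if policy == "same-origin":
        return _full(source_url) if same else None
    if policy == "origin-when-cross-origin":
        return _full(source_url) if same else _origin(source_url)
    if policy == "strict-origin-when-cross-origin":
        if same:
            return _full(source_url)
        return None if downgrade else _origin(source_url)
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")
```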
6.3. Browser Support
6.4. Referrer Policy Resources
- W3C: Referrer Policy Specifications
- Mozilla: Referrer-Policy
- https://developer.mozilla.org/[...]eb/HTML/Element/meta
7. Tools
7.1. Header Analyser
Analyse the security of your HTTP response headers.
7.2. CSP Analyser
Analyse the Content Security Policy of your site or any other site.
7.3. CSP Builder
Quickly and easily build your own Content Security Policy.
7.4. CSP Hash
Generate a hash of your JS or CSS to include in your CSP.
7.5. SRI Hash Generator
Generate an SRI tag for externally loaded assets.