WackoWiki: Security Headers

https://wackowiki.org/doc     Version: 02.02.2019 12:08

Strict-Transport-Security HTTP Response Header

Instructs the browser to always request a host over HTTPS instead of HTTP for as long as the policy is cached (max-age): http:// URLs for that host are rewritten to https:// before any request leaves the browser, and certificate errors for the host can no longer be clicked through.

Why Use HSTS?

  1. Passive Network Attackers – eavesdroppers on an untrusted network (public Wi-Fi, for example) who read whatever the browser still sends over plain HTTP, session cookies included.
  2. Active Network Attackers – man-in-the-middle and HTTPS-stripping attacks, compromised DNS, evil-twin access points and look-alike hosts: once the policy is cached the browser never makes the initial plain HTTP request the attacker needs to intercept. Note that the very first visit, before the header has been seen, is still unprotected.
  3. Mixed Content Vulnerabilities – a hard-coded http:// sub-resource on the protected host (e.g. a script or swf) is upgraded to https:// before it is fetched.
  4. Performance – removes the http→https redirect round trip on every later request.
  5. Because no one types https:// in the address bar.

HSTS Directives

max-age – number of seconds the policy is kept for, counted from the most recent response that carried the header (every response refreshes the timer). Required.
includeSubDomains – apply this policy to all subdomains of the requested host as well. Omit to apply the policy only to the host that sent the header. Make sure every subdomain actually serves HTTPS before adding it: a client that has cached the policy cannot reach an HTTP-only subdomain until the parent host sends max-age=0 over HTTPS.

HSTS Examples

Require HTTPS for 60 seconds on current domain:
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on all subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains). Only a response received over HTTPS is honoured, and only clients that actually revisit the host will drop the cached policy:
Strict-Transport-Security: max-age=0

How to handle HTTP Requests

Requests Over HTTP (Non Secure)
Should respond with a 301 redirect to the same URL under https://, and no content.
Must NOT respond with a Strict-Transport-Security header on non-secure HTTP requests; browsers are required to ignore the header there anyway (RFC 6797, section 8.1), because nothing on an unauthenticated connection can be trusted.

Requests Over HTTPS
Should always respond with a Strict-Transport-Security header, on every response (redirects, error pages and static assets included), not only the front page, since the policy timer is refreshed only when the header is seen.
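The two halves of the rule above, server and browser, as an added example (not WackoWiki code): the server redirects plain HTTP and sends the header only over HTTPS, and a small cache models what a browser does with the header per RFC 6797 (parse max-age and includeSubDomains, ignore the header over HTTP, delete the entry on max-age=0, match subdomains only when includeSubDomains was set). Host names such as wiki.example are constructed, and max-age expiry over time is left out.

```python
"""Added example (not WackoWiki code): Strict-Transport-Security on both sides."""
from urllib.parse import urlsplit

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def respond(scheme: str, host: str, path: str) -> tuple:
    """Server side. Plain HTTP gets a 301 to the https:// URL and no HSTS
    header; HTTPS gets the content plus the HSTS header on every response."""
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE,
                 "Content-Type": "text/html"}


def parse_hsts(value: str):
    """Parse a header value into (max_age, include_subdomains).
    Returns None when malformed: max-age is required, names are
    case-insensitive, unknown directives are ignored (RFC 6797 s6.1)."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Browser side: which hosts must be fetched over HTTPS."""

    def __init__(self):
        self.hosts = {}  # host -> include_subdomains flag

    def observe(self, url: str, headers: dict) -> None:
        """Process one response. The header is honoured only on a secure
        transport (RFC 6797 s8.1); max-age=0 deletes an existing entry."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return
        parsed = parse_hsts(sts)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = (parts.hostname or "").lower()
        if max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = include_sub

    def must_upgrade(self, host: str) -> bool:
        """True if the browser rewrites http://host to https:// itself."""
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if self.hosts.get(parent):  # True only if parent set includeSubDomains
                return True
        return False


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https://wiki.example/", respond("https", "wiki.example", "/")[1])
    print(cache.must_upgrade("img.wiki.example"))  # True: policy cached from parent
```

The cache deliberately ignores a header seen on an http:// response, which is why the server-side rule of not sending it there costs nothing; what the rule actually protects against is an operator assuming the header "took" when it never could.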

HSTS Browser Support

HSTS Resources

  1. HSTS Specification: https://tools.ietf.org/html/rfc6797
  2. OWASP: HTTP Strict Transport Security Cheat Sheet


X-Content-Type-Options

X-Content-Type-Options stops a browser from MIME-sniffing the content type of a response and forces it to stick with the declared Content-Type. The only valid value is nosniff: X-Content-Type-Options: nosniff. It matters most for user-supplied files: without it a browser may decide that a response declared as text/plain or as an image is really HTML or JavaScript and render or execute it. Browsers also use it to refuse scripts and stylesheets served with the wrong MIME type, so check that your static assets are served with correct types before enabling it.

X-Content-Type-Options Resources

  1. https://developer.mozilla.org/[...]Content-Type-Options


X-Frame-Options

Allows the server to specify whether the response may be displayed inside a frame, and if so from what origin. This is the clickjacking defence: an attacker page cannot overlay invisible frames of your site to capture clicks.

Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header, but at the time of writing it was not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP; a browser that understands frame-ancestors uses it and ignores X-Frame-Options, while older browsers fall back to X-Frame-Options. Keep the two consistent.


X-Frame-Options Directives

X-Frame-Options Resources

  1. http://tools.ietf.org/html/rfc7034
  2. OWASP: Clickjacking Defense Cheat Sheet

Content-Security-Policy (CSP)

HTTP response header that lets the server declare from which sources the browser may load each kind of resource (scripts, styles, images, frames, connections and so on). Markup injected into a page can then no longer pull in or run code from a source the policy does not list.

Why Content-Security-Policy?

CSP Directives

CSP can protect against a variety of unauthorized asset types. Each directive covers one asset type (for example script-src, style-src, img-src, connect-src, frame-src); default-src is the fallback for every fetch directive that is not set explicitly, so a policy should always include it.

CSP Source Expressions

  Source value          Meaning
  *                     Wildcard: allows any origin with a network scheme (http, https, ws, wss). Does not cover data:, blob: or filesystem: URLs; those schemes must be listed explicitly.
  'self'                Allow the page's own origin (same scheme, host and port). The quotes are part of the value.
  'none'                Don't allow any resources of this type to load.
  domain.example.com    Allow that host only (not its subdomains), over the page's own scheme or an https upgrade of it.
  *.example.com         Allow all subdomains of a domain (not example.com itself).
  https://example.com   Scheme specific: that host only over https.
  https:                Allow any host, but only over https.
  data:                 Allow data: URIs. For script-src this is as permissive as allowing inline scripts, since an injected data: URL carries its own code.
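The matching rules in the table, as an added example (not WackoWiki code): a parser for a policy string and a function that decides whether a given URL may be loaded under a given directive, with the default-src fallback. It follows CSP Level 3 matching for the source forms listed above but simplifies it: port and path components of host sources are not compared, and nonce and hash sources are not handled. The policy, document and resource URLs are constructed.

```python
"""Added example (not WackoWiki code): CSP source-expression matching."""
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_policy(policy: str) -> dict:
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}.
    A directive name repeated later in the policy is ignored, as browsers do."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # any subdomain, never the apex itself
    return pattern == host


def _scheme_ok(allowed_scheme: str, url_scheme: str) -> bool:
    # http: sources also permit https:, the reverse is never allowed
    return url_scheme == allowed_scheme or (allowed_scheme == "http" and url_scheme == "https")


def source_matches(source: str, url: str, document: str) -> bool:
    """Test one source expression against one resource URL."""
    source = source.lower()
    u, d = urlsplit(url), urlsplit(document)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.hostname == d.hostname and u.port == d.port
                and _scheme_ok(d.scheme, u.scheme))
    if source == "*":
        # '*' covers network schemes only: data:, blob:, filesystem: need listing
        return u.scheme in NETWORK_SCHEMES or u.scheme == d.scheme
    if source.endswith(":"):
        return _scheme_ok(source[:-1], u.scheme)  # scheme-source, e.g. https: or data:
    if "://" in source:
        scheme, _, rest = source.partition("://")
        if not _scheme_ok(scheme, u.scheme):
            return False
    else:
        rest = source  # bare host: page's own scheme, or its https upgrade
        if not _scheme_ok(d.scheme, u.scheme):
            return False
    host = rest.split("/")[0].split(":")[0]  # port and path are not compared here
    return _host_matches(host, u.hostname or "")


def allowed(policy: str, directive: str, url: str, document: str) -> bool:
    """Is `url` permitted for `directive`? Falls back to default-src when the
    directive is absent; with neither present, everything is allowed."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, document) for s in sources)


if __name__ == "__main__":
    policy = "default-src 'self'; img-src * data:; script-src https://cdn.example"
    print(allowed(policy, "script-src", "https://cdn.example/app.js", "https://wiki.example/"))  # True
    print(allowed(policy, "font-src", "https://fonts.example/a.woff", "https://wiki.example/"))  # False
```

Two of the checks are worth running against your own policy: a wildcard subdomain does not cover the apex host, and the wildcard `*` in img-src still rejects a blob: URL, which is exactly the kind of gap that shows up later as a violation report.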



CSP Reports

Add report-uri to a policy and the browser POSTs a JSON violation report to that URL each time the policy blocks something:

Content-Security-Policy: default-src 'self'; report-uri https://example.com/report.php

Use an https:// endpoint: every report contains the page URL and the blocked URL. The endpoint is public and unauthenticated, so validate, bound and rate-limit what it accepts. report-uri is marked as deprecated in CSP Level 3 in favour of report-to, but it remains the form every browser understands.

Report-only headers

Content-Security-Policy-Report-Only takes the same directives, but the browser only reports violations and blocks nothing. Use it to test a policy against real traffic before enforcing it; a report-only policy without a report-uri does nothing at all.

Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://example.com/report.php
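What the endpoint behind report-uri has to do with the JSON it receives, as an added example (not WackoWiki code): bound the body size, parse the csp-report object, drop reports caused by browser extensions (which the site cannot fix), separate inline/eval violations from remote ones, and strip the query string from the page URL before anything is logged. The sample report is constructed; the field names are the ones browsers send.

```python
"""Added example (not WackoWiki code): triage of a CSP violation report."""
import json
from urllib.parse import urlsplit

# Constructed sample of the body a browser POSTs (Content-Type: application/csp-report)
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://wiki.example/doc?page=1",
        "referrer": "",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri https://wiki.example/report.php",
        "blocked-uri": "https://evil.example/inject.js",
        "status-code": 200,
    }
})

# blocked-uri schemes that are almost always browser extensions injecting
# into the page: not a gap in the policy, so not worth alerting on
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "about"}


def triage(body: str, max_bytes: int = 16 * 1024):
    """Return a normalised dict for a report worth keeping, else None.
    The endpoint takes unauthenticated POSTs, so the body size is bounded
    and every field is treated as attacker-controlled text."""
    if len(body) > max_bytes:
        return None
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(report, dict):
        return None
    directive = report.get("effective-directive") or report.get("violated-directive")
    blocked = str(report.get("blocked-uri", ""))
    if not directive or not blocked:
        return None
    blocked_parts = urlsplit(blocked)
    if blocked_parts.scheme in NOISE_SCHEMES:
        return None
    # inline script/style and eval() violations carry a keyword, not a URL
    kind = "inline" if blocked in ("inline", "eval") else "remote"
    doc = urlsplit(str(report.get("document-uri", "")))
    return {
        # older browsers send the whole directive value; keep only its name
        "directive": str(directive).split()[0].lower(),
        "blocked_origin": blocked if kind == "inline"
        else f"{blocked_parts.scheme}://{blocked_parts.hostname}",
        "kind": kind,
        # query string dropped: it may hold tokens that should not reach the log
        "page": f"{doc.scheme}://{doc.netloc}{doc.path}" if doc.netloc else "",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Reports are sent by the client, so the same function should sit behind a rate limit keyed on source address; a burst of identical reports from one client says more about that client than about the policy.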

CSP Browser Support

CSP Resources

Referrer Policy

The Referrer-Policy HTTP header governs which referrer information (sent in the Referer request header, whose name keeps its historical misspelling) is included with requests made from the page: navigations, sub-resource loads and XHR/fetch requests alike.

Why Referrer Policy?

  1. Privacy – the full URL of the page reveals what the user was reading to every third party the page loads resources from.
  2. Security – URLs often carry session identifiers, password-reset tokens or search terms in the query string; a cross-origin Referer hands them to other sites.
  3. Trackback

Referrer Policy Directives

  1. no-referrer – Never send a Referer header.
  2. no-referrer-when-downgrade – Send the full URL (minus fragment, username and password) to destinations at least as secure as the current page (https→https, and anything from an http page), but send nothing to a less secure destination (https→http). This was the browser default when this page was written; current browsers default to strict-origin-when-cross-origin.
  3. same-origin – Send the full URL for same-origin requests only; cross-origin requests carry no Referer.
  4. origin – Send only the origin of the document (e.g. https://example.com/) to every destination, downgrades included.
  5. strict-origin – Send only the origin to destinations at least as secure as the page (https→https), and nothing to a less secure destination (https→http).
  6. origin-when-cross-origin – Send the full URL for same-origin requests, and only the origin for cross-origin requests (including https→http downgrades).
  7. strict-origin-when-cross-origin – Send the full URL for same-origin requests, only the origin for cross-origin requests to an equally secure destination (https→https), and nothing to a less secure destination (https→http).
  8. unsafe-url – Send the full URL, query string included (only the fragment, username and password are removed), to every destination, same-origin or cross-origin, secure or not. This leaks whatever is in the URL to third parties, which is why it is named unsafe.
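The eight policies as one function, added here as an example (not WackoWiki code): given the policy, the document URL and the request URL, it returns the Referer value the browser sends, or None when nothing is sent, following the "determine request's referrer" algorithm of the Referrer Policy specification. It is useful for checking what a page with tokens in its query string actually discloses. URLs are constructed; non-network document schemes (about:, data:) are not handled.

```python
"""Added example (not WackoWiki code): Referer value per Referrer-Policy."""
from urllib.parse import urlsplit, urlunsplit


def _netloc(p) -> str:
    # hostname plus explicit port only: credentials are never sent
    return (p.hostname or "") + (f":{p.port}" if p.port else "")


def _full(p) -> str:
    """Full URL stripped of fragment, username and password; query kept."""
    return urlunsplit((p.scheme, _netloc(p), p.path or "/", p.query, ""))


def _origin(p) -> str:
    """Serialised origin as the spec sends it: scheme://host[:port]/"""
    return f"{p.scheme}://{_netloc(p)}/"


def _trustworthy(scheme: str) -> bool:
    return scheme in ("https", "wss")


def _downgrade(src, dst) -> bool:
    return _trustworthy(src.scheme) and not _trustworthy(dst.scheme)


def _same_origin(src, dst) -> bool:
    return (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)


def referrer_for(policy: str, document_url: str, request_url: str):
    """Return the Referer header value, or None when no header is sent."""
    src, dst = urlsplit(document_url), urlsplit(request_url)
    policy = policy.strip().lower()
    if policy == "":
        # empty/unset policy: current browser default (was
        # no-referrer-when-downgrade when the page above was written)
        policy = "strict-origin-when-cross-origin"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(src)
    if policy == "same-origin":
        return _full(src) if _same_origin(src, dst) else None
    if policy == "origin":
        return _origin(src)
    if policy == "strict-origin":
        return None if _downgrade(src, dst) else _origin(src)
    if policy == "no-referrer-when-downgrade":
        return None if _downgrade(src, dst) else _full(src)
    if policy == "origin-when-cross-origin":
        return _full(src) if _same_origin(src, dst) else _origin(src)
    if policy == "strict-origin-when-cross-origin":
        if _same_origin(src, dst):
            return _full(src)
        return None if _downgrade(src, dst) else _origin(src)
    raise ValueError(f"unknown referrer policy {policy!r}")


if __name__ == "__main__":
    page = "https://wiki.example/reset?token=abc123#top"
    for p in ("unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(p, "->", referrer_for(p, page, "https://tracker.example/pixel.gif"))
```

Run it with a reset-link style URL as the document and a third-party destination: only the two strict policies and same-origin keep the token out of the cross-origin request, and no-referrer-when-downgrade, the old default, sends it in full to any https destination.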

Browser Support

Referrer Policy Resources


Header Analyser

Analyse the security of your HTTP response headers.

CSP Analyser

Analyse the Content Security Policy of your site or any other site.

CSP Builder

Quickly and easily build your own Content Security Policy.

CSP Hash

Generate a hash of your JS or CSS to include in your CSP.

SRI Hash Generator

Generate a SRI tag for externally loaded assets.
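What the CSP Hash and SRI Hash Generator tools above produce, as an added example (not WackoWiki or securityheaders code): a CSP hash-source for one inline script and a Subresource Integrity tag for an external asset. Both are base64 of a SHA-2 digest over the exact bytes, so the third function shows the check a browser performs before executing the asset, and why a single changed byte is rejected. The script text and asset bytes are constructed.

```python
"""Added example (not WackoWiki code): CSP hash sources and SRI integrity values."""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")


def _b64_digest(algo: str, data: bytes) -> str:
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def csp_hash_source(inline_script: str, algo: str = "sha256") -> str:
    """Source expression for script-src (or style-src), e.g. 'sha256-...'.
    The digest covers the text exactly as it sits between <script> and
    </script>, whitespace included, so any edit invalidates it and the
    browser refuses to run the altered block."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported hash algorithm {algo!r}")
    return f"'{algo}-{_b64_digest(algo, inline_script.encode('utf-8'))}'"


def sri_tag(url: str, content: bytes, algo: str = "sha384") -> str:
    """<script> tag pinning an external asset to the bytes it had when the
    tag was generated; crossorigin is required for cross-origin assets so
    the browser can read the body to verify it."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported hash algorithm {algo!r}")
    return (f'<script src="{url}" integrity="{algo}-{_b64_digest(algo, content)}" '
            'crossorigin="anonymous"></script>')


def sri_verify(content: bytes, integrity: str) -> bool:
    """The browser-side check: the integrity attribute may list several
    space-separated alternatives; any one matching the bytes is enough."""
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo in SRI_ALGOS and _b64_digest(algo, content) == expected:
            return True
    return False


if __name__ == "__main__":
    snippet = "document.title = 'Security Headers';"   # constructed inline script
    print("script-src", csp_hash_source(snippet))
    print(sri_tag("https://cdn.example/app.js", b"console.log('hello')"))
```

When a CDN ships a new build of the asset the integrity check fails closed and the script does not load, which is the intended behaviour; pin to versioned URLs rather than "latest" so that an update is a deliberate change to the tag.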