WackoWiki: Security Headers

https://wackowiki.org/doc     Version: 47 (02.10.2021 04:50)

Security Headers


1. Strict-Transport-Security HTTP Response Header


Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.

1.1. Why Use HSTS?


  1. Passive Network Attacks - man-in-the-middle attacks, HTTPS stripping attacks.
  2. Active Network Attacks - compromised DNS, evil twin domains, etc.
  3. Mixed Content Vulnerabilities - loading of an insecure resource over a secure request (e.g. SWF).
  4. Performance - removes unnecessary redirects from HTTP to HTTPS.
  5. Because no one types https:// in the address bar.

1.2. HSTS Directives


max-age - number of seconds the policy should be kept for.
includeSubDomains - apply this policy to all subdomains of the requested host. Omit it to apply the policy only to the current domain.

1.3. HSTS Examples


Require HTTPS for 60 seconds on current domain:
Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on all subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains):
Strict-Transport-Security: max-age=0

1.4. How to handle HTTP Requests


Requests Over HTTP (Non Secure)
Should respond with a 301 redirect to the secure URL.
Must NOT respond with a Strict-Transport-Security header on non-secure HTTP requests.

Requests Over HTTPS
Should always respond with a Strict-Transport-Security header.
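The rules in 1.2 to 1.4 above, worked through in code. This is an added example and not WackoWiki's own code: the names hsts_header, parse_hsts and respond are the example's own, and respond models only the status and headers an origin server would send, not a full HTTP stack.

```python
"""Added example (not WackoWiki code): build and parse Strict-Transport-Security
headers, and answer HTTP vs HTTPS requests the way sections 1.3/1.4 describe."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds, the 365-day value from the examples above


def hsts_header(max_age: int, include_subdomains: bool = False) -> str:
    """Serialize an HSTS policy; max_age=0 tells the browser to drop the policy."""
    if max_age < 0:
        raise ValueError("max-age must be >= 0")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into {'max_age': int, 'include_subdomains': bool}.

    Directive names are case-insensitive; unknown directives are ignored (RFC 6797);
    a header without max-age is invalid and raises.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("HSTS header without max-age is invalid")
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def respond(request_url: str, policy: str = hsts_header(ONE_YEAR, True)) -> tuple:
    """Return (status, headers) an origin should send for the given request URL.

    - plain HTTP: 301 to the https:// form of the same URL and NO HSTS header
      (browsers ignore it over HTTP, and RFC 6797 forbids sending it there)
    - HTTPS: the HSTS policy on every response
    """
    parts = urlsplit(request_url)
    if parts.scheme == "http":
        secure = urlunsplit(("https",) + tuple(parts[1:]))
        return 301, {"Location": secure}
    if parts.scheme == "https":
        return 200, {"Strict-Transport-Security": policy}
    raise ValueError(f"unsupported scheme: {parts.scheme}")


if __name__ == "__main__":
    print(respond("http://example.com/doc?x=1"))
    print(respond("https://example.com/doc"))
```

The redirect preserves path and query so that a bookmarked http:// link lands on the same page, and the policy is only ever attached to the HTTPS response.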

1.5. HSTS Browser Support


1.6. HSTS Resources

  1. HSTS Specification: https://tools.ietf.org/html/rfc6797
  2. OWASP: HTTP Strict Transport Security Cheat Sheet

2. X-Content-Type-Options


X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is X-Content-Type-Options: nosniff.

2.1. X-Content-Type-Options Resources

  1. https://developer.mozilla.org/[...]Content-Type-Options

3. X-Frame-Options


Allows the server to specify whether the response content may be rendered inside a frame and, if so, from which origin.

Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard, it is widely supported and can be used in conjunction with CSP.

3.1. Clickjacking


3.2. X-Frame-Options Directives


3.3. X-Frame-Options Resources


  1. http://tools.ietf.org/html/rfc7034
  2. OWASP: Clickjacking Defense Cheat Sheet

4. Content-Security-Policy (CSP)


An HTTP response header that lets the server control which resources the browser may load, and from where.

4.1. Why Content-Security-Policy?


4.2. CSP Directives

CSP can protect against a variety of unauthorized asset types.

4.3. CSP Source Expressions


Source Value          Meaning
*                     Wildcard, allows all origins.
'self'                Allow the same origin.
'none'                Don't allow any resources of this type to load.
domain.example.com    Allow a specific domain.
*.example.com         Allow all subdomains of a domain.
https://example.com   Scheme-specific: allow the domain over that scheme only.
https:                Require HTTPS.
data:                 Allow data: URI schemes.
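A matcher for the source expressions in the table above, as an added example rather than code from WackoWiki. It is a simplified version of the host-source matching CSP defines (no path matching, ports must match exactly, and a scheme-less host is taken to allow the page's own scheme plus https), so it is for understanding the table, not for replacing a browser's policy engine. The names source_allows and policy_allows are the example's own.

```python
"""Added example (not WackoWiki code): simplified evaluation of the CSP source
expressions listed in section 4.3 against a URL the page tries to load."""
from urllib.parse import urlsplit

NON_NETWORK_SCHEMES = ("data", "blob", "filesystem")


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain but not the bare domain; otherwise exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_allows(expression: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression allow loading `url` from a page at `page_origin`?"""
    target = urlsplit(url)
    page = urlsplit(page_origin)
    expr = expression.strip()
    if expr == "'none'":
        return False
    if expr == "*":
        # The wildcard covers network origins only; data:, blob: and
        # filesystem: URLs still need to be listed explicitly.
        return target.scheme not in NON_NETWORK_SCHEMES
    if expr == "'self'":
        return (target.scheme, target.netloc.lower()) == (page.scheme, page.netloc.lower())
    if expr.endswith(":") and "/" not in expr:
        # scheme-source such as "https:" or "data:"
        return target.scheme == expr[:-1].lower()
    # host-source: optional scheme://, then host[:port]
    if "://" in expr:
        scheme, _, hostport = expr.partition("://")
        if target.scheme != scheme.lower():
            return False
    else:
        hostport = expr
        # No explicit scheme: the page's scheme (or https) is implied.
        if target.scheme not in (page.scheme, "https"):
            return False
    host, _, port = hostport.partition(":")
    if port and port != "*" and str(target.port or "") != port:
        return False
    return _host_matches(host, target.hostname or "")


def policy_allows(source_list: str, url: str, page_origin: str) -> bool:
    """Evaluate a whole source list such as "'self' https://cdn.example.com".

    An empty list allows nothing; otherwise any one matching expression is enough.
    """
    expressions = source_list.split()
    if not expressions:
        return False
    return any(source_allows(e, url, page_origin) for e in expressions)


if __name__ == "__main__":
    page = "https://www.example.com"
    for src in ("'self'", "*.example.com", "https:", "data:", "'none'"):
        print(src, policy_allows(src, "https://cdn.example.com/lib.js", page))
```

The two results worth noticing are that `*.example.com` does not cover the bare `example.com`, and that `*` never admits a `data:` URL: both are common surprises when a policy is first tightened.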

4.4. unsafe-inline


4.5. unsafe-eval


4.6. CSP Reports



Content-Security-Policy: default-src 'self'; report-uri http://example.com/report.php

4.6.1. Report-only headers



Specify a report-uri to receive JSON violation reports. To test a policy without enforcing it, send it in the Content-Security-Policy-Report-Only header instead: violations are reported but nothing is blocked.

Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.com/report.php
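What the report.php endpoint named in the headers above has to do when a browser POSTs to it, as an added example (not WackoWiki's report.php). The report shape is the one the CSP specification defines: a JSON body with a top-level "csp-report" object carrying document-uri, violated-directive, effective-directive, blocked-uri, original-policy and disposition. The handler, its names and the sample report are this example's own; the sample values are constructed.

```python
"""Added example (not WackoWiki code): validate and summarize a CSP violation
report POSTed to report-uri, for both enforced and report-only policies."""
import json

MAX_REPORT_BYTES = 16 * 1024  # reports are small; refuse anything larger
REQUIRED = ("document-uri", "violated-directive")


def handle_csp_report(content_type: str, body: bytes) -> tuple:
    """Return (status, summary) for one report-uri POST.

    413 for an oversized body, 415 for the wrong media type, 400 for malformed
    JSON or a report missing required fields, 204 with a summary when accepted.
    """
    if len(body) > MAX_REPORT_BYTES:
        return 413, None
    # Browsers send Content-Type: application/csp-report (possibly with a charset).
    if content_type.split(";")[0].strip().lower() != "application/csp-report":
        return 415, None
    try:
        payload = json.loads(body.decode("utf-8"))
        report = payload["csp-report"]
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return 400, None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return 400, None
    summary = {
        "page": report["document-uri"],
        "directive": report.get("effective-directive", report["violated-directive"]),
        "blocked": report.get("blocked-uri", ""),
        # disposition "report" means the violation came from a
        # Content-Security-Policy-Report-Only header and nothing was blocked;
        # "enforce" means the browser actually refused the resource.
        "enforced": report.get("disposition", "enforce") == "enforce",
        "policy": report.get("original-policy", ""),
    }
    return 204, summary


# Constructed sample, shaped like a browser's report for the report-only
# header shown above. All values are made up for this example.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://wiki.example.test/page",
        "referrer": "",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; report-uri https://wiki.example.test/report.php",
        "disposition": "report",
        "blocked-uri": "https://cdn.example.test/lib.js",
        "status-code": 200,
    }
}).encode("utf-8")

if __name__ == "__main__":
    print(handle_csp_report("application/csp-report", SAMPLE_REPORT))
```

Keeping `enforced` in the summary lets a dashboard separate "would have been blocked" noise from the report-only trial run from real breakage once the enforcing header is switched on.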

4.7. CSP Browser Support


4.8. CSP Resources


5. Permissions-Policy

A security mechanism that allows developers to explicitly enable or disable various powerful browser features for a given site.

5.1. Permissions Policy Browser Support



6. Referrer Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, is included with requests made from the page.

6.1. Why Referrer Policy?


  1. Privacy -
  2. Security
  3. Trackback

6.2. Referrer Policy Directives


  1. no-referrer - Do not send an HTTP Referer header.
  2. no-referrer-when-downgrade - Send the origin as a referrer to URLs as secure as the current page (https→https), but do not send a referrer to less secure URLs (https→http). This is the default behaviour.
  3. same-origin - A referrer is sent for same-site origins, but cross-origin requests contain no referrer information.
  4. origin - Send only the origin of the document.
  5. strict-origin - Only send the origin of the document as the referrer to destinations that are at least as secure as the current page (HTTPS->HTTPS), and do not send it to a less secure destination (HTTPS->HTTP).
  6. origin-when-cross-origin - Send the full URL (stripped of parameters) for same-origin requests, but only send the origin for other cases.
  7. strict-origin-when-cross-origin - Send the full URL when performing a same-origin request, send only the origin of the document to destinations that are at least as secure as the current page (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
  8. unsafe-url - Send the full URL (stripped of parameters) for both same-origin and cross-origin requests.
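The eight directives above, expressed as a function that computes the Referer value a browser would send for a given policy, source page and destination. This is an added example and not code from WackoWiki; the name referrer_for and its helpers are the example's own. Origins are serialized with a trailing slash, and "full URL" values have the credentials and fragment removed while the query string is kept, which is how the Referrer Policy specification defines the stripped form.

```python
"""Added example (not WackoWiki code): the Referer header a browser sends under
each Referrer-Policy directive, for a request from source_url to destination_url."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
)


def _host_port(parts) -> str:
    """Lower-cased host plus an explicit port if one was given; drops any user:pass@."""
    host = (parts.hostname or "").lower()
    return f"{host}:{parts.port}" if parts.port else host


def origin_of(url: str) -> str:
    """Origin-only referrer, e.g. 'https://example.com/'."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{_host_port(p)}/"


def full_referrer(url: str) -> str:
    """Full-URL referrer: scheme, host, path and query; no credentials, no fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), _host_port(p), p.path or "/", p.query, ""))


def referrer_for(policy: str, source_url: str, destination_url: str):
    """Return the Referer value for the request, or None when no header is sent."""
    policy = policy.strip().lower()
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    same_origin = origin_of(source_url) == origin_of(destination_url)
    # A downgrade is HTTPS -> anything that is not HTTPS (the "less secure" case).
    downgrade = (urlsplit(source_url).scheme.lower() == "https"
                 and urlsplit(destination_url).scheme.lower() != "https")

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source_url)
    if policy == "origin":
        return origin_of(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source_url)
    if policy == "same-origin":
        return full_referrer(source_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_of(source_url)
    if policy == "origin-when-cross-origin":
        return full_referrer(source_url) if same_origin else origin_of(source_url)
    # strict-origin-when-cross-origin
    if same_origin:
        return full_referrer(source_url)
    return None if downgrade else origin_of(source_url)


if __name__ == "__main__":
    src = "https://wiki.example.test/doc/page?v=47#top"
    for p in POLICIES:
        print(f"{p:32} -> {referrer_for(p, src, 'http://other.test/')}")
```

Running the `__main__` block with an http:// destination shows the practical difference between the "strict" variants and the others: only `origin-when-cross-origin` and `unsafe-url` still leak anything to a plaintext destination.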

6.3. Browser Support


6.4. Referrer Policy Resources


7. Tools

7.1. Header Analyser


Analyse the security of your HTTP response headers.

7.2. CSP Analyser


Analyse the Content Security Policy of your site or any other site.

7.3. CSP Builder


Quickly and easily build your own Content Security Policy.

7.4. CSP Hash


Generate a hash of your JS or CSS to include in your CSP.

7.5. SRI Hash Generator


Generate an SRI tag for externally loaded assets.
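What the CSP Hash and SRI Hash Generator tools in 7.4 and 7.5 compute, as an added example that is not code from WackoWiki or from either tool. Both are the same operation: a SHA-256/384/512 digest of the exact bytes of the script or stylesheet, base64-encoded. For CSP it becomes a quoted 'sha256-...' source expression that whitelists one inline block; for SRI it becomes the integrity attribute a browser checks before executing a fetched asset. The function names are the example's own.

```python
"""Added example (not WackoWiki code): CSP hash sources and Subresource Integrity
values for a script or stylesheet, plus the check a browser performs on fetch."""
import base64
import hashlib

SUPPORTED = ("sha256", "sha384", "sha512")  # the algorithms CSP and SRI accept


def _digest_b64(algorithm: str, content: bytes) -> str:
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return base64.b64encode(hashlib.new(algorithm, content).digest()).decode("ascii")


def csp_hash_source(inline_content: str, algorithm: str = "sha256") -> str:
    """Source expression for an inline <script> or <style> body.

    The hash covers the exact text between the tags, UTF-8 encoded: any change
    to whitespace or a trailing newline produces a different value.
    """
    return f"'{algorithm}-{_digest_b64(algorithm, inline_content.encode('utf-8'))}'"


def sri_integrity(asset: bytes, algorithm: str = "sha384") -> str:
    """Value for the integrity attribute of an externally loaded asset."""
    return f"{algorithm}-{_digest_b64(algorithm, asset)}"


def sri_script_tag(src: str, asset: bytes) -> str:
    """A <script> tag pinned to the asset's current bytes (crossorigin is needed
    for cross-origin assets so the browser can read the response to check it)."""
    return (f'<script src="{src}" integrity="{sri_integrity(asset)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(asset: bytes, integrity: str) -> bool:
    """Browser-side check: the attribute may list several space-separated
    alternatives; the asset is accepted if any recognized one matches."""
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        expected = expected.split("?", 1)[0]  # SRI allows trailing ?options
        if algorithm in SUPPORTED and _digest_b64(algorithm, asset) == expected:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample asset for the example.
    body = b"document.title = 'wiki';"
    print(csp_hash_source("document.title = 'wiki';"))
    print(sri_script_tag("https://cdn.example.test/app.js", body))
```

The hash is of the bytes as served, so regenerate it whenever the asset is minified, re-encoded or rebuilt; a stale value makes the browser refuse the asset, which is the intended failure mode rather than a bug.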