View source for Security Headers

{{toc numerate=1}}

===Strict-Transport-Security HTTP Response Header===

Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.

====Why Use HSTS?===

  1. **Passive Network Attacks** - man in the middle attacks, HTTPS stripping attacks. 
  1. **Active Network Attacks** - compromised DNS, evil twin domains, etc.
  1. **Mixed Content Vulnerabilities** - loading of an insecure resource over a secure request (eg swf)
  1. **Performance** - removes unnecessary redirects to HTTPS from http.
  1. **Because no one types https:// in the address bar.**

====HSTS Directives===

  ##max-age## - number of seconds policy should be kept for.
  ##includeSubDomains##  - apply this policy to all subdomains of the requested host. Omit to apply policy only to current domain.

====HSTS Examples===

Require HTTPS for 60 seconds on current domain:
  ##Strict-Transport-Security: max-age=60##

Require HTTPS for 365 days on all subdomains:
  ##Strict-Transport-Security: max-age=31536000; includeSubDomains##

Remove HSTS Policy (including subdomains):
  ##Strict-Transport-Security: max-age=0##

====How to handle HTTP Requests===

  Requests Over HTTP (Non Secure)
    Should respond with a 301 redirect to the secure url.
    Must NOT respond with Strict-Transport-Security header on non-secure HTTP requests.

  Requests Over HTTPS
    Should always respond with a Strict-Transport-Security header.

====HSTS Browser Support===

  * http://caniuse.com/stricttransportsecurity

====HSTS Resources====
  1. HSTS Specification: https://tools.ietf.org/html/rfc6797
  1. OWASP: ((https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet HTTP Strict Transport Security Cheat Sheet)) 


===X-Content-Type-Options===

X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is ##X-Content-Type-Options: nosniff##.

====X-Content-Type-Options Resources====
  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

===X-Frame-Options===

Allows the server to specify if the response content should be part of a frame, and if so from what origin.

**Note:** The ##frame-ancestors## directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP.

====Clickjacking====

  * AKA UI Redressing
  * Attacker tricks the user into clicking on something that performs an unintended action.

====X-Frame-Options Directives====

  *  ##DENY## - Specifies that the requested resource should never be embedded in a frame.
  * ##SAMEORIGIN## - Only pages on the same domain may frame the requested resource.
  * ##ALLOW-FROM origin## - Allow a whitelisted origin to frame the requested content.

====X-Frame-Options Resources====

  1. http://tools.ietf.org/html/rfc7034
  1. OWASP: ((https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet Clickjacking Defense Cheat Sheet))

===Content-Security-Policy (CSP)===

HTTP Response header, allows server to control how resources are loaded. 

====Why Content-Security-Policy?====

  * Greatly reduces success of Cross Site Scripting (XSS) attacks.
  * Report / log xss attack attempts

====CSP Directives====
CSP can protect against a variety of unauthorized asset types.
  * ##default-src## – all assets (including scripts) 
  * ##script-src##  – scripts
  * ##style-src## – stylesheets 
  * ##img-src## – limit origins of images
  * ##connect-src## – XHR, WebSockets, EventSource 
  * ##base-uri## –
  * ##font-src## – font files 
  * ##form-action## –
  * ##frame-ancestors## –
  * ##plugin-types## – restricts the set of plugins that can be invoked
  * ##object-src## – Flash and other plugin objects 
  * ##media-src## – audio and video 
  * ##frame-src## – nested browsing contexts sources 
  * ##sandbox##
  * ##report-uri##
  * ##require-sri-for## - instructs the client to require the use of Subresource Integrity for scripts or styles on the page

====CSP Source Expressions====

#|
*|Source Value  | Meaning |*
||* | Wildcard, allows all origins. ||
||'self'  | Allow same origin. ||
||'none' | Don't allow any resources of this type to load. ||
||domain.example.com | Allow a domain ||
||*.example.com | Allow all subdomains on a domain. ||
||https://example.com | Scheme specific. ||
||https: | Require https. ||
||data: | Allow data uri schemes. ||
|#

====unsafe-inline====

  *  When ##script-src## or ##style-src##
     are enabled inline ##style##
     or ##script##
     tags are disabled.  
    * You can add ##'unsafe-inline'## to allow it, but defeats much of CSP's purpose. 

====unsafe-eval====

  * CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
    * You can add ##'unsafe-eval'## to a script-src directive to disable this.
	
====CSP Reports====

  * Congure a report-uri to accept CSP exception requests (POST)
  * Be notified of XSS vulnerabilities as they occur
  * Users with CSP-supported browsers make it safer for everybody 

##""Content-Security-Policy: default-src 'self'; report-uri http://example.com/report.php""##

=====Report-only headers=====

  * Content-Security-Policy-Report-Only
  * Notifies you of violations, but won't take action
  * Lets you try CSP risk-free

  Specify a ##report-uri## to receive JSON violation reports
  Report only: ##Content-Security-Policy-Report-Only##

##""Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.com/report.php""##

====CSP Browser Support====

  * http://caniuse.com/contentsecuritypolicy2

====CSP Resources====

  * ((http://content-security-policy.com CSP quick reference))
  * W3C: ((http://www.w3.org/TR/CSP2/  Content Security Policy Level 2))
  * W3C: ((https://w3c.github.io/webappsec-csp/ Content Security Policy Level 3))
  * OWASP: ((https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet Content Security Policy Cheat Sheet))
  * Mozilla: ((https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives CSP policy directives))

===Referrer Policy===
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

====Why Referrer Policy?====

  1. **Privacy** - 
  2. **Security**
  3. **Trackback**

====Referrer Policy Directives====

  1. ##no-referrer## - Do not send a HTTP Referer header.
  1. ##no-referrer-when-downgrade## - Send the origin as a referrer to URLs as secure as the current page, (https→https), but does not send a referrer to less secure URLs (https→http). This is the default behaviour.
  1. ##same-origin## - A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
  1. ##origin## - Send the origin of the document.
  1. ##strict-origin## - Only send the origin of the document as the referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
  1. ##origin-when-cross-origin## - Send the full URL (stripped of parameters) for same-origin requests, but only send the origin for other cases.
  1. ##strict-origin-when-cross-origin## - Send a full URL when performing a same-origin request, only send the origin of the document to a-priori as-much-secure destination (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
  1. ##unsafe-url## - Send the full URL (stripped of parameters) for same-origin or cross-origin requests.

====Browser Support====

  * https://caniuse.com/#feat=referrer-policy

====Referrer Policy Resources====

  * W3C: ((https://www.w3.org/TR/referrer-policy/ Referrer Policy Specifications))
  * Mozilla: ((https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy Referrer-Policy))
  * https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta

===Tools===

====Header Analyser====

Analyse the security of your HTTP response headers.
  * https://securityheaders.io/

====CSP Analyser====

Analyse the Content Security Policy of your site or any other site.
  * https://report-uri.com/home/analyse

====CSP Builder====

Quickly and easily build your own Content Security Policy.
  * https://report-uri.com/home/generate

====CSP Hash====

Generate a hash of your JS or CSS to include in your CSP.
  * https://report-uri.com/home/hash

====SRI Hash Generator====

Generate a SRI tag for externally loaded assets.
  * https://www.srihash.org/